Monday, November 19, 2012 2:34 PM
I want to be able to turn off the need for a user to change password on first logon. I am sure I need to use the userAccountControl flag in initial flow, but I do not know what to set this to. Can anyone tell me how I can achieve this ?
also is there another attribute I need to change for this to work normally ?
Thanks in advance ,
- Edited by MasterPrawn Monday, November 19, 2012 2:34 PM Better title
Monday, November 19, 2012 4:01 PM
Unless you've marked a password never to expire, the pwdLastSet attribute controls this. The only values you can write to pwdLastSet are 0 (which requires an immediate reset) and, if the current value is already 0, assigning -1 will set it to the current time, effectively delaying the user's next password reset as if they had just updated it. It is not possible to write arbitrary values into pwdLastSet.
If you really want non-expiring passwords--although this is not good security practice--refer here as a reference to userAccountControl's various bit flags: http://support.microsoft.com/kb/305144
- Marked As Answer by Markus VilcinskasMicrosoft Employee, Owner Wednesday, November 28, 2012 11:19 PM
Monday, November 19, 2012 4:32 PM
Aaa, I see.
In fast I dont want non-exiring passwords, but what I want to do is to is:
- Register user in Portal - email initial password to external (non domain) address
- Let user login to a system via ADFS , since I am sending them in via that I cannot have them change the password on first logon. When they login with the created and emailed password they can use the OTPR SSPR feature to change the password to a more "friendly" password.
Their passwords will expire, but i will handle that propblem with notifications later.
So I was sure I needed to set the userAccountControl flag to try this, but thanks, I will try using the -1 as an initial flow and see what is the result.
Monday, November 19, 2012 7:35 PM
when I flow -1 as a value, I get a syntax violation, when I change it back to 0 it works fine, should I be using a type string instead of number ?
Monday, November 19, 2012 7:49 PMpwdLastSet is a 64-bit signed integer field in AD; I've never tried to assign to it from a Portal rule or action--only LDAP--so stringifying it is probably worth a try, but I can't anticipate whether that'll work or not. Experience suggests that the FIM Sync engine will refuse to see it as anything other than numeric.