Sign in
 
HomeLibraryWikiLearnGalleryDownloadsSupportForumsBlogs
Resources for IT Professionals >
Turn off "user must change password on first logon" in FIM 2010 Ad workflow

Answered Turn off "user must change password on first logon" in FIM 2010 Ad workflow

  • Monday, November 19, 2012 2:34 PM
     
     
    Sign In to Vote
    0

    Hi All,

    I want to be able to turn off the need for a user to change password on first logon. I am sure I need to use the userAccountControl flag in initial flow, but I do not know what to set this to. Can anyone tell me how I can achieve this ?

    also is there another attribute I need to change for this to work normally ?

    Thanks in advance ,

    Rob

    Rob


    • Edited by MasterPrawn Monday, November 19, 2012 2:34 PM Better title
    •  
     

All Replies

  • Monday, November 19, 2012 4:01 PM
     
     Answered
    Sign In to Vote
    0

    Unless you've marked a password never to expire, the pwdLastSet attribute controls this.  The only values you can write to pwdLastSet are 0 (which requires an immediate reset) and, if the current value is already 0, assigning -1 will set it to the current time, effectively delaying the user's next password reset as if they had just updated it.  It is not possible to write arbitrary values into pwdLastSet.

    If you really want non-expiring passwords--although this is not good security practice--refer here as a reference to userAccountControl's various bit flags: http://support.microsoft.com/kb/305144

     
  • Monday, November 19, 2012 4:32 PM
     
     
    Sign In to Vote
    0

    Aaa, I see.

    In fast I dont want non-exiring passwords, but what I want to do is to is:

    • Register user in Portal - email initial password to external (non domain) address
    • Let user login to a system via ADFS , since I am sending them in via that I cannot have them change the password on first logon. When they login with the created and emailed password they can use the OTPR SSPR feature to change the password to a more "friendly" password.

    Their passwords will expire, but i will handle that propblem with notifications later.

    So I was sure I needed to set the userAccountControl  flag to try this, but thanks, I will try using the -1 as an initial flow and see what is the result.

    Rob

     
  • Monday, November 19, 2012 7:35 PM
     
     
    Sign In to Vote
    0

    Hey Steve,

    when I flow -1 as a value, I get a syntax violation, when I change it back to 0 it works fine, should I be using a type string instead of number ?

    Rob

    Rob

     
  • Monday, November 19, 2012 7:49 PM
     
     
    Sign In to Vote
    0
    pwdLastSet is a 64-bit signed integer field in AD; I've never tried to assign to it from a Portal rule or action--only LDAP--so stringifying it is probably worth a try, but I can't anticipate whether that'll work or not.  Experience suggests that the FIM Sync engine will refuse to see it as anything other than numeric.