This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Identity Governance & Lifecycle Discussions

Discussions about RSA Identity Governance & Lifecycle.
DushyantSingh
Beginner
Beginner
‎2016-02-10 08:44 AM

User must change password at next logon in AD

Jump to solution

How could we enforce “user must change password at next logon” = true for new users in AD ? For this we are flowing pwdLastSet = 0 through IMG for new users , but this is not reflecting in AD.

 

pwd.PNG

Labels (1)
Reply
1 Solution

Accepted Solutions
BorisLekumovich
Contributor Contributor
Contributor
‎2016-02-10 09:23 AM

Jump to solution

try using the following parameter

 

 

Field Name

Value

Parameter Name

_AFX_FORCE_REGISTER_USER_CHANGE_PWD

Type

STRING

Default Value

-

Is the parameter required?

No

Is the parameter encrypted?

Yes

Display Name

Force Password Change

Mapping

${AccountTemplate.Password}

Description

While creating new user on AD, if you want to force reset password on first login, you need to add “_AFX_FORCE_REGISTER_USER_CHANGE_PWD” parameter to the capability “Create an Account on an AD server” and set its value to 1

View solution in original post

Reply
10 Replies
BorisLekumovich
Contributor Contributor
Contributor
‎2016-02-10 09:23 AM

Jump to solution

try using the following parameter

 

 

Field Name

Value

Parameter Name

_AFX_FORCE_REGISTER_USER_CHANGE_PWD

Type

STRING

Default Value

-

Is the parameter required?

No

Is the parameter encrypted?

Yes

Display Name

Force Password Change

Mapping

${AccountTemplate.Password}

Description

While creating new user on AD, if you want to force reset password on first login, you need to add “_AFX_FORCE_REGISTER_USER_CHANGE_PWD” parameter to the capability “Create an Account on an AD server” and set its value to 1

View solution in original post

Reply
UlrichSchulz
Beginner
Beginner
In response to BorisLekumovich
‎2016-02-10 09:33 AM

Jump to solution

Boris beat me on this

 

Just to add to this: The reason is that the connector needs to create the account first before it can set the password (your initial password for the account creation). You set pwdLastSet to 0, but then the connector sets the initial password and as a result you will see the current date in pwdLastSet. The special variable _AFX_FORCE_REGISTER_USER_CHANGE_PWD solves this issue.

Reply
VishwanathBaba1
Beginner
Beginner
In response to UlrichSchulz
‎2016-02-19 07:01 PM

Jump to solution

Boris,

I tried setting _AFX_FORCE_REGISTER_USER_CHANGE_PWD=1 (tried - 0, tried without pwdLastSet atribute, tried selecting 'Encrypted' check box), but even that did not work. Below is the AFX capability:

pastedImage_0.png

 

Any idea on why it's not working?

0 Likes
Reply
BorisLekumovich
Contributor Contributor
Contributor
In response to VishwanathBaba1
‎2016-02-21 03:27 AM

Jump to solution

what version are you testing on?

0 Likes
Reply
BorisLekumovich
Contributor Contributor
Contributor
In response to BorisLekumovich
‎2016-02-21 09:33 AM

Jump to solution

I've tested it on 6.9.1 P07

 

Here is my connector configuration

pastedImage_0.png

 

I've used the Test Connector Capabilities to test the different behavior.

 

First time, the value of the parameter  _AFX_FORCE_REGISTER_USER_CHANGE_PWD is 0. Here is a screenshot from AD

pastedImage_1.png

 

Second time, the value of the parameter  _AFX_FORCE_REGISTER_USER_CHANGE_PWD is 1. Here is a screenshot from AD

pastedImage_2.png

0 Likes
Reply
VishwanathBaba1
Beginner
Beginner
In response to BorisLekumovich
‎2016-02-22 12:19 AM

Jump to solution

I am on 6.9.1 P09. Using AFX test Connector capability. Result is still the same with  _AFX_FORCE_REGISTER_USER_CHANGE_PWD = 0:

 

pastedImage_0.png

0 Likes
Reply
BorisLekumovich
Contributor Contributor
Contributor
In response to VishwanathBaba1
‎2016-02-22 04:50 AM

Jump to solution

I guess I mixed up the test results in my previous reply

I've just tested it on v6.9.1 P09 now.

 

I've configured the parameter  _AFX_FORCE_REGISTER_USER_CHANGE_PWD = 1.

 

pastedImage_0.png

 

The account was created with pwdLastSet = (never)

 

pastedImage_3.png

 

Try on your environment with the same values I tried.

Reply
VishwanathBaba1
Beginner
Beginner
In response to BorisLekumovich
‎2016-02-22 10:24 AM

Jump to solution

Boris,

It worked. Thank you so much.

0 Likes
Reply
AndreaSaldamarc
Beginner
Beginner
In response to VishwanathBaba1
‎2017-05-05 10:47 AM

Jump to solution

Hi,

I have created a custom request form (Register User Form) in order to create an account on Active Directory.

 

To fulfill the request I use a Register User Command (Non-Visual).On AD Server the UserAccount is created but in Account Options tab,  the "User Must Change Password at Next Logon" field is selected (as shown in the following picture) and in my UseCase does not have selected!

 pastedImage_2.png

I have added a "_AFX_FORCE_REGISTER_USER_CHANGE_PWD" (Value 0) parameter in AFX Capabilities but when I run the form the form on AD I have always the parameter selected. Why?

pastedImage_1.png

NOTE: If I test the CreateAccount capability in AFX Test mode It work correctly. So the error depends on the form?

Thanks in advance

Kind regards

Andrea Saldamarco

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.