A password change in AD is sent to IDM, and then a password event comes back to IDM.
So this change-password event happens twice, and on this trigger we send the end user a password change notification.
To avoid sending this email twice we implemented code that checks the pwdChangedTime in IDM. If it falls within a configured timeslot, there is a break.
This code works fine for users who are in both AD and IDM. But there are also users who are not in IDM, only in AD.
Then the code cannot read the pwdChangedTime in IDM (because the user does not exist), and so there is no break.
These users receive the change-password notification email twice.

Does anyone know how to solve this issue for users who are only in AD?

Here is the code we use to break:
<comment xml:space="preserve">xxx</comment>
<conditions>
<and>
<if-operation mode="case" op="equal">modify-password</if-operation>
<if-class-name mode="nocase" op="equal">user</if-class-name>
<if-association op="available"/>
</and>
</conditions>
<actions>
<!-- now = seconds since the epoch (UTC); lastchange = pwdChangedTime of the IDM user (empty when the user has no IDM object) -->
<do-set-local-variable name="now" scope="policy"><arg-string><token-time format="!CTIME" tz="UTC"/></arg-string></do-set-local-variable>
<do-set-local-variable name="lastchange" scope="policy"><arg-string><token-dest-attr name="pwdChangedTime"/></arg-string></do-set-local-variable>
<!-- tdiff = seconds since the last password change; traced for debugging (the enclosing elements were not shown in the post and are restored here) -->
<do-set-local-variable name="tdiff" scope="policy"><arg-string><token-xpath expression="$now - $lastchange"/></arg-string></do-set-local-variable>
<do-trace-message><arg-string><token-local-variable name="tdiff"/></arg-string></do-trace-message>
<!-- break when the change is inside the configured timeslot; the grouping <or> is assumed, the post shows only the two tests -->
<do-if>
<arg-conditions><or>
<if-xpath op="true">$tdiff &lt;= 30</if-xpath>
<if-xpath op="true">$tdiff = 14904362</if-xpath>
</or></arg-conditions>
<arg-actions><do-break/></arg-actions>
</do-if>
</actions>

gschouten32's Profile: https://forums.netiq.com/member.php?userid=2546
View this thread: https://forums.netiq.com/showthread.php?t=49565
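The following is an added illustration of the check described in the post, written in plain Python; it is not the poster's DirXML-Script policy and not NetIQ code. It reproduces the policy's arithmetic ($now - $lastchange compared against the 30-second timeslot) so the AD-only failure mode is visible: when pwdChangedTime cannot be read, XPath 1.0 converts the empty value to NaN, every comparison with NaN is false, and the rule never breaks. It then shows one alternative, keying the suppression on the event's association value instead of on an attribute of the IDM user object. All names (xpath_number, should_break, NotificationGate, demo) and the sample timestamps are constructed for this example.

```python
"""Model of the duplicate-notification check from the post above.

Added illustration in plain Python, not the poster's DirXML-Script policy and
not NetIQ code: it reproduces the policy's arithmetic so the behaviour for
AD-only users can be seen, then shows a suppression key that does not depend
on an IDM object existing. All names (xpath_number, should_break,
NotificationGate, demo) and the sample timestamps are constructed.
"""
import math
from typing import Dict, Optional

WINDOW_SECONDS = 30  # the "configured timeslot" from the post


def xpath_number(value: Optional[str]) -> float:
    """XPath 1.0 number() conversion as the policy engine applies it:
    an attribute that could not be read (None/empty) becomes NaN."""
    if value is None or value.strip() == "":
        return math.nan
    try:
        return float(value)
    except ValueError:
        return math.nan


def should_break(now: int, pwd_changed_time: Optional[str]) -> bool:
    """The policy's test: $now - $lastchange <= 30.

    For a user that exists in IDM the echoed event arrives seconds after
    pwdChangedTime was updated, so the test is true and the rule breaks.
    For an AD-only user lastchange is empty, tdiff is NaN, and every
    comparison with NaN is false, so the rule never breaks and the
    notification goes out a second time.
    """
    tdiff = now - xpath_number(pwd_changed_time)
    return tdiff <= WINDOW_SECONDS


class NotificationGate:
    """Alternative suppression keyed on the event's association value
    rather than on an attribute of the IDM user object.

    Constructed for this example; in a real driver the last-sent times
    would live in a persistent store, not in a Python dict.
    """

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self._last_sent: Dict[str, int] = {}

    def allow(self, association: str, now: int) -> bool:
        """True if a notification may be sent for this identity now."""
        last = self._last_sent.get(association)
        if last is not None and now - last <= self.window:
            return False  # echo of an event we already notified
        self._last_sent[association] = now
        return True


def demo() -> Dict[str, bool]:
    """Walk through the two event pairs described in the post."""
    now = 1_700_000_000  # constructed epoch timestamp
    gate = NotificationGate()
    return {
        # user in AD and IDM: first event is far from the last change
        "idm_first_event_breaks": should_break(now, str(now - 3600)),    # False: mail sent
        "idm_echo_breaks": should_break(now + 5, str(now)),              # True: break, no 2nd mail
        # AD-only user: pwdChangedTime cannot be read at all
        "ad_only_echo_breaks": should_break(now + 5, None),              # False: 2nd mail sent
        # association-keyed gate does not need the IDM object
        "gate_first_event_allowed": gate.allow("ad-guid-1", now),        # True
        "gate_echo_allowed": gate.allow("ad-guid-1", now + 5),           # False
        "gate_later_change_allowed": gate.allow("ad-guid-1", now + 120), # True
    }
```

Running demo() shows the asymmetry the post describes: the pwdChangedTime window breaks on the echoed event for an IDM user but never for an AD-only user, while a gate keyed on the association value suppresses the echo in both cases. Where such a last-sent store should live in a real driver is a design choice for the deployment and is not taken from the thread.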