May have been an issue forever, but I don't know the best way to fix
this. In our 4.5 IDM environment we are connected to 4 AD domains and we
all know that password expiration time in eDir doesn't sync to AD for
the obvious reason that the pwdLastSet value in AD cannot be set to
anything but a 0 or -1. Some of our users only log into the AD domains
and never log into an eDirectory resource, so what ends up happening is
the 3 pw expiration notices get sent to the user, but if they decide not
to change it then they can still log into the AD resource because
'change password at next logon' has not been checked. The AD shipping
rule only sets the pwdLastSet to a 0 when the password expiration time
in eDir is changing and it is later than the current time.

I was thinking about using the PWNotify driver to modify the password
expiration time to a day in the past, 'only' if the third notification
was sent out, which would change it to a time in the past and then
the pwdLastSet would get set to 0 in AD and life would be good. Not sure
if attributes can even be set on accounts with the PWNotify driver.

How are folks forcing users that only log into AD to change their
password when the eDir password expiration time is met?

Thanks in advance!

wferguson's Profile:
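As an added illustration (not code from the post, nor from the IDM AD or PWNotify drivers), the timestamp handling and decision logic the post describes, modelled in Python: eDirectory's Password Expiration Time as a generalizedTime string, AD's pwdLastSet as a FILETIME of which only 0 ("must change at next logon") and -1 ("set to now") are written in practice, and the proposed PWNotify step of pushing the expiration a day into the past once the third notice has gone out. The mapping of a non-future expiration time to pwdLastSet 0, the three-notice threshold, the sample timestamps and all function names are assumptions made for this example and are not the shipped driver policy.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# eDirectory stores Password Expiration Time as generalizedTime in UTC,
# e.g. "20240315120000Z" (assumed sample format for this example).
EDIR_TIME_FMT = "%Y%m%d%H%M%SZ"

# AD pwdLastSet is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PWDLASTSET_MUST_CHANGE = 0    # user must change password at next logon
PWDLASTSET_RESET_TO_NOW = -1  # AD replaces -1 with the current time on write

# Assumed threshold: the poster's driver sends three notices before expiry.
FINAL_NOTICE_COUNT = 3


def parse_edir_time(value: str) -> datetime:
    """Parse an eDirectory generalizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, EDIR_TIME_FMT).replace(tzinfo=timezone.utc)


def format_edir_time(when: datetime) -> str:
    """Render an aware datetime as eDirectory generalizedTime (UTC)."""
    return when.astimezone(timezone.utc).strftime(EDIR_TIME_FMT)


def datetime_to_filetime(when: datetime) -> int:
    """Convert an aware datetime to a FILETIME using integer arithmetic only,
    so large values do not lose precision in floating point."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME (100 ns ticks) back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def pwdlastset_for_expiration_change(new_expiration: str, now: datetime) -> Optional[int]:
    """Assumed model of the AD driver rule: when Password Expiration Time changes
    to a value that is not in the future, write pwdLastSet = 0 so AD forces a
    change at next logon. A future expiration cannot be represented in AD
    (pwdLastSet accepts only 0 or -1), so the attribute is left untouched."""
    if parse_edir_time(new_expiration) <= now:
        return PWDLASTSET_MUST_CHANGE
    return None


def expired_expiration_time(now: datetime, days_back: int = 1) -> str:
    """The poster's proposed workaround value: an expiration time one day in the past."""
    return format_edir_time(now - timedelta(days=days_back))


def pwnotify_action(notices_sent: int, now: datetime) -> Optional[Tuple[str, int]]:
    """Assumed PWNotify step: after the final notice, rewrite Password Expiration
    Time to yesterday and report the pwdLastSet value the AD rule would then write.
    Returns None while fewer than FINAL_NOTICE_COUNT notices have been sent."""
    if notices_sent < FINAL_NOTICE_COUNT:
        return None
    new_expiration = expired_expiration_time(now)
    pwd_last_set = pwdlastset_for_expiration_change(new_expiration, now)
    return new_expiration, pwd_last_set


if __name__ == "__main__":
    # Constructed sample clock for the demonstration.
    now = parse_edir_time("20240315120000Z")
    print("future expiry ->", pwdlastset_for_expiration_change("20240401000000Z", now))
    print("after 2 notices ->", pwnotify_action(2, now))
    print("after 3 notices ->", pwnotify_action(3, now))
    print("pwdLastSet FILETIME for now ->", datetime_to_filetime(now))
```

The decision functions take `now` as a parameter rather than reading the clock, so the behaviour around the expiration boundary can be checked deterministically; the FILETIME helpers are there because a pwdLastSet value read back from AD is a tick count, not a date, and comparing it to an eDirectory timestamp requires the conversion.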