This content has been marked as final. Show 6 replies
If you are changing the password from IDM, to set the "Change on next login" flag to true in AD:
1. Map expirePassword in IDM to WS_PasswordExpired field in AD
<AccountAttributeType id='33' name='expirePassword' syntax='boolean' mapName='WS_PasswordExpired' mapType='string'>
2. Set user.accounts[AD].expirePassword to true when check in the user view
As per your post, there are 2 AD in your system. Are they different systems and configured using 2 different resources in SIM?
Is this setting getting changed in the same AD where the password is changed or the other Active Directory?
1. If these are 2 different mutually exclusive systems, then password comes to IDM after change in AD no 1, the workflow for PasswordSync gets triggered and sets the password in AD no 2. There the expire flag is set to false in the 2nd case. You can verify this in the audit logs.
If this is the case,you can modify the password sync workflow to set the expirePassword true for the 2nd AD resource. Out of the box workflow is "Synchronize User password" - check in SetPasswordView Activity.
Hope it helps.
Thank you for very much for this interesting information but it is not exactly what happens.
Here is the situation:
An AD account operator resets the password of a user using Native AD tools. He checks: User Must change password. The password set by the administrator is caught by the password catcher, sent to IDM. IDM synchronize this password to the 2nd AD. The second AD catch the password, sends it back to Waveset. Waveset sends this password to the 1st AD, removing all the flags.
Have you ever encountered this problem?