Our tenant receives new user data from an HR-based source of truth. During onboarding, SailPoint uses a transform to generate a temporary password that is easy for users to remember during orientation and is intended to be changed immediately after their first login.
However, we’ve discovered that SailPoint is not automatically setting the “User must change password at next logon” flag in Active Directory for these new accounts.
As a temporary workaround, we’ve been setting this flag manually in AD. To automate this, we attempted to configure the Active Directory source settings in SailPoint by going to the Create Account section and setting the pwdLastSet attribute to 0 with a Static value. Unfortunately, this did not work during today’s onboarding.
Hey @pattabhi thanks for the reply. If I’m reading this correctly, if I set the value to static, it automatically is read as -1/false? If that is the case, how do I set it to true? I assumed Static would let us use the preconfigured password supplied by the transform and 0 would set the flag after the first logon. Please pardon my lack of understanding.
I know why there is confusion: there should be a drop-down with the values true or false, which would avoid the confusion … but the current behavior is that we need to write true or false manually.
As per the documentation for this attribute, the Static value can only be set to true or false (with the radio button selected as Static).
When the Static value is set to true, the pwdLastSet attribute value is set to 0 in the backend, and this selects the “User must change password at next logon” checkbox for the Active Directory user object’s account in ADUC.
When the Static value is set to false, the pwdLastSet attribute value is set to -1 in the backend, which sets this attribute to the current time and deselects the “User must change password at next logon” checkbox.
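An added audit script, not from this thread, from SailPoint or from Microsoft, that checks the mapping described above from the AD side: it lists recently created, enabled users whose pwdLastSet is not 0 (so the “must change password at next logon” flag was never set and the onboarding temporary password is still treated as current), and can optionally apply the flag the way the manual ADUC workaround does. The OU, the 7-day window and the `$remediate` switch are placeholders to adjust for your environment; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not the thread's or SailPoint's code): audit new AD accounts
# for a missing "User must change password at next logon" flag.
# Assumptions: RSAT ActiveDirectory module available; OU and window are placeholders.
Import-Module ActiveDirectory

$searchBase = 'OU=NewHires,DC=example,DC=com'   # placeholder OU for onboarded users
$since      = (Get-Date).AddDays(-7)             # placeholder onboarding window
$remediate  = $false                             # set to $true to apply the flag

$users = Get-ADUser -Filter { whenCreated -ge $since -and Enabled -eq $true } `
                    -SearchBase $searchBase `
                    -Properties pwdLastSet, whenCreated

$missingFlag = foreach ($u in $users) {
    # pwdLastSet = 0 means the flag is set and the user must change the password.
    # Any other value is the FILETIME of the last password set, so the temporary
    # onboarding password is considered current and will not be forced to change.
    if ($u.pwdLastSet -ne 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Created        = $u.whenCreated
            PwdLastSet     = [DateTime]::FromFileTime($u.pwdLastSet)
        }
    }
}

# Report: every row here is an account that left onboarding without the flag.
$missingFlag | Format-Table -AutoSize

if ($remediate) {
    foreach ($m in $missingFlag) {
        # Same effect as ticking the ADUC checkbox: AD writes pwdLastSet = 0.
        # -WhatIf previews the change; remove it once the output looks right.
        Set-ADUser -Identity $m.SamAccountName -ChangePasswordAtLogon $true -WhatIf
    }
}
```

Run the report right after each onboarding batch; an empty table confirms the provisioning policy wrote pwdLastSet = 0 as intended, and any row is an account still holding the transform-generated temporary password without a forced change.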