Active Directory - pwdLastSet - update the value to force user to change password on next login

Does anyone know if you can use attributeSync or some other trickery to update AD pwdLastSet? Wondering if I can set this to 0 based on an identityAttribute rather than doing it in a rule, allowing me to force a password reset on next login.

If not, I’ll go the rule route but was curious if the connector had a way to handle this use case out of the box. Thanks!

Hi @questjj,

From the documentation linked here:

Under the Create Account profile, the pwdLastSet can be configured to a static value, to an Identity Attribute, or can be computed by using a custom transform (through the IDN API call here).

Hope this helps!

Thanks Kartik, but I’m looking for account updates, not on create. Use case is to create an account, then once a mobile device is provisioned, force a password reset on next login.

In that case, you might need to write a connector rule.

Right, was just checking if there’s other options similar to ac_newparent, etc that allow ad account manipulation without rules.

Hello @questjj

You can use an Identity Attribute and then attributeSync.

Hi @questjj !

Account Creates in IDN UI is Provisioning Policy of type CREATE on API. You can create a Provisioning Policy of type UPDATE, and it will work regardless the synced attributes. I uses it, for example, to update the manager in AD, because it uses a rule that generates the DN.

You can just copy the CREATE provisioning policy, or just put the attributes you want. Moreover, they has not to be equal, for example pwdLastSet can be a static transform TRUE in the CREATE pp, and some other transform in the UPDATE pp.

I will let the example of just copy. Fisrt you have to get the AD source ID (with list sources).

Then go to the GET provisinoing policy by usage type, enter id and in type parameter enter CREATE, this should bring what you see in the Create Account UI

Final step is to go to the POST Create Provisioning Policy, and paste the json obtained from the last GET call. Here is where you add/remove attributes (as I told, it does not have to be the same that the CREATE pp):

In the pwdLastSet attribute, you can develop the transform you wish:


You can test it with the preview button of the identity profile in a fake identity attribute, then use it inside “transform”: {} (and of course, remove later of identity profile.

Perhaps with this you will not be forced to use rule.

Only take care of removing the distinguished name and password attributes, at least.

A last observation, the UPDATE provisioning policy won’t appear in the idn UI, but it will works like the CREATE one.

thanks Julian, good idea on the update policy, ill see if it lets me manipulate the pwdLastSet attribute and report back.

it appears “pwdLastSet” isn’t allowed in attribute sync. Its in my create/update policies, but does not appear in attribute sync config. If someone can confirm that, that would be cool. If that’s the case, I’ll fall back to using a rule. This was still a worthwhile exercise to understand we can create an “update” provisioning policy that is different than a “create”.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.