When a new user (or a rehire) logs into AD for the first time, we want AD to enforce a password change.
For some context, in our environment, new users are provided a generated password on day one that gives them access to AD. The source of truth is an HR system that SailPoint reads data from and creates their AD account. We want SailPoint to also configure the accounts to force password reset upon first logon.
@jared-fox
While creating the AD account, set the ‘pwdLastSet’ attribute value to ‘true’, and set the Sign-in method on the identity profile to the ‘Active Directory’ source.
Hey Sagar,
Thanks so much for the answer. Please be patient with me, I’m kind of a noob. Where do I set pwdLastSet to true? I’m looking in account create in the AD source, but don’t see that as an option.
Also, am I setting the Source of Truth identity profile Sign-in Method to AD?
Go to Active Directory source –> Account Management –> Create Account and search for the attribute called ‘pwdLastSet’. I think by default it is false; update it to true. If you are unable to find the attribute, click on Add Mapping and add it.
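
Added example, not part of the thread and not SailPoint's own code: a PowerShell audit that checks on the AD side whether recently created accounts are still flagged "user must change password at next logon", which the directory stores as `pwdLastSet = 0`. It assumes the RSAT ActiveDirectory module is available; the search base and the 7-day window are placeholders.

```powershell
# Added example: audit new AD accounts for the forced-password-change flag.
# Assumptions: RSAT ActiveDirectory module; $SearchBase and $DaysBack are placeholders.
Import-Module ActiveDirectory

$DaysBack   = 7
$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder OU, adjust to your domain
$since      = (Get-Date).AddDays(-$DaysBack)

# pwdLastSet = 0 means "must change password at next logon".
# Any other value is the timestamp of the last password set.
$users = Get-ADUser -Filter 'whenCreated -ge $since' -SearchBase $SearchBase `
    -Properties pwdLastSet, whenCreated, PasswordNeverExpires, lastLogonTimestamp

$report = foreach ($u in $users) {
    $mustChange    = ($u.pwdLastSet -eq 0)
    $neverLoggedOn = (-not $u.lastLogonTimestamp)   # no replicated logon recorded

    $finding = if ($mustChange -and $u.PasswordNeverExpires) {
        # The two settings conflict; review the account's userAccountControl.
        'REVIEW: must-change flag set together with PasswordNeverExpires'
    } elseif ($mustChange) {
        'OK: change enforced at next logon'
    } elseif ($neverLoggedOn) {
        # Never used, yet the generated day-one password is still valid as-is.
        'FAIL: flag not set and account never logged on'
    } else {
        # The user may already have logged on and changed the password,
        # which replaces 0 with a timestamp, so this case is inconclusive.
        'INFO: password already set after creation'
    }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Created              = $u.whenCreated
        MustChangeAtLogon    = $mustChange
        PasswordNeverExpires = $u.PasswordNeverExpires
        NeverLoggedOn        = $neverLoggedOn
        Finding              = $finding
    }
}

# Show problem accounts first.
$report | Sort-Object Finding | Format-Table -AutoSize
```

Run it after a test provisioning from the HR source: an account created with the mapping in place should report `OK` until the user's first logon.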