We are proceeding to enable the Password Manager functionality in Sailpoint ISC system. As a part of this we want to test the automated email being triggered for the near expiring users with password reset. For this email templates, the system is looking for the value from “Password Last Changed” flag available on AD account in Sailpoint system.
DO we have any API to update this date on the AD account of user ?
Password last set attribute is managed by your domain controllers. This is a calculation automatically applied when the domain controller receives the update password command. If you want to update the AD account in ISC as part of your workflow then you want to use the following endpoint. This will force the account to be updated. I user this end point as part of my urgent term process to update the AD account description and I use this in a workflow where I move the account into another OU this updates that mapping. This will only work in a workflow for your use case.
We are receiving “pwdlastset” from AD in form of epoch values. Also can you check and let us know how the “Password Last Changed” value in Sailpoint’s AD account can be updated based on the pwdlastset value being retrieved from AD system as the Sailpoint flag “Password Last Changed” is expecting date value.
I do not think you can update the “pwdlastset”. The way the Sailpoint has this working is that the date is already calculated by Active Directory in their Domain Controllers. When you aggregate it back and it will be populated on the User’s account. Once the aggregation happens Sailpoint will internally sent the notification based on the configuration you have done to sent out the email.
No, SailPoint ISC does not provide an API to directly update pwdLastSet / “Password Last Changed” on an Microsoft AD account. That attribute is controlled by AD itself.
For testing, easiest option is to reset the user password or manually modify pwdLastSet in AD using PowerShell/ADUC, then run account aggregation in ISC.