Our password policy is set to change password once every 24 hours (minumum password age is set to 1). We have set pwdLastSet in CREATE policy to be “true” but when the account is created in AD, value of pwdLastSet is set to the time when the account was created. Presuming this is due when the account was created a password would have been set but then how do we set pwdLastSet to 0 at the time of creation without using a rule?
Hi @bhargavpRowe,
this is the normal behavior of pwdLastSet. pwdLastSet can contais 0 or a date.
0 means that the user need to change the pwd at nest login and the when contains a dete, indicates when the user changed the pwd.
Usually whena an account is created, you need send 0(or true) and the user must to change the pwd. On modify, you can not send it(or send false) because in every case, Active directory refill automatically this attribute.
1 Like
Thank you @enistri_devo
I do have pwdLastSet set to (true) but when the user is created in AD and when i check the value it seems like it sets it the date and time when the account was created.
1 Like
Hi @bhargavpRowe ,
AD automatically sets pwdLastSet to a timestamp when the account is created and the password is set. To override this behavior and set pwdLastSet = 0 , I believe it may require explicit post-creation modification using either SailPoint rules or external scripts like PowerShell.
1 Like
@enistri_devo this is the default behavior but if you want to do some changes you can use a after modify rule and call a PowerShell script to do some modification at active directory end
1 Like
Thanks everyone. I have got a after create rule to resolve this, I just wanted to know if there was anything else I could have done to avoid creating another rule.
Yup after create rule and calling a PowerShell to update the attribute works fine. I just wanted to see if there was a way to do this without a rule.