Removing "Change password at next login" from Change password OOTB

Which IIQ version are you inquiring about?

8.3

Please share any images or screenshots, if relevant.


Share all details about your problem, including any error messages you may have received.

I am trying to make the “Passwords” feature under the Manage Accounts Quicklink stop checking the box next to “change password at next login” whenever a password is generated or created OOTB. Screenshots are present. I do not see how to do this in the password policy nor anywhere in global settings. Please help and assist.

Hi @derrickthomasvdot,

It happens because SP sends pwdLastSet = 0 with the new password or, in case this account has never logged in, pwdLastSet is already set to 0.

Maybe in the provisioning forms (Change Password or Update) of the AD application you have a setup that sends 0 on this attribute. So, you can remove pwdLastSet from the forms.

Hi @derrickthomasvdot,

Account Attribute pwdLastSet should be false to unselect the “change password at next login” option. Please refer to the screenshot below.

regards,
Arun

I only see it as a string with no flag to set it with in my application xml file:

<AttributeDefinition name="pwdLastSet" type="string">
  <Description>Timestamp of when password last set</Description>
</AttributeDefinition>

Also, we use 2 ways to do this:

  1. Once a user has been provisioned, they need to reset their password after first login.
  2. On a password reset as I stated above. But for this one, we want the “change password after next login” in Active Directory to not be checked.

It's possible you won't find it in the XML. If you separate the provisioning forms, this configuration is on the forms.
Check whether you have set some forms in the Provisioning Policy of the app.
Then go to the Forms section in Global config, search for the Update or Change Password form, and delete the pwdLastSet attribute from it.

For creation, instead, this attribute must be present in the Create form, set to 0 to force the user to change the password.

If you set pwdLastSet to 0, the user must change the password. If you send a new password, AD automatically changes the value to the date of the last change.


Hi @derrickthomasvdot,

You can change the type to boolean and add the pwdLastSet field to the change password provisioning policy. If it is already there, you can change it to false.

Regards,
Arun

Please remember, I only want to change it when there is a password reset, not when we are creating a new user and provisioning is completed. Is there a way to do that?


This can be more of a self-service / admin function where the user’s password can be changed by either of them.

  1. When the password is changed by an administrator, SailPoint will set the pwdLastSet attribute value to 0 by default and thus force the user to change the password at next logon.
  2. When the password is changed by the user themselves, SailPoint will set pwdLastSet to 0.

To avoid pwdLastSet being set to 0 when changing the password through admin, you can add a before provisioning plan rule. In the rule you can remove the preExpire attribute from the attribute request for the password change.


Hi @derrickthomasvdot,

You can achieve this with a before provisioning rule. Please find the screenshot below for reference.

Regards,
Arun

@derrickthomasvdot I agree with @enistri_devo to add logic in the change password Provisioning policy.

If you don’t want to put any logic in the change password policy, then you can choose @vishal_kejriwal1’s suggestion.

In this case, you should have some details in the plan like flow = “PasswordRequest”, operation = “PasswordChange”, ProvisioningPolicies = “ChangePassword”, so you can easily identify that it’s a password change and modify the plan in the before provisioning policy.
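
The before provisioning rule suggested in the replies above, as an added example that is not part of the original thread and not SailPoint's own code: a BeanShell rule body that strips the preExpire argument from the password AttributeRequest on every account request except Create, so the forced change on newly provisioned accounts stays in place. It assumes the connector reads preExpire from the password request's arguments, as the reply describes, and that the password attribute is named "password".

```java
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// BeforeProvisioning rule body (BeanShell).
// "plan" and "log" are standard inputs to this rule type.
// Assumption: the "change password at next login" behaviour is driven by a
// "preExpire" argument on the password AttributeRequest (per the thread).

String PASSWORD_ATTR = "password";     // assumed name of the password attribute
String PRE_EXPIRE_ARG = "preExpire";   // argument named in the thread

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {

        // Keep the forced change for newly created accounts:
        // only password resets on existing accounts are touched.
        if (AccountRequest.Operation.Create.equals(acctReq.getOperation())) {
            continue;
        }

        // Not a password change if there is no password AttributeRequest.
        AttributeRequest pwdReq = acctReq.getAttributeRequest(PASSWORD_ATTR);
        if (pwdReq == null) {
            continue;
        }

        // Drop the pre-expire flag so the connector does not expire the
        // new password immediately.
        Attributes args = pwdReq.getArguments();
        if (args != null && args.containsKey(PRE_EXPIRE_ARG)) {
            args.remove(PRE_EXPIRE_ARG);
            log.debug("Removed " + PRE_EXPIRE_ARG + " from password request for "
                      + acctReq.getNativeIdentity());
        }
    }
}
```

After attaching it as the application's before provisioning rule, reset a test account's password and check in Active Directory that pwdLastSet is no longer 0, then provision a new test account to confirm it is still prompted to change its password.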
