Looking for some recommendations on the use case below.
Background:
We have an LCS that disables the AD account for users who haven't logged in for a long time; this is determined using pwdLastSet on the user's AD account.
LCS flow: 'Active' (AD enabled) → 'LPS98' (AD disabled)
We use a password sync group, and when a user in this state changes their password the AD OOTB connector sets the pwdLastSet value to 'false' and doesn't aggregate the latest pwdLastSet value on the AD account. The AD account doesn't get enabled; it needs another (single account) aggregation on the AD account, which performs an identity refresh and eventually moves the user to the Active LCS. This leaves users in a disabled state even after changing their password.
LCS Flow:
'LPS98' (AD disabled) → change password → AD aggregate → 'Active' (AD enabled)
Current workaround:
We created a workflow, on a scheduled trigger, which queries successful password changes for users in that LCS and performs a single account aggregation on the AD account.
Is there a better solution for this using a provisioning policy, a workflow with a specific trigger, or any other way?
This seems like a common use case: a user changing the password on a disabled AD account should enable the account and bring back the pwdLastSet value.
@schattopadhy Hi, we use a transform for LCS handling. We use the status from the HR feed to make the user active, and we check the pwdLastSet account attribute in the transform; if it is greater than a certain number of days, the user is moved to the LCS.
A full aggregation is able to bring in the pwdLastSet value. We are facing the issue getting the same value during a single account aggregation after the change-password call (where the AD OOTB connector sets this value to false).
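As an added illustration of the pwdLastSet check described in this thread (this is example code written for this page, not the poster's transform and not SailPoint code), the block below converts the raw AD pwdLastSet value (a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC) into an age in days and derives the lifecycle state from it. It assumes the state names 'Active' and 'LPS98' from the thread, a 98-day threshold chosen to match the 'LPS98' name, and a fixed "now" so the sample is reproducible; all sample accounts are constructed. The security-relevant edge case is the one the thread hits: when the attribute arrives as 'false' (or 0, AD's "must change password at next logon" marker, or anything non-numeric) the logic keeps the current state instead of disabling an account on missing data.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # FILETIME value of 1970-01-01 UTC

# Assumptions for this example (not from the thread): a fixed "now" so results
# are reproducible, and a 98-day threshold matching the 'LPS98' state name.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DEFAULT_THRESHOLD_DAYS = 98


def filetime_to_datetime(value: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (exact integer math)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def days_since_password_set(raw, now: datetime = None):
    """Days since pwdLastSet, or None when the value cannot be trusted.

    Untrusted values: missing/empty, the literal 'false' the connector leaves
    behind after a change-password call, non-numeric junk, and 0 (AD's
    'user must change password at next logon' marker).
    """
    if raw is None:
        return None
    text = str(raw).strip()
    if text == "" or text.lower() in ("false", "none", "null"):
        return None
    try:
        value = int(text)
    except ValueError:
        return None
    if value <= 0:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - filetime_to_datetime(value)).days


def lifecycle_state(raw_pwd_last_set, current_state: str,
                    threshold_days: int = DEFAULT_THRESHOLD_DAYS,
                    now: datetime = None) -> str:
    """'LPS98' when the password is older than the threshold, 'Active' when fresh.

    When pwdLastSet is unusable (e.g. 'false' right after a password change),
    keep the current state instead of disabling an account on missing data.
    """
    days = days_since_password_set(raw_pwd_last_set, now)
    if days is None:
        return current_state
    return "LPS98" if days > threshold_days else "Active"


def run_sample() -> dict:
    """Constructed sample accounts (not real data) evaluated against SAMPLE_NOW."""
    fresh = datetime_to_filetime(SAMPLE_NOW - timedelta(days=10))
    stale = datetime_to_filetime(SAMPLE_NOW - timedelta(days=200))
    accounts = {
        "fresh_after_change": (str(fresh), "LPS98"),    # attribute aggregated as a string
        "stale_password": (stale, "Active"),
        "connector_wrote_false": ("false", "LPS98"),    # the case described in the thread
        "must_change_at_logon": (0, "Active"),
    }
    return {name: lifecycle_state(raw, state, now=SAMPLE_NOW)
            for name, (raw, state) in accounts.items()}


if __name__ == "__main__":
    for name, state in run_sample().items():
        print(f"{name:24s} -> {state}")
```

The point of keeping the current state on a 'false' value is that a transform which treats missing data as "old" would re-disable an account the moment the connector writes 'false' after a password change; until the attribute is re-aggregated, the honest answer is "unknown", and the decision should wait for the next aggregation rather than guess.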