Setting Password Expiry Date in Active Directory

Hi all. We would like to set the password expiry date in the Active Directory during AD account provisioning. Our use case is as follows.

We will send the user a password to login to the AD, and the expiry date will be 14 days later for example. Once it exceeds 14 days, the user will not be able to login to the AD with that given password anymore. Appreciate any input on this matter.

Thank you.

I am not sure if it will be supported, but did you try populating the ms-DS-User-Password-Expiry-Time-Computed attribute in AD via the create policy?

Hello,

There is an attribute in the creation profile called “pwdLastSet”. By default, it comes as “false”, however, in your use case it would have to be “true”.

You could set up a transform like “dateCompare” adding 15 days; after the 15 days, you mark this option as “true”. This attribute means that the user will need to reset the password on the next login.

Hi Sharvari, thanks for the input! Unfortunately, this is not working for us.

Hi Matheus,

Thanks for the input! However, it may not fulfil our use case, but thank you for this useful info!

Did you get any error or issue while trying to use it?

Active Directory comes with an attribute called pwdLastSet which has a date/time stamp in EPOCH format. It is not a boolean value.

You can disable AD account based on these values.

We used to disable the AD account if the password was changed 90 days back.

I have not used/heard about setting Password expiry date, but can check and update for you.

Hi Sharvari,
There is no error when we are trying to provision this msDS-UserPasswordExpiryTimeComputed attribute. It is more like not being able to write changes to it, in which it returns AD timestamps showing 1 year later and not 14 days later for example.

Hi Krishna,

Thanks for the input. Any useful info is truly appreciated!

Maybe it’s a write-protected attribute.

@sjoyee

I guess it’s not something where we can set the password expiry attribute; it will be like a GPO (Group Policy Object). For example, for every user in the organization, the password is valid for 90/120 days from the last password set. And it’s not like you can update any attribute in AD; permissions for the service account you are using need to be considered.

I suggest you have a word with your AD team.


What is the value you have passed for msDS-UserPasswordExpiryTimeComputed? It is interesting to see 1 year. What was the value before you set this attribute?

You can’t set a specific password expiration date for a user in Active Directory. It’s not possible.

What you can do is set a Password Policy via Group Policy that applies to all accounts. I believe the default is something like 42 days. Previous NIST guidance was 90 days, but the current recommendation is "that businesses enforce password expiration and password resets only when a known compromise has occurred, or every 365 days" (source).

If you want to specifically set up a policy wherein new users need to change their initial password within X days of account creation, you can do this through a combination of Sailpoint-managed AD security groups and Fine-Grained Password Policies (which can be targeted at specific security groups).

Unfortunately, you can’t do date comparisons in a role assignment, but if you use Workflows to add newly-created AD accounts (trigger: Source Account Created) to a specific security group (action: Manage Access) that has a Fine-Grained Password Policy applied with a max password age of, say, 14 days, then have a separate workflow set up with a Source Account Updated trigger that removes the user from that security group when their pwdLastSet AD attribute changes, that should effectively let you ensure that users have a 14-day max password age just for when they’re newly onboarded, while still maintaining a general 90-day max password age for everyone else.

(note: when defining the fine-grained password policy, take into account how early before a user’s start date their account may be created; if accounts are created up to a week before they start, you will need to pad your max password age in your fine-grained password policy accordingly.)
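The approach in the reply above (a Fine-Grained Password Policy bound to a security group that new accounts join on creation and leave once pwdLastSet changes), expressed as PowerShell against the ActiveDirectory RSAT module. This is an added example, not code from the thread, from SailPoint or from Microsoft; the group name, policy name, precedence and the 5-minute creation padding are assumptions. It also decodes the pwdLastSet and msDS-UserPasswordExpiryTimeComputed values discussed earlier in the thread: both are Windows FILETIME ticks (100-nanosecond intervals since 1601-01-01 UTC), and msDS-UserPasswordExpiryTimeComputed is a constructed attribute derived from pwdLastSet plus the effective policy, so it can be read for verification but not written.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# module and a domain that supports Fine-Grained Password Policies.
Import-Module ActiveDirectory

$GroupName  = 'PW-NewHire-14Day'   # assumed group name
$PolicyName = 'PSO-NewHire-14Day'  # assumed FGPP name
$MaxAgeDays = 14

# 1. Create the FGPP once and bind it to the group. A lower Precedence wins when
#    several FGPPs apply to the same user, so choose a value below existing ones.
function Initialize-ShortAgePolicy {
    if (-not (Get-ADFineGrainedPasswordPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
            -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
            -MinPasswordLength 14 -ComplexityEnabled $true `
            -PasswordHistoryCount 24 -LockoutThreshold 10 `
            -Description 'Short maximum password age for newly provisioned accounts'
        Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
    }
}

# 2. Decode the timestamps. pwdLastSet = 0 means "must change at next logon";
#    msDS-UserPasswordExpiryTimeComputed = Int64.MaxValue means "never expires".
function Get-PasswordAgeInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties pwdLastSet, whenCreated, 'msDS-UserPasswordExpiryTimeComputed'
    $lastSet = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }
    $raw     = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Created         = $u.whenCreated
        PasswordLastSet = $lastSet
        PasswordExpires = $expires   # $null: never expires, or must change now
        AgeDays         = if ($lastSet) { [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays } else { $null }
    }
}

# 3. Enrol: the provisioning step the reply drives from a "Source Account
#    Created" workflow, done directly here.
function Add-NewAccountToShortAgeGroup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
}

# 4. Reconcile: drop members whose password was set after account creation, so
#    the general domain policy applies to them again. Run on a schedule or from
#    a "Source Account Updated" workflow; -WhatIf previews the removals.
#    The FGPP clock starts at pwdLastSet, i.e. at creation, which is why the
#    reply warns to pad MaxPasswordAge when accounts are created ahead of start.
function Sync-ShortAgeGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties pwdLastSet, whenCreated
            if ($u.pwdLastSet -gt 0) {
                $lastSet   = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
                $createdAt = $u.whenCreated.ToUniversalTime().AddMinutes(5)  # assumed padding
                if ($lastSet -gt $createdAt -and
                    $PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $GroupName")) {
                    Remove-ADGroupMember -Identity $GroupName -Members $u -Confirm:$false
                }
            }
        }
}

# Usage (assumed account name):
# Initialize-ShortAgePolicy
# Add-NewAccountToShortAgeGroup -SamAccountName 'jdoe'
# Get-PasswordAgeInfo -SamAccountName 'jdoe'
# Sync-ShortAgeGroup -WhatIf
```

Running the service account that performs these steps with only the rights it needs (create and delete members on this one group, read the user attributes) keeps the blast radius of the provisioning integration small, which matches the earlier advice to check the service account's permissions with the AD team. Get-PasswordAgeInfo is also the quickest way to confirm that the 14-day expiry actually took effect after the account joined the group.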
