[389-users] flag "user must change password at next logon" remains active after PassSync

Mihai Carabas mihai.carabas at gmail.com
Wed May 20 13:41:21 UTC 2015


On Wed, May 20, 2015 at 4:12 PM, Rich Megginson <rmeggins at redhat.com> wrote:

>  On 05/20/2015 05:28 AM, Mihai Carabas wrote:
>
> Hello,
>
>  We've set up a 389 Directory Server on a Fedora21 and configured
> synchronization with an Active Directory (running on a Windows2012R2
> Datacenter). We've managed to synchronize all the accounts from the 389DS
> to AD (about 44000). All the accounts have the "user must change password
> at next logon" in the AD, even if the users change their passwords on the
> 389DS. The password gets to the AD, but the flag for "user must change
> password at next logon" still remains active (basically forces the user to
> change their password on the Active Directory). Is there any workaround for
> this?
>
>
> 389 winsync does not sync password policy related attributes.  You will
> need to handle this offline, using scripts.
>
Does anyone have such an offline script? As I've seen, one must set the
pwdLastSet to -1 in order to disable the change at next logon.
I've managed to write a one-liner PowerShell, but I don't know if this is
the best method:

    Get-ADuser -filter "pwdLastSet -eq 0" | Set-ADuser -ChangePasswordAtLogon $False

What method does 389DS use to set the user password on the Active Directory? As
I've seen here [1] if you use the SetPassword method, this flag isn't set.

[1] https://technet.microsoft.com/en-us/library/ee198797.aspx

Thank you,
Mihai

>
>  The attribute passwordMustChange in the 389DS is set to Off.
>
>  Thank you,
> Mihai Carabas
> University POLITEHNICA of Bucharest
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
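
Added example (not part of the original post and not 389 DS project code): a scoped, logged variant of the one-liner discussed in the message above, which only touches enabled accounts under the subtree that winsync populates, so that must-change flags set deliberately elsewhere in the domain are left alone. The -SearchBase value and the log file name are assumptions to be replaced with local values.

```powershell
# Added example. Clears "user must change password at next logon" (pwdLastSet = 0)
# only for enabled accounts below one OU, and writes an audit log of what it did.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SearchBase,                           # assumption: DN of the OU filled by winsync
    [string]$LogPath = '.\pwdLastSet-cleared.csv'  # hypothetical audit file name
)

Import-Module ActiveDirectory

# pwdLastSet = 0 is how AD stores the must-change flag. Restricting the search to the
# synced subtree avoids clearing the flag on accounts an admin flagged on purpose.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' `
    -Properties pwdLastSet, whenChanged

$results = @(foreach ($u in $users) {
    $status = 'skipped'   # stays 'skipped' when run with -WhatIf
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear must-change-password flag')) {
        try {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $false -ErrorAction Stop
            $status = 'cleared'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        WhenChanged       = $u.whenChanged
        Status            = $status
    }
})

# Always write the audit log, even in a -WhatIf dry run.
if ($results.Count -gt 0) {
    $results | Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
}
$results | Group-Object Status | Select-Object Name, Count
```

Running it first with -WhatIf lists the accounts that would be changed without modifying them. Clearing the flag stamps pwdLastSet with the current time, so password age in AD is counted from the moment the script runs.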