
PX Policy - How can you configure a PX Policy to update an AD Account so as to enable the User Must Change Password At Next Logon


Article ID: 239233


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

How can you configure a PX Policy to update an AD Account so as to enable the User Must Change Password At Next Logon flag?

Environment

IdentityMinder(Identity Manager)

Resolution

Create a new PX Policy with a type of Submitted Task and configure it to execute on Task Completed for the desired task (for example, the Create User task).

Create the following data element to get the list of all the AD Accounts associated to the user:

Data Element Name=AD Account List
Category=Accounts
Type=Accounts
Function=Get
Endpoint Type=ActiveDirectory

Create the following data element to iterate over the list of the AD Accounts associated to the user:

Data Element Name=AD Account List Iterator
Category=System
Type=List Iterator
Function=Next Object
Value or List={'AD Account List'}

Create the following action element to set the User Must Change Password At Next Logon to be true on the AD Account:

Action Name=Set pwdLastSet
Category=Accounts
Type=Set Account Data by Identifier
Function=Set
Endpoint Type=ActiveDirectory
Account Identifier={'AD Account List Iterator'}
Attribute Name=User Must Change Password at Next Logon (pwdLastSet)
Value=true
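Once the PX Policy has run, the account's pwdLastSet attribute should read back as 0 over LDAP, which is what AD uses to represent "User must change password at next logon". The following Python example is added here and is not part of the KB article: it decodes pwdLastSet values as returned by an LDAP search (the entries below are constructed, not real directory data) so you can verify the policy took effect on every account.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_pwd_last_set(raw):
    """Interpret a pwdLastSet value as read back from Active Directory.

    Returns (must_change, last_set): must_change is True when the account is
    flagged 'User must change password at next logon' (pwdLastSet == 0);
    last_set is the UTC time the password was last set, or None when flagged.
    """
    value = int(raw)
    if value == 0:
        return (True, None)
    if value < 0:
        # -1 is a write-only sentinel ("set to now"); AD never returns it.
        raise ValueError("negative pwdLastSet is only valid on write, not on read")
    return (False, _FILETIME_EPOCH + timedelta(microseconds=value // 10))


def accounts_missing_flag(entries):
    """Return sAMAccountNames whose 'must change password' flag is NOT set.

    entries: dicts with 'sAMAccountName' and 'pwdLastSet' (as strings, the way
    an LDAP client hands them back). An empty result means the PX Policy
    reached every account in the list.
    """
    return [
        e["sAMAccountName"]
        for e in entries
        if not decode_pwd_last_set(e["pwdLastSet"])[0]
    ]


# Constructed sample entries standing in for an LDAP search result.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "pwdLastSet": "0"},                   # flag set
    {"sAMAccountName": "asmith", "pwdLastSet": "133500000000000000"},  # not set
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["sAMAccountName"], decode_pwd_last_set(entry["pwdLastSet"]))
    print("accounts still needing the flag:", accounts_missing_flag(SAMPLE_ENTRIES))
```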

Additional Information

Be sure to review the following KB Article, which explains the IM task settings, so that you can be sure the AD Account will exist by the time the above PX Policy is executed. For example, if you are using Identity Policies to assign the provisioning roles responsible for creating accounts but UserSync=OnTaskCompletion, the accounts cannot be created before the above PX Policy is executed. We suggest using PX Policies to assign the provisioning roles responsible for creating accounts earlier in the task lifecycle, and configuring the task with AccountSync=OnEveryEvent so that the account is created before the above PX Policy is executed.

https://knowledge.broadcom.com/external/article/36216/explaining-im-task-settings-user-synchro.html