Updating Global User's password using Provisioning Manager always turns on "User must change password at next login" option on its Access Control NT Account
search cancel

Updating Global User's password using Provisioning Manager always turns on "User must change password at next login" option on its Access Control NT Account

book

Article ID: 252186

calendar_today

Updated On:

Products

CA Identity Manager

Issue/Introduction

After creating a Global User and provisioned it to have correlated Windows NT account at the Access Control Endpoint, updating the Global User's password using Provisioning Manager always turns on "User must change password at next login" option at the NT Account, regardless of the settings of Account Template.

If we update the Corporate user's password via Identity Manager User Console's Reset User Password task then this problem doesn't occur

Environment

Release : IM 14.3, 14.4 and PIM 12.81 on Windows 2016

Cause

When we compare how the Windows NT Account is updated, between using IM User Console and Provisioning Manager, the difference is eTSelfChange attribute. Using IM User Console, Provisioning sends eTSelfChange=1 update while using Provisioning Manager the account update process is lacking this attribute update.

Resolution

Provisioning Manager is working by design, because we login as 'etaadmin' Administrator User to update the Global User's password. As the password is not updated by the Global User itself, Provisioning doesn't send eTSelfChange=1.

To workaround this problem, customers can use IM User Console or run the following etautil command on the Provisioning Server machine.

etautil -d im -u etaadmin -p <etaadmin's password> update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTGlobalUser eTGlobalUserName=<global user name> to eTSyncAccounts=1 eTSelfChange=1 eTPassword=<new password>

 

Notes:
 Replace <etaadmin's password> with etaadmin's password
 Replace <global user name> with the Global User name
 Replace <new password> with the new password to update