Password must change is selected but user is not forced to change password
search cancel

Password must change is selected but user is not forced to change password


Article ID: 39462


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


IDM has a feature to force a the user to reset their password with the check box (Password Must Change). When an admin changes a user's  password with the password must change checkbox checked, the user is not prompted to change their password at the next login. Instead it allows the user to login.




Identity Manager


This issue is usually due to a mapping problem with the well-known attribute %ENABLED_STATE%.

Verify in the corporate directory.xml that there is an entry for %ENABLED_STATE% and that is is mapped to a physical attribute in your directory. For example,

%ENABLED_STATE% = caidmDIsabled: 

<ImsManagedObjectAttr physicalname="caidmDisabled" objectclass="caidmPerson" description="Disabled State" displayname="Disabled State" valuetype="String" wellknown="%ENABLED_STATE%" maxlength="0" hidden="true"/> 

Based on the above example, when you check 'password must change' in the IDM task, IDM updates 'caidmDisabled.' When the user logs into IDM they should be prompted for changing their password. 

If SiteMinder SSO is integrated and you have a different process and different attribute being used to set the disabled status you need to decide whether IDM or SM is going to hold the authoritative disabled state attribute and map the attributes accordingly.

IDM's Password Must Change functionality can update only the attribute mapped to its well-known %ENABLED_STATE%.

Additional Information

"Why is Disablestate being changed to 16777216 after adding a provisioning role to users?"