On Wed, May 20, 2015 at 4:12 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 05/20/2015 05:28 AM, Mihai Carabas wrote:
Hello,
We've set up a 389 Directory Server on a Fedora21 and configured synchronization with an Active Directory (running on a Windows2012R2 Datacenter). We've managed to synchronize all the accounts from the 389DS to AD (about 44000). All the accounts have the "user must change password at next logon" in the AD, even if the users change their passwords on the 389DS. The password gets to the AD, but the flag for "user must change password at next logon" still remains active (basically forces the user to change their password on the Active Directory). Is there any workaround for this?
389 winsync does not sync password policy related attributes. You will need to handle this offline, using scripts.
Does anyone have such an offline script? As I've seen, one must set the pwdLastSet to -1 in order to disable the change at next logon.
I've managed to write a one-liner PowerShell, but I don't know if this is the best method:

    Get-ADuser -filter "pwdLastSet -eq 0" | Set-ADuser -ChangePasswordAtLogon $False
What method does 389DS use to set the user password on the Active Directory? As I've seen here [1] if you use the SetPassword method, this flag isn't set.
Thank you,
Mihai
The attribute passwordMustChange in the 389DS is set to Off.
Thank you,
Mihai Carabas
University POLITEHNICA of Bucharest
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
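Added example, not part of the thread and not 389 DS project code: a scoped version of the offline cleanup discussed above, which limits the change to one subtree, records the matched accounts, and supports a dry run, so that accounts an administrator deliberately flagged elsewhere in the directory are left alone. The function name, the OU distinguished name and the CSV path are assumptions; it needs the ActiveDirectory PowerShell module and a domain to run against.

```powershell
#Requires -Modules ActiveDirectory

function Clear-SyncedMustChangeFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: DN of the subtree that winsync writes into.
        [Parameter(Mandatory = $true)][string]$SearchBase,
        # Optional CSV path for an audit record of every account that matched.
        [string]$AuditCsv
    )

    # pwdLastSet = 0 is how AD stores "user must change password at next logon".
    $flagged = @(Get-ADUser -Filter 'pwdLastSet -eq 0' -SearchBase $SearchBase `
                            -SearchScope Subtree -Properties pwdLastSet, whenChanged)

    if ($AuditCsv) {
        # -WhatIf:$false so the audit file is written during a dry run as well.
        $flagged |
            Select-Object SamAccountName, DistinguishedName, Enabled, whenChanged |
            Export-Csv -Path $AuditCsv -NoTypeInformation -WhatIf:$false
    }

    $changed = 0
    foreach ($user in $flagged) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set pwdLastSet to -1')) {
            # -1 makes AD stamp pwdLastSet with the current time: the flag is
            # cleared and the password-age clock restarts from now.
            Set-ADUser -Identity $user -Replace @{ pwdLastSet = -1 }
            $changed++
        }
    }

    # Summary object: how many accounts matched and how many were modified.
    [pscustomobject]@{ Matched = $flagged.Count; Changed = $changed }
}

# Dry run: lists what would change and writes the audit CSV, modifies nothing.
# 'OU=Synced,DC=example,DC=com' is a placeholder DN.
Clear-SyncedMustChangeFlag -SearchBase 'OU=Synced,DC=example,DC=com' `
                           -AuditCsv .\flagged-accounts.csv -WhatIf
```

Re-running the last command without -WhatIf applies the change to the accounts listed in the CSV.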