Hi,

Under MS AD, the information "user must change password at next logon" is reflected through three attributes:
- the maxPwdAge attribute of the domain object,
- the pwdLastSet of the user object,
- the userAccountControl of the user object.

1) When the difference between the current date and pwdLastSet exceeds maxPwdAge, the password is expired, but nothing changes in AD. If you reset the password, please take care to update the pwdLastSet date.

2) There are complex relationships between the operations to update the password and the userAccountControl. This is a detailed status encoded in the single bits of a 32-bit word along the following table:

ADS_UF_SCRIPT = 1, // 0x1
ADS_UF_ACCOUNTDISABLE = 2, // 0x2
ADS_UF_HOMEDIR_REQUIRED = 8, // 0x8
ADS_UF_LOCKOUT = 16, // 0x10
ADS_UF_PASSWD_NOTREQD = 32, // 0x20
ADS_UF_PASSWD_CANT_CHANGE = 64, // 0x40
ADS_UF_ENCRYPTED_TEXT_PWD = 128, // 0x80
ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256, // 0x100
ADS_UF_NORMAL_ACCOUNT = 512, // 0x200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048, // 0x800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096, // 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 8192, // 0x2000
ADS_UF_DONT_EXPIRE_PASSWD = 65536, // 0x10000
ADS_UF_MNS_LOGON_ACCOUNT = 131072, // 0x20000
ADS_UF_SMARTCARD_REQUIRED = 262144, // 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION = 524288, // 0x80000
ADS_UF_NOT_DELEGATED = 1048576, // 0x100000
ADS_UF_USE_DES_KEY_ONLY = 2097152, // 0x200000
ADS_UF_DONT_REQUIRE_PREAUTH = 4194304, // 0x400000
ADS_UF_PASSWORD_EXPIRED = 8388608, // 0x800000
ADS_UF_TRUSTED_AUTH_DELEGATION = 16777216, // 0x1000000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864, // 0x4000000

You must take care of the bits "ADS_UF_PASSWD_CANT_CHANGE", "ADS_UF_PASSWD_NOTREQD", "ADS_UF_ENCRYPTED_TEXT_PWD", "ADS_UF_DONT_EXPIRE_PASSWD" and "ADS_UF_PASSWORD_EXPIRED". If you maintain the password without using the native methods, you have to take care to update pwdLastSet and reset the bit "ADS_UF_PASSWORD_EXPIRED".
For more information, please refer to the article at: http://www.jigsolving.com/activedirectory/user-account-attributes-part-5

Regards,
Giovanni

>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 20 May 2015 14:28:25 +0300
>From: Mihai Carabas <mihai.carabas@xxxxxxxxx>
>To: "General discussion list for the 389 Directory server project."
> <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
>Subject: flag "user must change password at next logon" remains active after PassSync
>
>Hello,
>
>We've set up a 389 Directory Server on a Fedora 21 and configured
>synchronization with an Active Directory (running on a Windows 2012 R2
>Datacenter). We've managed to synchronize all the accounts from the 389DS
>to AD (about 44000). All the accounts have the "user must change password
>at next logon" in the AD, even if the users change their passwords on the
>389DS. The password gets to the AD, but the flag for "user must change
>password at next logon" still remains active (basically forces the user to
>change their password on the Active Directory). Is there any workaround
>for this?
>
>The attribute passwordMustChange in the 389DS is set to Off.
>
>Thank you,
>Mihai Carabas
>University POLITEHNICA of Bucharest
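As an added worked example (not code from either message in this thread, and not from 389DS or PassSync): a small Python helper that decodes the userAccountControl bits Giovanni lists and evaluates a password against pwdLastSet and maxPwdAge. It assumes the AD FILETIME encoding (100 ns intervals since 1601-01-01 UTC, maxPwdAge stored as a negative interval) and treats pwdLastSet = 0 as "must change at next logon"; the sample values are constructed.

```python
# Added example, not from the thread: interpret the three AD attributes
# (userAccountControl, pwdLastSet, maxPwdAge) on constructed sample values.
from datetime import datetime, timedelta, timezone

# Subset of the ADS_UF_* bits relevant to password handling.
UAC_FLAGS = {
    0x0002: "ADS_UF_ACCOUNTDISABLE",
    0x0010: "ADS_UF_LOCKOUT",
    0x0020: "ADS_UF_PASSWD_NOTREQD",
    0x0040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x0080: "ADS_UF_ENCRYPTED_TEXT_PWD",
    0x0200: "ADS_UF_NORMAL_ACCOUNT",
    0x10000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x800000: "ADS_UF_PASSWORD_EXPIRED",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000  # constructed domain policy

def decode_uac(value):
    """Return the names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_datetime(ft):
    """pwdLastSet is a count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build sample pwdLastSet values."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def password_state(uac, pwd_last_set, max_pwd_age, now):
    """Classify as 'must-change', 'never-expires', 'expired' or 'valid'.

    max_pwd_age is a negative 100 ns interval; 0 or -2**63 means no expiry policy.
    """
    if pwd_last_set == 0:
        return "must-change"        # pwdLastSet 0: change required at next logon
    if uac & 0x10000:
        return "never-expires"      # ADS_UF_DONT_EXPIRE_PASSWD
    if uac & 0x800000:
        return "expired"            # ADS_UF_PASSWORD_EXPIRED set explicitly
    if max_pwd_age == 0 or max_pwd_age == -(2 ** 63):
        return "valid"
    age_limit = timedelta(microseconds=-max_pwd_age // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + age_limit
    return "expired" if now >= expires_at else "valid"
```

A sync tool that writes passwords without the native API would, per Giovanni's note, need to produce a state of "valid" here: a fresh pwdLastSet and no ADS_UF_PASSWORD_EXPIRED bit.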