ADAM pwdLastSet

Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies, as LDAP is the only way to do a change password operation. In AD, when pwdLastSet is set to 0, the only way to change the password at next login is through a Windows login.

I'd be interested to know if this really gets you the results you want. I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint, but I always recommend using the allowedAttributesEffective constructed attribute to find out what attributes the currently bound user actually has rights to modify. This is an essential troubleshooting step. Also, the ACL editor in ADAM SP1 LDP is really nice and may help you see what you did wrong.

Joe K.
----- Original Message -----
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet

We need to delegate an ADAM Group the ability to change any other ADAM User's pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM Users live for WPRP on pwdLastSet for ADAM Users. However, it keeps giving us "Insufficient Access Rights". MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here?
BTW, this is ADAM RTM.
-Brandon
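An added example (not from either message in this thread) of the troubleshooting step Joe recommends: bind to ADAM as the delegated account, read the constructed allowedAttributesEffective attribute on the target user, and only attempt the pwdLastSet reset if that list actually contains pwdLastSet. It uses System.DirectoryServices from PowerShell rather than LDP; the server name, port, DNs and credential prompt are placeholders, and the function names are my own.

```powershell
# Added example, not from the thread: verify effective write access to pwdLastSet
# via allowedAttributesEffective before attempting the reset.
# Server, port and DNs are placeholders; replace them with your own.

Add-Type -AssemblyName System.DirectoryServices

function Get-AdamEntry {
    param(
        [string]$Server,             # placeholder, e.g. "adam-host.example.local:50000"
        [string]$DistinguishedName,  # placeholder DN of the target user
        [System.Management.Automation.PSCredential]$Credential,
        [System.DirectoryServices.AuthenticationTypes]$AuthType =
            [System.DirectoryServices.AuthenticationTypes]::Secure
    )
    # ADAM-native principals (ADAM Users) can only do a simple bind, which ADAM
    # accepts over SSL by default: pass -AuthType SecureSocketsLayer for them.
    # Windows accounts can use the default Secure (negotiate) bind.
    $path = "LDAP://$Server/$DistinguishedName"
    if ($Credential) {
        $plain = $Credential.GetNetworkCredential().Password
        return New-Object System.DirectoryServices.DirectoryEntry($path, $Credential.UserName, $plain, $AuthType)
    }
    return New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $AuthType)
}

function Test-EffectiveWrite {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [string]$Attribute = "pwdLastSet"
    )
    # allowedAttributesEffective is computed per bound identity: it lists the
    # attributes this caller may write on this object after all ACEs are applied,
    # so it shows what the delegation really granted rather than what was intended.
    $Entry.RefreshCache(@("allowedAttributesEffective"))
    $writable = @($Entry.Properties["allowedAttributesEffective"])
    return [bool]($writable -contains $Attribute)   # -contains is case-insensitive
}

function Reset-AdamPwdLastSet {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    if (-not (Test-EffectiveWrite -Entry $Entry -Attribute "pwdLastSet")) {
        Write-Warning "Bound identity has no effective write right on pwdLastSet for $($Entry.Path)"
        return $false
    }
    # 0 marks the account as "must change password at next logon".
    $Entry.Properties["pwdLastSet"].Value = 0
    $Entry.CommitChanges()
    return $true
}

# Usage with placeholders: bind as the delegated ADAM account, check, then reset.
$cred = Get-Credential -Message "Delegated ADAM account (placeholder)"
$user = Get-AdamEntry -Server "adam-host.example.local:50000" `
                      -DistinguishedName "CN=Jane Doe,OU=Users,O=Example" `
                      -Credential $cred `
                      -AuthType ([System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)

if (Test-EffectiveWrite -Entry $user) {
    "pwdLastSet is writable by this identity; proceeding"
    Reset-AdamPwdLastSet -Entry $user
} else {
    "pwdLastSet is NOT in allowedAttributesEffective for this identity; fix the ACE first"
}
```

If allowedAttributesEffective comes back without pwdLastSet, the "Insufficient Access Rights" error is explained: the WPRP ACE on the OU is not being applied to the bound account on that object (wrong trustee, wrong inherited object type, or not inheriting), and the ACL editor in ADAM SP1 LDP is the place to compare the intended ACE against what is actually on the user object.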
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx