I just tested this with ADAM SP1.

1. A delegated admin was able to set pwdLastSet to 0 and -1.
2. Once "expired" by setting to 0, the account could not bind as expected.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 1:59 PM
To: [email protected]
Subject: Re: [ActiveDir] ADAM pwdLastSet

This is sort of a hard problem. If our investigations regarding the behavior of pwdLastSet are true in ADAM, then you don't really have a reasonable way of forcing a password change or expiring it outside of the defined policy. I still haven't had a chance to test it today. :)

What you might consider is doing something application level, where you implement some sort of self service password reset feature. For example, you might do an administrative reset of the password and then send the user an email with a link that takes them to a website that allows them to log in and essentially do a password reset behind the scenes using a privileged service account. The link might contain a signed, encrypted query string that contains the user UPN and a timestamp that can be used for expiring the request. If you've got a 2nd viable login method such as a certificate or SecurID token or (far worse) verification questions, that would be less subject to theft than a simple URL.

Since you'll almost certainly be using a web-based tool for password change operations anyway, this might be reasonable.

I'm curious what other people think about this. I haven't even thought about this aspect of ADAM identity life cycle really.

Joe K.

----- Original Message -----
From: "Bernier, Brandon (.)" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, July 14, 2006 12:09 PM
Subject: RE: [ActiveDir] ADAM pwdLastSet

I don't want to do this. One of the directories we are moving in is coming from iPlanet and you can do whatever you want there. That team has asked us to look into ramifications using pwdLastSet and from testing and your input, it's a bad idea. Basically we just need to expire someone's password, but need them to be able to bind back in and change their password. I also wanted to test using msDS-UserPasswordExpired but that cannot be changed either. Any other ideas to delegate expiring a User's password in this case?

Thanks for the help!

-Brandon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: [email protected]
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies as LDAP is the only way to do a change password operation. In AD, when you are set to 0, the only way to change the password at next login is through a Windows login. I'd be interested to know if this really gets you the results you want. I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint, but I always recommend using the allowedAttributesEffective constructed attribute to find out what attributes the currently bound user actually has rights to modify. This is an essential troubleshooting step. Also, the ACL editor in ADAM SP1 LDP is really nice and may help you see what you did wrong.

Joe K.

----- Original Message -----
From: Bernier, Brandon (.)
To: [email protected]
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet

We need to delegate an ADAM Group the ability to change any other ADAM User's pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM Users live for WPRP on pwdLastSet for ADAM Users. However it keeps giving us "Insufficient Access Rights". MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here?

BTW, this is ADAM RTM.

-Brandon

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
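An added example, not from any message in this thread: a stdlib-only Python model of the pwdLastSet behaviour discussed above (0 forces a change and blocks the bind, -1 stamps the current time, only those two values are accepted on write) together with the allowedAttributesEffective check Joe Kaplan recommends. The attribute lists, maxPwdAge and timestamps are constructed sample values, not read from a directory.

```python
# Constructed model of pwdLastSet handling; attribute lists and times are sample data.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # pwdLastSet / maxPwdAge are 100-nanosecond ticks


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks since 1601-01-01 UTC -> aware datetime (integer math, no drift)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def can_write(allowed_attributes_effective, attr: str) -> bool:
    """allowedAttributesEffective lists what the *bound* user may write on the object
    it was read from; LDAP attribute names compare case-insensitively."""
    wanted = attr.lower()
    return any(a.lower() == wanted for a in allowed_attributes_effective)


def write_pwdlastset(allowed_attributes_effective, value: int, now: datetime) -> int:
    """Model the server-side rule: an admin may write only 0 or -1.
    Returns the value the directory would store."""
    if not can_write(allowed_attributes_effective, "pwdLastSet"):
        raise PermissionError("insufficientAccessRights")  # the error Brandon reported
    if value == 0:
        return 0                     # "must change at next logon"
    if value == -1:
        return datetime_to_filetime(now)  # system replaces -1 with the current time
    raise ValueError("pwdLastSet accepts only 0 or -1 on write")


def password_state(pwd_last_set: int, max_pwd_age: int, now: datetime) -> str:
    """maxPwdAge is stored as a negative tick interval, hence the subtraction."""
    if pwd_last_set == 0:
        return "must-change"  # simple LDAP bind fails until the password is reset
    expires = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return "expired" if now >= expires else "valid"


# Constructed sample inputs: the thread's date, a 42-day maxPwdAge, and tick offsets.
SAMPLE_NOW = datetime(2006, 7, 14, 12, 9, tzinfo=timezone.utc)
SAMPLE_NOW_FT = datetime_to_filetime(SAMPLE_NOW)
MAX_PWD_AGE_42_DAYS = -42 * 86400 * TICKS_PER_SECOND
TEN_DAYS = 10 * 86400 * TICKS_PER_SECOND
FIFTY_DAYS = 50 * 86400 * TICKS_PER_SECOND
```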
