AD and Self Service Password Reset
First, I am new to both SAP and IdM. I am trying to set up the self service password reset and have done so according to the documentation using the SAP Provisioning Framework task "SetPasswordOnActiveDirectoryUser-Windows-VB". I set up a separate dispatcher running under a Windows domain account with Domain Administrator rights specifically for doing the password reset jobs. My environment is IdM 7.1 sp5 against a Windows 2008 Active Directory.
The password reset works as expected with both the VB script and from an LDAP pass setting the userPassword to the MX_PASSWORD value. My issue is that if the user is locked out, then it takes 2 times through the process to first unlock the user then change the password. I cannot seem to get the account modified by unlocking the account then changing the password all within the same provisioning task. In the pass I have used both userAccountControl=544 and lockoutTime=0 to unlock the user (not at the same time) and userPassword=%MX_PASSWORD% to set the password with the changetype=modify.
The really odd thing is that although the task is an Ordered Group and I have set up each of the subtasks as first reset the password then enable the user and the job log shows them run in that order, the AD controller shows the unlock occurring first every time. Any help would be much appreciated.