Set AD password at user's creation

Former Member
0 Kudos

Hi All,

I am working on IDM 7.2 SP8. After adding users to IDM via a flat file, I go to the UI and add the PRIV AD ONLY, so I want to set a default password for these users with some options like: User must change password at next logon.

http://i.technet.microsoft.com/gg314976.Walther_ExchQA_1010_Fig6(en-us,MSDN.10).png

I tried with a repository constant (type password) but I don't know where to set this constant?

Many thanks for your help,

Linda

Accepted Solutions (1)

terovirta
Active Contributor
0 Kudos

Hello,

the userAccountControl in AD-attribute contains the value.

The actual value to be passed is a sum of these switch-values and they depend on your requirements:

http://support.microsoft.com/kb/305144

In IdM you can see this in the plugin task that creates the user; 546 is a combination of NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE.

regards, Tero

Former Member
0 Kudos

Hi Tero,

Thank you very much for the help, but where do I set the AD default password when the user is created (after adding the PRIV:AD:ONLY privilege)?

Regards,

Linda

terovirta
Active Contributor
0 Kudos

The default password is whatever you have stored in the standard password attributes; the standard password attribute is mapped to the AD connectors. And by default the password attributes are empty.

Easiest way would be storing the password in UI task, but sounds like you're doing a bulkload.

Do you want to use randomly generated password or type the password in the flat file you're using to import users?

Will you be using the same password later to other systems also?

regards, Tero

Former Member
0 Kudos

Hi Tero,

I am not using the UI to store the password. I am using a file to load the users in IdM.

In the UI, I add for example the privilege PRIV:AD:ONLY at this point the user is created in the AD.

I need to set the same password for all these users after adding the privilege: PRIV:AD:ONLY and only for the AD system.


so here my answers:


Do you want to use randomly generated password or type the password in the flat file you're using to import users?

--> Not a random generated password and not typing the password in the flat file. This is why I choose to store this default password in a constant.

Will you be using the same password later to other systems also?

No

Thanks,

Linda

terovirta
Active Contributor
0 Kudos

All righty, the easiest way to achieve what you want to do is re-use the password generation from the HCM interface as follows:

Link following scripts to your import job:

Define the sap_addPassword as entry script to your job. This script will be called for each record your job processes.

Locate the script custom_initializePassword which enables SAP customers to use certain password in the password generation logic. sap_addPassword will call this script, if there is no value to be returned then random password is generated.

Enter the name of your global constant here. The logic in the scripts encrypts the value from your constant to the password attributes mx_password and mx_encrypted_password.

Enter the following attribute mapping to your job where you write the users to Id Store in the first place:

Post back here if you get into trouble / if I forgot to include some details.

regards, Tero

Former Member
0 Kudos

Thank you very much Tero for your help,

Linda

Former Member
0 Kudos

Hi Tero,

I tried these values for useraccountcontrol: 512 or 544, but my users are created in the AD without the checkbox "User must change password at next logon": it is still unchecked.

The user has to be enabled, with the password to be changed at the first logon.

Any idea, please?

Linda

terovirta
Active Contributor
0 Kudos

Sorry, my memory failed, it seems to be pwdLastSet-attribute with value 0 that's visible in the first reply / screen shot.

regards, Tero

Former Member
0 Kudos

Hi Tero,

I set:

pwdLastSet = 0

useraccountcontrol=512

But I am still not able to check: User must change password at next logon

Any idea?

Linda

terovirta
Active Contributor
0 Kudos

My reply was based on my notes and I don't have access to AD in my current project where I could verify it again.

Maybe it is combination of userAccountControl and pwdLastSet, that's what I would try next.

Hopefully someone with AD in their current implementation responds to your other thread, as this requirement is not a rare one.

regards, Tero


jaisuryan
Active Contributor
0 Kudos

Hi Linda,

Did you resolve this?

If you need to check "User must change password at next logon" check box, then you need to add pwdLastSet as 0 in your "Set ADS Password" task.

If you add pwdLastSet = 0 in the CreateADSUser task, the value gets overwritten by the Set password task while setting the password.

Please check if this works and let us know.

Kind regards,

Jai
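
The userAccountControl sums and the pwdLastSet rule discussed in this thread, as an added example that is not part of any post and is not SAP IdM code: it decodes the values mentioned above (546, 512, 544) and reviews the attributes read back from a provisioned account. The helper names and the non-zero pwdLastSet sample are assumptions made for illustration; the flag values are the ones documented in Microsoft KB 305144.

```python
# Added example: decode userAccountControl and review provisioning results.
# Subset of the flag values documented in Microsoft KB 305144.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_EXPIRE_PASSWORD = 0x10000


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def must_change_at_next_logon(uac, pwd_last_set):
    """pwdLastSet = 0 forces a change, unless the password is set to never expire."""
    return pwd_last_set == 0 and not (uac & DONT_EXPIRE_PASSWORD)


def review(uac, pwd_last_set):
    """Hypothetical helper: decoded flags plus findings for one account."""
    flags = decode_uac(uac)
    findings = []
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWD_NOTREQD set: no password is required for this account")
    enabled = "ACCOUNTDISABLE" not in flags
    if enabled and not must_change_at_next_logon(uac, pwd_last_set):
        findings.append("enabled with a default password and no forced change at first logon")
    return flags, findings


# Constructed samples: the userAccountControl values from the thread, paired with
# pwdLastSet = 0 or a made-up non-zero timestamp (as left behind by a password set).
NONZERO = 132000000000000000
SAMPLES = [(546, 0), (544, NONZERO), (512, NONZERO), (512, 0)]

if __name__ == "__main__":
    for uac, pls in SAMPLES:
        flags, findings = review(uac, pls)
        print(uac, pls, "+".join(flags), findings or "ok")
```

Running the review against attributes read back after the password task has finished shows whether pwdLastSet = 0 survived, which is the overwrite case described in the last reply.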
