Hello,
To expire a user's password, you need to set the User must change password at next logon flag in the user's Account Options. This will force the user to change the password the next time the user logs on. To set the flag with the help of a Business Rule, Scheduled Task or Custom Command, you need to add the Modify Account Options action that sets the flag. To do this:
- Add the Modify Account Options action to your Business Rule, Scheduled Task or Custom Command.
- In the Action Parameters section, check the first and the second checkboxes opposite the User must change password at next logon option.
As to why setting the Password Last Set property to a certain value caused the error, this happens because you are allowed to set the property only to Unspecified (which is the same as setting it to 0). This is the only value that should not cause the error. Setting the value to Never or a certain date will cause the error, because this is reserved for use by the system as per Active Directory design. You are not supposed to set these values manually.
Also, simply setting Password Last Set to 0 will not cause password expiration. A user is forced to change password at next logon if all of the following three conditions are met:
- The Password Last Set property is set to 0.
- The Password never expires flag in the user's account options is set to False.
- The User cannot change password flag in the user's account options is set to False.
If you use the Modify Account Options action mentioned above to force a user to change his/her password, the Password never expires and the User cannot change password flags will be set to False automatically. However, if, for some reason, you don't want to use the action, you'll need to manually set the flags to False in order to force the user to change the password.
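
The three conditions listed above can be audited per account before relying on a forced change. The PowerShell below is an added example, not part of the original reply and not Adaxes code; it assumes the property names exposed by the ActiveDirectory module's `Get-ADUser` (`pwdLastSet`, `PasswordNeverExpires`, `CannotChangePassword`), and the sample accounts are constructed.

```powershell
# Added example: report whether an account will really be forced to change
# its password at next logon, and which of the three conditions blocks it.
function Test-MustChangePassword {
    [CmdletBinding()]
    param(
        # Any object carrying the four properties used below, e.g. Get-ADUser output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $blockers = @()
        # Condition 1: Password Last Set must be 0 (Unspecified).
        if ([int64]$User.pwdLastSet -ne 0) { $blockers += 'Password Last Set is not 0' }
        # Condition 2: Password never expires must be False.
        if ($User.PasswordNeverExpires)    { $blockers += 'Password never expires is set' }
        # Condition 3: User cannot change password must be False.
        if ($User.CannotChangePassword)    { $blockers += 'User cannot change password is set' }

        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            MustChangeAtLogon = ($blockers.Count -eq 0)
            Blockers          = $blockers -join '; '
        }
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; pwdLastSet = 0
                       PasswordNeverExpires = $false; CannotChangePassword = $false }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; pwdLastSet = 0
                       PasswordNeverExpires = $true; CannotChangePassword = $false }
    [pscustomobject]@{ SamAccountName = 'kiosk01'; pwdLastSet = 0
                       PasswordNeverExpires = $false; CannotChangePassword = $true }
    [pscustomobject]@{ SamAccountName = 'bob'; pwdLastSet = 133500000000000000
                       PasswordNeverExpires = $false; CannotChangePassword = $false }
)
$sample | Test-MustChangePassword | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties pwdLastSet, PasswordNeverExpires, CannotChangePassword |
#     Test-MustChangePassword | Where-Object { -not $_.MustChangeAtLogon }
```

Accounts that show `pwdLastSet = 0` but still list a blocker are the ones where setting Password Last Set alone did not expire the password.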