User must change his password at next login flag

I'm confused about the flag "user must change his password at next login". Should I use the value 544 in userAccountControl (as I read in some AD posts)?

But the value 32 means "password is not required"; what impact does that have on the system in terms of security?

Or should I set lastLogin to 0 with userAccountControl set to 215 (NORMAL account)?

July 28th, 2011 8:25pm

Set pwdLastSet to 0 if you wish to force users to change their password on first login.
More info here: http://msdn.microsoft.com/en-us/library/ms679430%28VS.85%29.aspx

//Henrik

July 28th, 2011 8:36pm

What Henrik says is correct.

Typically you can choose to flow 512 (Enabled Account) with the "initial flow only" flag. However, for permanent flows it's better to use the bitand/bitor functions. See this thread for some extra info: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/f8319338-e73c-42bd-99ed-6098d2f2e62e/

And here's an excellent article on UserAccountControl bitand/bitor stuff: How to Enable or Disable Accounts in Active Directory Domain Service Using FIM

July 28th, 2011 9:31pm
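The two answers above in working form, as an added example that is not part of the original thread. It decodes the userAccountControl value from the question (544 = 0x220 = NORMAL_ACCOUNT 512 + PASSWD_NOTREQD 32, i.e. an enabled account that is allowed to have an empty password), clears the PASSWD_NOTREQD bit with a bitwise AND so the other bits are preserved, and sets pwdLastSet to 0 to force a password change at next logon, which is not a userAccountControl bit at all. It uses the RSAT ActiveDirectory module; the account name jdoe is a placeholder assumption.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and rights to write userAccountControl and pwdLastSet on the target user.
Import-Module ActiveDirectory

$User = 'jdoe'   # assumption: placeholder sAMAccountName

# Well-known userAccountControl bit values (ADS_USER_FLAG_ENUM), decimal in brackets.
$UacNames = @{
    0x0002  = 'ACCOUNTDISABLE'      # 2
    0x0020  = 'PASSWD_NOTREQD'      # 32
    0x0200  = 'NORMAL_ACCOUNT'      # 512
    0x10000 = 'DONT_EXPIRE_PASSWD'  # 65536
}

# Return the names of the known flags set in a userAccountControl value.
function Get-UacFlags {
    param([int]$Uac)
    $UacNames.Keys | Sort-Object |
        Where-Object { ($Uac -band $_) -ne 0 } |
        ForEach-Object { $UacNames[$_] }
}

Get-UacFlags 544   # NORMAL_ACCOUNT, PASSWD_NOTREQD
Get-UacFlags 512   # NORMAL_ACCOUNT

$acct = Get-ADUser -Identity $User -Properties userAccountControl, pwdLastSet
"Current flags: $((Get-UacFlags $acct.userAccountControl) -join ', ')"

# 1. Remove PASSWD_NOTREQD with bitand against the complement (the bitand/bitor
#    approach from the answer above): every other bit, e.g. NORMAL_ACCOUNT, survives.
$newUac = $acct.userAccountControl -band (-bnot 0x0020)
if ($newUac -ne $acct.userAccountControl) {
    Set-ADUser -Identity $User -Replace @{ userAccountControl = $newUac }
    # Equivalent cmdlet form: Set-ADAccountControl -Identity $User -PasswordNotRequired $false
}

# 2. Force "must change password at next logon": pwdLastSet = 0.
#    (Writing -1 instead sets it to the current time and clears the requirement.)
#    Equivalent cmdlet form: Set-ADUser -Identity $User -ChangePasswordAtLogon $true
if (($acct.userAccountControl -band 0x10000) -ne 0) {
    # Caveat: with DONT_EXPIRE_PASSWD set, pwdLastSet = 0 does not prompt the user;
    # "password never expires" and "must change at next logon" are mutually exclusive.
    Write-Warning "$User has DONT_EXPIRE_PASSWD set; clear it before forcing a change."
} else {
    Set-ADUser -Identity $User -Replace @{ pwdLastSet = 0 }
}

Get-ADUser -Identity $User -Properties userAccountControl, pwdLastSet |
    Select-Object sAMAccountName, userAccountControl, pwdLastSet
```

Leaving PASSWD_NOTREQD (32) set is the security problem hinted at in the question: it lets the account be given a blank password regardless of the domain password policy, so 544 should normally be reduced to 512 and the change-at-next-logon behaviour achieved through pwdLastSet instead. In a FIM sync rule the same two writes are an attribute flow of 0 to pwdLastSet plus a BitAnd on userAccountControl, as the answer above describes.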

Thanks guys, I was looking for the "pwdLastSet" attribute ...

July 28th, 2011 9:57pm

Hi, I'm new to this, so apologies if I'm asking in the wrong place:

I want to use FIM (via the Portal) to allow a user to reset their password, but as this may be done from an untrusted location, I want to then force them to reset their password when they next log on at their own desktop, which is in a trusted environment, effectively making the password entered via the FIM portal a one-time password. How do I do this? Can you help please?

Thanks,

Graham

March 20th, 2014 6:55am

You are probably best off creating a new thread to get an answer to your question. Some people don't look at threads that are already answered.

It sounds like you want to leverage the SSPR component of FIM. You are able to publish both the password registration and reset portals to the internet if required. SSPR is quite secure (especially the email/SMS OTP options) and it does enforce your domain's password policies. There are options to force the password change after successfully completing a password reset, but they seem like they would be pretty messy.

March 20th, 2014 10:15pm
