How to force SSPR users to change password after help desk reset

  • 7016365
  • 30-Mar-2015
  • 30-Mar-2015

Environment

Self Service Password Reset
SSPR 3.x

Situation

Configuring SSPR to force users to change a password set through the helpdesk module

Resolution

In eDirectory

This happens by default when using Universal Passwords. The Universal Password Policy setting "Do not expire the user's password when the administrator sets the password" is off by default.

In Active Directory

Use SSPR to set the flag 'user must change password at next logon.'

Using the SSPR Configuration Editor, create an entry under "Post Set Password Actions" that sets the LDAP attribute "pwdLastSet" to the value "0". This action will then be performed after every helpdesk password set operation.

Steps:
1. Open SSPR Configuration Editor --> Modules --> Helpdesk
2. Locate "Post Set Password Actions (Advanced)"
3. Click "Add Value," enter name and description
4. Select "ldap" from the dropdown
5. Select options:
    Set "Attribute Name" to pwdLastSet
    Set "Attribute Value" to 0

Alternatively, the setting "Helpdesk Actor Actions" could also be set to do the same thing.

Additional Information

AD accepts a write to the LDAP attribute "pwdLastSet" with a value of "0" as being the same as setting the 'user must change password at next logon' flag.
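
To confirm the post-action took effect after a helpdesk reset, the account's "pwdLastSet" can be read back and checked. The following is an added example, not part of the original article or of SSPR: it audits LDIF search output, using constructed sample entries and hypothetical function names, and also flags accounts whose userAccountControl has "Password never expires" set, since AD does not prompt those accounts for a change even when pwdLastSet is 0.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit for "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100 ns ticks from here

# Constructed sample: unwrapped LDIF as an LDAP search might return it (DNs and values are made up).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
pwdLastSet: 0
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
pwdLastSet: 132223104000000000

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
pwdLastSet: 0
userAccountControl: 66048
"""

def parse_entries(ldif):
    """Split simple LDIF text into one {attribute: value} dict per entry."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entry = {name: value.strip() for name, value in pairs}
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(ldif):
    """Map each DN to whether AD will demand a password change at next logon."""
    report = {}
    for entry in parse_entries(ldif):
        ticks = entry.get("pwdLastSet")
        uac = int(entry.get("userAccountControl", "0"))
        if ticks is None:
            status = "unknown (pwdLastSet not returned)"
        elif int(ticks) != 0:
            set_on = (FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)).date()
            status = f"not forced (password last set {set_on})"
        elif uac & DONT_EXPIRE_PASSWD:
            status = "not forced (password never expires is set)"
        else:
            status = "must change at next logon"
        report[entry["dn"]] = status
    return report

if __name__ == "__main__":
    print("\n".join(f"{s:45} {dn}" for dn, s in audit(SAMPLE_LDIF).items()))
```

The parser assumes one attribute per line with no line folding or base64-encoded values, so request unwrapped output from the search tool before feeding it in.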