How to force SSPR users to change password after help desk reset

  • 7016365
  • 30-Mar-2015
  • 30-Mar-2015


Self Service Password Reset
SSPR 3.x


Configuring SSPR to force users to change a password set through the helpdesk module


In eDiretory
This happens by default when using Universal Passwords.  The Universal Passwsord Policy setting "Do not expire the user's password when the administrator sets the password" is by default set to off.  

In Active Directory

Use SSPR to set the flag 'user must change password at next logon.'  
Using the SSPR Configuration Editor, create an entry under "Post Set Password Actions" to set the ldap attribute "pwdLastSet" to the value of "0." This action will then be performed after every helpdesk password set operation.

1. Open SSPR Configuration Editor --> Modules --> Helpdesk
2. Locate "Post Set Password Actions (Advanced)"
3. Click "Add Value,"  enter name and description
4. Select ""ldap" from the dropdown
Select options --  
    Set "Attribute Name"   to   pwdLastSet
    Set "Attribute Value"  to  0

Alternatively, the setting "Helpdesk Actor Actions" could also be set to do the same thing.

Additional Information

AD accepts a write to the ldap attribute "pwdLastSet" with a value of "0" as being the same as the 'user must change password at next logon' flag.