AD Driver - Password is expired immediately after syncing to the Identity Vault (admin-type password change)

  • 7024072
  • 20-Aug-2019
  • 20-Aug-2019

Environment

Identity Manager 4.x

Situation

When a user's password is changed in Active Directory and that password synchronizes to the Identity Vault, the password is expired in the Identity Vault and the user is required to change it immediately.

Resolution

Either configure password synchronization from Active Directory to publish to the Distribution Password instead of the NDS password, or check "Do not expire the user's password when the administrator sets the password" on the password policy assigned to the user.

To synchronize through the Distribution Password, set
Publish passwords to NDS password:  false
Publish passwords to Distribution Password:  true
in the Global Config Values for Password Synchronization on the properties of the Active Directory driver.

To set "Do not expire the user's password when the administrator sets the password" to true (checked) on the password policy assigned to the user, first find out which password policy applies to the user with the View Policy Assignments task under the Passwords role in iManager.  Then edit the properties of that password policy (Password Policies task under the Passwords role in iManager).  Select the Universal Password tab, check the box next to "Do not expire the user's password when the administrator sets the password" and save.  Note that this option applies to every user assigned that policy and to every administrator-set password, not only to passwords published by the Active Directory driver.
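To confirm the symptom before the change, and that it is gone afterwards, it helps to look at the affected users' expiry timestamps in the Identity Vault rather than waiting for a login prompt. The following script is an added example, not part of this TID or of Identity Manager: it reads an LDIF export of user objects and reports every user whose password expiry is not later than the last password change, which is what an immediate "admin-type" expiry looks like. It assumes the export carries the eDirectory attributes pwdChangedTime and passwordExpirationTime in LDAP GeneralizedTime form; the attribute names and the sample entries are assumptions constructed for illustration, so check them against your own export.

```python
"""Flag Identity Vault users whose password expired as soon as it was set.

Added example, not from the TID. Assumes an LDIF export of user objects that
carries the eDirectory attributes pwdChangedTime and passwordExpirationTime
(both GeneralizedTime, e.g. 20190820093000Z). Those attribute names and the
sample data below are assumptions / constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed LDIF: jdoe shows the NDS-password "admin change" expiry
# (expiry == change time), asmith kept a normal 90-day expiry, and the
# third entry has no expiry attribute at all and must be skipped.
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=users,o=vault
cn: jdoe
pwdChangedTime: 20190820093000Z
passwordExpirationTime: 20190820093000Z

dn: cn=asmith,ou=users,o=vault
cn: asmith
pwdChangedTime: 20190820094500Z
passwordExpirationTime: 20191118094500Z

dn: cn=noexpiry,ou=users,o=vault
cn: noexpiry
pwdChangedTime: 20190820095000Z
"""


def parse_ldif(text):
    """Minimal LDIF parser (plain 'attr: value' lines, entries separated by
    blank lines; base64 '::' values and line folding are not handled)."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20190820093000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expired_on_change(entries):
    """Return the DNs whose password expiry is not later than the last
    password change, i.e. passwords that were expired the moment they were
    set. Entries lacking either attribute are ignored."""
    hits = []
    for entry in entries:
        changed = entry.get("pwdChangedTime")
        expires = entry.get("passwordExpirationTime")
        if not changed or not expires:
            continue
        if gtime(expires[0]) <= gtime(changed[0]):
            hits.append(entry["dn"][0])
    return hits


if __name__ == "__main__":
    for dn in expired_on_change(parse_ldif(SAMPLE_LDIF)):
        print("password expired at change time:", dn)
```

Run it against an export taken right after an Active Directory password change; with the default GCVs the changed user should appear in the output, and after switching to the Distribution Password or enabling the "Do not expire" policy option it should not.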

Cause

With the current IDM 4.7 Active Directory Driver packages, the default Global Config Values for Password Synchronization on the properties of the Active Directory driver are:

Application accepts passwords from Identity Manager: true
Identity Manager accepts passwords from application:  true
Publish passwords to NDS password:  true
Publish passwords to Distribution Password:  false
Require password policy validation before publishing passwords:  true
Reset user's external system password to the Identity Manager password on failure:  true
Notify the user of password synchronization failure via e-mail:  true

If the password change is synchronized to the Identity Vault as an NDS password, eDirectory in the Identity Vault treats it as an "admin"-type password change.  If the password policy assigned to the user in the Identity Vault has "Do not expire the user's password when the administrator sets the password" set to false, the user's password is expired immediately.