Can someone point me in the right direction? I am trying to work out how I
can force a user logging into Active Directory to change their password if
it has been changed by an Administrator in the Vault.

We are using IDM 3.0, NW 6.5 SP3 and Windows 2003 SP1.

I have found that if I set the AD attribute pwdLastSet = 0 in Active
Directory, the user is forced to change the password at next logon.

However, I am not sure how I would know that the administrator has reset a
password rather than a user.

I think it is passwordExpirationTime.

If it is this, is there a way to say: if passwordExpirationTime is older
than the current time (I am not sure how to get the current time), then set
pwdLastSet = 0?

Is this the best way of implementing this requirement?
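The following DirXML Script rule is an added illustration of the approach described in the question; it is not code from the original post or from the IDM product. It assumes the password is reaching the AD driver as a change to nspmDistributionPassword (IDM 3 password synchronisation), that the rule sits in the Subscriber Command Transformation policy of the AD driver, that the driver version in use supports the `!CTIME` format of the time token and numeric comparison mode (both are assumptions here; check the Policy Builder on your build), that passwordExpirationTime is presented as seconds since the epoch, and that pwdLastSet passes through the schema mapping unmapped so that the AD driver writes it as-is.

```xml
<policy>
  <rule>
    <description>Force AD password change when the Vault password is already expired (assumed to mean an admin reset)</description>
    <conditions>
      <and>
        <!-- only react to a password change flowing to AD for a User object -->
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="nspmDistributionPassword" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- current time as seconds since the epoch; !CTIME support is an assumption about this IDM build -->
      <do-set-local-variable name="now">
        <arg-string>
          <token-time format="!CTIME" tz="UTC"/>
        </arg-string>
      </do-set-local-variable>
      <do-if>
        <arg-conditions>
          <and>
            <!-- passwordExpirationTime is read from the Vault object; numeric mode is an assumption -->
            <if-attr name="passwordExpirationTime" op="lt" mode="numeric">$now$</if-attr>
          </and>
        </arg-conditions>
        <arg-actions>
          <!-- AD accepts only 0 (must change at next logon) or -1 (set to now) on write -->
          <do-set-dest-attr-value name="pwdLastSet">
            <arg-value type="string">
              <token-text>0</token-text>
            </arg-value>
          </do-set-dest-attr-value>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
```

Two AD-side caveats worth checking before relying on this: pwdLastSet can only be written as 0 or -1, so the rule must never copy a timestamp into it, and a pwdLastSet of 0 is ignored by AD when the account's userAccountControl carries the "Password never expires" flag, so such accounts will not be prompted at logon even though the attribute was set.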