May have been an issue forever, but I don't know the best way to fix this. In our 4.5 IDM environment we are connected to 4 AD domains, and we all know that password expiration time in eDir doesn't sync to AD for the obvious reason of not being able to set the pwdLastSet value in AD to anything but either 0 or -1. Some of our users only log into the AD domains and never log into an eDirectory resource, so what ends up happening is the 3 password expiration notices get sent to the user, but if they decide not to change it then they can still log into the AD resource because 'change password at next logon' has not been checked. The AD shipping rules only set pwdLastSet to 0 when the password expiration time in eDir is changing and it is later than the current time.

I was thinking about using the PWNotify driver to modify the password expiration time to a day in the past, 'only' if the third notification was sent out. That would change it to a time in the past, then pwdLastSet would get set to 0 in AD and life would be good. Not sure if attributes can even be set on accounts with the PWNotify driver.

How are folks forcing users that only log into AD to change their password when the eDir password expiration time is met?

Thanks in advance!
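Added example (not part of the original post, and not IDM driver policy): a small Python audit that checks the gap the post describes, namely eDirectory accounts whose passwordExpirationTime is already in the past while the matching AD account's pwdLastSet is not 0, so AD will not force a change at next logon. It also shows the generalized-time and FILETIME conversions involved, and the "push the expiration a day into the past" value the post considers. The records are constructed sample data; attribute names follow the eDir and AD schema, but the record layout and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns ticks since 1601-01-01; this offset maps it to the Unix epoch.
EPOCH_DIFF_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000

# Reference "now" for the audit run (constructed so results are reproducible).
NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample: one eDir/AD pair per user. pwdLastSet values are FILETIME ticks,
# except 0, which in AD means "user must change password at next logon".
SAMPLE_RECORDS = [
    # expired in eDir, AD still allows logon -> the case the post is worried about
    {"sAMAccountName": "alice", "passwordExpirationTime": "20240215000000Z",
     "pwdLastSet": 133512192000000000},
    # expired in eDir, AD already forces a change -> fine
    {"sAMAccountName": "bob", "passwordExpirationTime": "20240215000000Z",
     "pwdLastSet": 0},
    # not yet expired in eDir -> fine
    {"sAMAccountName": "carol", "passwordExpirationTime": "20240401000000Z",
     "pwdLastSet": 133512192000000000},
]


def parse_edir_time(value):
    """Parse an eDirectory generalized time string 'YYYYMMDDHHMMSSZ' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_edir_time(dt):
    """Format an aware datetime as eDirectory generalized time (UTC, 'Z' suffix)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def filetime_to_datetime(ticks):
    """Convert an AD FILETIME (100-ns ticks since 1601) into an aware UTC datetime."""
    return datetime.fromtimestamp((ticks - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND, tz=timezone.utc)


def ad_must_change_at_next_logon(pwd_last_set):
    """pwdLastSet == 0 is AD's 'change password at next logon' flag."""
    return int(pwd_last_set) == 0


def find_stale_ad_accounts(records, now=NOW):
    """Return sAMAccountNames whose eDir password has expired but whose AD account
    does not force a password change, i.e. users who can keep logging into AD."""
    stale = []
    for rec in records:
        expires = parse_edir_time(rec["passwordExpirationTime"])
        if expires <= now and not ad_must_change_at_next_logon(rec["pwdLastSet"]):
            stale.append(rec["sAMAccountName"])
    return stale


def backdated_expiration(now=NOW, days=1):
    """The passwordExpirationTime value that would move the expiration into the past,
    which is the approach the post considers for triggering pwdLastSet = 0 on the AD side."""
    return format_edir_time(now - timedelta(days=days))


if __name__ == "__main__":
    for name in find_stale_ad_accounts(SAMPLE_RECORDS):
        print(f"{name}: eDir password expired, AD pwdLastSet not 0 -> no forced change")
    print("backdated passwordExpirationTime:", backdated_expiration())
```

Run against a real export, the stale list is the set of users the post describes; the script only reports, it does not write to either directory.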