I have IDM 3.5.1. I am using the AD Driver to SYNCH with my vault and
the EDIR driver to SYNCH with my production eDirectory. Because IDM
treats all paasword changes as Administrative changes, I had to disable
the UP policy setting that forces users to change their password after
an administrative reset. Now, despite settings in user templates the
UP policy sets password expiration of new accounts for one year away.

I would like to be able to use the set destination attribute "Password
Expiration Time" and set this value to the current date an time so that
when new users login they are forced to reset their password. I cannot
get it to work. Does anyone have any ideas on how to fix this?

I have created this rule in the CREATION ruleset of the PUBLISHER
channel on my Production EDIR driver (but it doesn't work):
<description>Set immediate Password Expiration</description>
<comment xml:space="preserve">Expire the user's password upon account
<if-operation mode="nocase" op="equal">add</if-operation>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<do-add-dest-attr-value class-name="User" name="Password Expiration
Time" when="after">
<arg-value type="time">
<token-time format="!JTIME" lang="en-US" tz="UTC"/>

bscrews's Profile: http://forums.novell.com/member.php?userid=6142
View this thread: http://forums.novell.com/showthread.php?t=340339