IDM 3.5.1

I am hooking up an AD domain to the IDvault where, for the first time, the AD
workstations will not have the Novell Client, and I need to handle
bidirectional password sync.

The issue I am having is that the Help Desk uses iManager in the
IDvault to reset users' passwords. And we have a custom webapp (not
using UserApp yet) where users can log in with the temporary password and
change their password.

Now, when the Help Desk resets a user's password in the IDvault, I can trigger
off nspmDistributionPassword changing to set the AD pwdLastSet to 0,
so that when the domain user logs into AD with their temp password they
have to change their password. That works fine.

However, how do I properly manage the case where the user comes in
from the web via our webapp and changes their password in the IDvault? In
that case I do not want to trigger off the changing
nspmDistributionPassword, and I do NOT want to set pwdLastSet=0 in AD, so that when
they next log in to a domain workstation (or Citrix) with their new
password they don't get prompted by AD to change it again.

Or maybe a better way to phrase the issue is: what is the best way to handle
the "administrative reset" of a user object in the IDvault so that the
domain reacts accordingly, and vice versa? And how can I properly pass
that same status when the password has been changed in either
the domain or the IDvault?

Thanks in advance for any direction on this.
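As an added illustration (not code from the original post, and not an official Novell policy), the following DirXML-Script fragment shows the mechanism the post describes, a rule that sets pwdLastSet to 0 in AD when the IDvault password changes, together with one way of exempting self-service changes. It assumes a hypothetical auxiliary attribute, xSelfServicePwdChange, which the web application is assumed to set to "true" on the user object immediately before it writes the new password; that attribute does not exist in the standard eDirectory schema and would have to be added. The fragment is intended for the Subscriber Command Transformation policy of the AD driver.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original post.
     xSelfServicePwdChange is a HYPOTHETICAL flag attribute assumed to be set to
     "true" by the web application before it changes the user's password. -->
<policy>

  <!-- Rule 1: a self-service change. Let the password flow to AD as-is,
       clear the flag so the next reset is treated as administrative, and
       stop so the reset rule below does not fire. -->
  <rule>
    <description>Self-service change: do not force an AD password change</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-password op="changing"/>
        <if-src-attr name="xSelfServicePwdChange" op="equal">true</if-src-attr>
      </and>
    </conditions>
    <actions>
      <do-clear-src-attr-value name="xSelfServicePwdChange"/>
      <do-break/>
    </actions>
  </rule>

  <!-- Rule 2: every other password change is treated as an administrative
       reset. pwdLastSet=0 makes AD demand a new password at next logon.
       The write is deliberately NOT direct="true": AD updates pwdLastSet to
       the current time whenever the password itself is set, so the 0 must be
       queued as a modify that reaches AD after the password write, not
       before it. -->
  <rule>
    <description>Administrative reset: force password change at next AD logon</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-password op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value name="pwdLastSet" class-name="User">
        <arg-value type="string">
          <token-text xml:space="preserve">0</token-text>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>

</policy>
```

Two caveats a practitioner would check before relying on this: pwdLastSet must be allowed in the driver's Subscriber filter for the write to reach AD, and the flag attribute should only be settable by the web application's own service identity (and cleared by the policy as shown), otherwise a user who can write the flag can skip the forced change that the Help Desk reset was meant to impose. The reverse direction (a reset performed in AD and reflected back into the IDvault) is not covered by this fragment.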

