User Access Control

User-Account-Control Attribute#

Novell's Microsoft Active Directory Driver, by default, uses "pseudo" attributes to allow for setting the User-Account-Control Attribute in Microsoft Active Directory

Expiring Accounts in Microsoft Active Directory#

If you map the eDirectory attribute of Login Expiration Time to the Active Directory attribute of accountExpires, an account in Active Directory expires a day earlier than the time set in eDirectory. This happens because Microsoft Active Directory sets the value of the accountExpires attribute in full-day increments. The eDirectory attribute of Login Expiration Time uses a specific day and time to expire the account.

For example, if you set an account in eDirectory, to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in Microsoft Active Directory is July 14. If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute of Login Expiration Time is set to expire on July 16, 2007 at 12:00 a.m. Because the Microsoft Management Console doesn’t allow for a value of time to be set, the default is 12:00 a.m.

The driver uses the most restrictive settings. You can add an additional day to the expiration time in Microsoft depending upon what your requirements are.

Retaining eDirectory Objects When You Restore Active Directory Objects#

Any Microsoft Active Directory objects that are restored through the Active Directory tools delete the associated eDirectoryTM object when the objects are synchronized. The Active Directory driver looks for a change in the isDeleted attribute on the Active Directory object. When the driver detects a change in this attribute, a Delete event is issued through the driver for the object associated with the Active Directory object.

If you don’t want eDirectory objects deleted, you must add an additional policy to the Active Directory driver. Identity Manager 3.6.1 comes with a predefined rule that changes all Delete events into Remove Association events.

Other Account Controls Items#

Password Expiration Time#

Microsoft Active Directory does not store expiration time that way, rather it uses the pwdLastSet, and all you can do is set that to 0, no other values.

Setting the pwdLastSet to "0" will user to force "password change on next login", as long as

  • there is a password expiration (??? interval) time set
  • The password never expires is not set in AD.

Microsoft User Security Attributes#

User Security Attributes

User must change password at next logon#

  • To force a user to change their password at next logon, set the pwdLastSet attribute to zero (0).
  • To remove this requirement, set the pwdLastSet attribute to -1.
The pwdLastSet attribute cannot be set to any other value except by the system.

More Information#

There might be more information for this subject on one of the following: ...nobody