!![User-Account-Control Attribute]

Novell's [Microsoft Active Directory] Driver, by default, uses "pseudo" attributes to allow setting the [User-Account-Control Attribute] in [Microsoft Active Directory].

!! Expiring Accounts in [Microsoft Active Directory]

If you map the eDirectory attribute [Login Expiration Time] to the Active Directory attribute accountExpires, an account in Active Directory expires a day earlier than the time set in eDirectory. This happens because [Microsoft Active Directory] sets the value of the [accountExpires] attribute in full-day increments, whereas the eDirectory attribute [Login Expiration Time] expires the account at a specific day and time.

For example, if you set an account in eDirectory to expire on July 15, 2007, at 5:00 p.m., the last full day this account is valid in [Microsoft Active Directory] is July 14. If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute Login Expiration Time is set to July 16, 2007, at 12:00 a.m. Because the Microsoft Management Console does not allow a time of day to be set, the default is 12:00 a.m. The driver uses the most restrictive setting. Depending on your requirements, you can add an additional day to the expiration time on the Microsoft side.

!! Retaining eDirectory Objects When You Restore Active Directory Objects

Any [Microsoft Active Directory] objects that are restored through the Active Directory tools delete the associated eDirectory object when the objects are synchronized. The Active Directory driver looks for a change in the isDeleted attribute on the Active Directory object. When the driver detects a change in this attribute, it issues a Delete event for the eDirectory object associated with the Active Directory object. If you don't want eDirectory objects deleted, you must add an additional policy to the Active Directory driver.
Identity Manager 3.6.1 comes with a predefined rule that changes all Delete events into Remove Association events.

!!!Other Account Controls Items

!! [Password Expiration Time|pwd-Last-Set attribute]

[Microsoft Active Directory] does not store a password expiration time that way; it uses [pwdLastSet] instead, and all you can do is set it to 0, no other values. Setting [pwdLastSet] to "0" forces the user to change the password on next login, as long as:
* a password expiration interval is set, and
* "Password never expires" is not set on the account in AD.

!! Microsoft User Security Attributes

[User Security Attributes|http://msdn.microsoft.com/en-us/library/ms677943|target='_blank']

!! User must change password at next logon

* To force a user to change their password at next logon, set the [pwdLastSet] attribute to zero (0).
* To remove this requirement, set the [pwdLastSet] attribute to -1.

The [pwdLastSet] attribute cannot be set to any other value except by the system.

!! More Information

There might be more information for this subject on one of the following:

[{ReferringPagesPlugin before='*' after='\n' }]
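As an added example (not part of this page and not the Novell driver's own code), the following Python models the two behaviours described above: the full-day accountExpires rounding from the "Expiring Accounts" section, and the pwdLastSet / "Password never expires" rules from the pwd-Last-Set and "User must change password at next logon" sections. Both attributes are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), so one conversion helper serves both. The function names are mine, the rounding rule is a model of what the page describes rather than the driver's actual policy, all times are taken as UTC, and the 42-day maxPwdAge used in the sample is a constructed value.

```python
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# accountExpires and pwdLastSet are both stored this way in Active Directory.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 864_000_000_000

# userAccountControl bit for "Password never expires" (documented Microsoft flag).
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# maxPwdAge values that mean "the domain has no maximum password age".
MAX_PWD_AGE_NEVER = (0, -0x8000000000000000)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * TICKS_PER_DAY
            + delta.seconds * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse of datetime_to_filetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def edir_to_account_expires(login_expiration_time: datetime) -> int:
    """Model of the page's rule (hypothetical, not the driver's code): AD works in
    whole days and the driver keeps the most restrictive value, so the eDirectory
    time of day is dropped and the account expires at 00:00 on that date."""
    utc = login_expiration_time.astimezone(timezone.utc)
    midnight = utc.replace(hour=0, minute=0, second=0, microsecond=0)
    return datetime_to_filetime(midnight)


def last_full_valid_day(account_expires: int) -> date:
    """The day before the stored expiry instant is the last whole day of access."""
    return (filetime_to_datetime(account_expires) - timedelta(days=1)).date()


def mmc_to_login_expiration_time(expires_on: date) -> datetime:
    """MMC accepts only a date and stores the end of that day, which shows up in
    eDirectory as 12:00 a.m. of the following day."""
    return datetime.combine(expires_on, time.min, tzinfo=timezone.utc) + timedelta(days=1)


def set_pwd_last_set(requested: int, now: datetime) -> int:
    """Only 0 (force change at next logon) and -1 (stamp with the current time)
    are valid client-supplied values; anything else is rejected, as AD does."""
    if requested == 0:
        return 0
    if requested == -1:
        return datetime_to_filetime(now)
    raise ValueError("pwdLastSet accepts only 0 or -1 from clients")


def must_change_password_at_next_logon(pwd_last_set: int,
                                       user_account_control: int,
                                       max_pwd_age: int) -> bool:
    """pwdLastSet == 0 only takes effect when the domain has a maximum password
    age and the account is not flagged 'Password never expires'."""
    if pwd_last_set != 0:
        return False
    if max_pwd_age in MAX_PWD_AGE_NEVER:
        return False
    return not (user_account_control & ADS_UF_DONT_EXPIRE_PASSWD)


def password_expiry(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """AD stores maxPwdAge as a negative tick count: expiry = pwdLastSet - maxPwdAge."""
    if pwd_last_set == 0 or max_pwd_age in MAX_PWD_AGE_NEVER:
        return None
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


if __name__ == "__main__":
    # Constructed sample: the page's July 15, 2007, 5:00 p.m. example.
    edir_time = datetime(2007, 7, 15, 17, 0, tzinfo=timezone.utc)
    ad_value = edir_to_account_expires(edir_time)
    print("accountExpires ticks:", ad_value)
    print("last full valid day in AD:", last_full_valid_day(ad_value))
    print("MMC 'expires July 15' -> eDirectory:", mmc_to_login_expiration_time(date(2007, 7, 15)))

    # Constructed sample: 42-day maximum password age, normal user account (0x200).
    max_age = -42 * TICKS_PER_DAY
    print("must change at next logon:", must_change_password_at_next_logon(0, 0x200, max_age))
    print("with 'Password never expires':", must_change_password_at_next_logon(0, 0x10200, max_age))
```

The `if __name__ == "__main__":` section reproduces the page's July 15 example (last valid AD day July 14; MMC's July 15 becomes July 16 at 12:00 a.m. in eDirectory) and shows that a pwdLastSet of 0 is ignored once the ADS_UF_DONT_EXPIRE_PASSWD bit is set on userAccountControl, which is why that flag is worth checking before relying on the attribute to force a password change.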