I don't want to do this. One of the directories we are moving in is coming from iPlanet and you can do whatever you want there. That team has asked us to look into ramifications of using pwdLastSet, and from testing and your input, it's a bad idea. Basically we just need to expire someone's password, but need them to be able to bind back in and change their password. I also wanted to test using msDS-UserPasswordExpired but that cannot be changed either. Any other ideas to delegate expiring a user's password in this case? Thanks for the help!

-Brandon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies, as LDAP is the only way to do a change password operation. In AD, when you are set to 0, the only way to change the password at next login is through a Windows login. I'd be interested to know if this really gets you the results you want. I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint, but I always recommend using the allowedAttributesEffective constructed attribute to find out what attributes the currently bound user actually has rights to modify. This is an essential troubleshooting step. Also, the ACL editor in ADAM SP1 LDP is really nice and may help you see what you did wrong.

Joe K.

----- Original Message -----
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet

We need to delegate an ADAM Group the ability to change any other ADAM User's pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM Users live for WPRP on pwdLastSet for ADAM Users. However it keeps giving us "Insufficient Access Rights". MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here? btw- this is ADAM RTM.

-Brandon

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
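As an added example that is not part of the thread, this PowerShell snippet performs the allowedAttributesEffective check Joe recommends: it binds to the ADAM instance as the delegated account and reads the constructed attribute on a target user to see whether pwdLastSet is actually writable for that bind identity. The server, DNs and credentials are placeholder assumptions.

```powershell
# Added example (not from the thread). Read allowedAttributesEffective on a
# target ADAM user while bound as the delegated account, to verify delegation
# before relying on it. Server, DNs and account are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices

$server   = 'adamhost:389'                           # placeholder host:port
$targetDn = 'CN=Some User,OU=Users,O=Example'        # placeholder target user
$bindDn   = 'CN=Delegate,OU=Admins,O=Example'        # placeholder delegated account
$secure   = Read-Host -AsSecureString 'Password for delegated account'
$plain    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# AuthenticationTypes.None forces a simple LDAP bind, which is how ADAM's own
# (non-Windows) security principals authenticate. A simple bind sends the
# password in clear, so combine with SecureSocketsLayer once the instance has
# a certificate configured.
$authType = [System.DirectoryServices.AuthenticationTypes]::None
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$server/$targetDn", $bindDn, $plain, $authType)

# Constructed attributes are not returned by default; request it explicitly.
$entry.RefreshCache(@('allowedAttributesEffective'))
$writable = @($entry.Properties['allowedAttributesEffective'])

Write-Host "Attributes that $bindDn can write on $targetDn :"
$writable | Sort-Object | ForEach-Object { "  $_" }

# The attribute the thread is about: if it is absent here, the ACE on the OU
# is not granting what was intended (wrong trustee, scope, or inheritance).
if ($writable -contains 'pwdLastSet') {
    Write-Host 'pwdLastSet: writable by the bound account'
} else {
    Write-Host 'pwdLastSet: NOT writable by the bound account'
}
```

Run it once as the delegated account and once as an ADAM administrator; the difference between the two lists shows exactly what the delegation ACE did and did not grant.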