
AD Account disable and creation

NM
Regular Contributor III

Hi,

We are currently planning to create AD accounts from Saviynt. We have to give the user an option to set the password at first AD login, so as per the documentation we have set pwdlastset to 0. But we need to set an initial or random password for the account; which variable can we use for that in the create account JSON? (In my opinion they have to fill in a random password assigned to the account at the time of creation, only after which they will be prompted to set a new password.)

2) At the time of disabling or enabling the account, we don't want to change the password of the account; we want to keep it the same as the one the user created at the first login prompt. But once the account is enabled, we want to prompt the user to set a new password for the account again.

How can we achieve the above 2 scenarios?

Thanks!


Sandeep
New Contributor III

You can use "unicodePwd" to set the initial password

NM
Regular Contributor III

Hi @Sandeep, is it required? Or does the AD connection automatically update the password for the user account?

rushikeshvartak
All-Star

Setting Initial Password at Account Creation: You can generate a random password at the time of account creation and provide it to the user. Then, you can set the userPassword attribute in the JSON payload with the generated random password. Here's an example JSON payload for creating an account with a random initial password:

{
  "userName": "exampleUser",
  "userPassword": "RandomPassword123",
  "pwdLastSet": 0
}

Maintaining Password During Account Enable/Disable: To maintain the password when enabling or disabling an account, you don't need to modify the password-related attributes in the JSON payload. You can simply enable or disable the account without changing the password. Here's an example JSON payload for enabling or disabling an account:

For disabling an account:

{
  "userName": "exampleUser",
  "enabled": false
}

For enabling an account:

{
  "userName": "exampleUser",
  "enabled": true
}

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Regular Contributor III

@rushikeshvartak, at the time of enabling the account we need to prompt the user for a password change. How can we do that?

In Active Directory, the pwdLastSet attribute indicates when the user's password was last changed. If an account is enabled and the password change at next logon is required, the pwdLastSet attribute will be set to 0, indicating that the password must be changed at the next logon.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

https://forums.saviynt.com/t5/identity-governance/set-up-pwdlastset-in-change-password-json-in-ad/m-...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
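
The directory-level values behind both scenarios in this thread, as an added example that is not from any poster and is not Saviynt connector JSON. It assumes standard Active Directory semantics (unicodePwd is the quoted password in UTF-16LE, pwdLastSet 0 forces a change at next logon, bit 0x2 of userAccountControl disables the account); the function names and the sample account name are hypothetical.

```python
import secrets
import string

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
UF_NORMAL_ACCOUNT = 0x0200  # userAccountControl bit: ordinary user account


def random_password(length=20):
    """Random initial password with at least one character from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!#$%*+-=?@_"]
    chars = [secrets.choice(c) for c in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as the double-quoted password in UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def create_attrs(sam, password):
    """Values for a new, enabled account that must change password at first logon."""
    return {
        "sAMAccountName": sam,
        "unicodePwd": encode_unicode_pwd(password),
        "userAccountControl": UF_NORMAL_ACCOUNT,
        "pwdLastSet": 0,  # 0 = user must change password at next logon
    }


def set_enabled(current_uac, enabled, force_change=False):
    """Enable/disable by flipping only ACCOUNTDISABLE; unicodePwd is never touched."""
    if enabled:
        uac = current_uac & ~UF_ACCOUNTDISABLE
    else:
        uac = current_uac | UF_ACCOUNTDISABLE
    changes = {"userAccountControl": uac}
    if enabled and force_change:
        changes["pwdLastSet"] = 0  # existing password stays valid until changed
    return changes


if __name__ == "__main__":
    print(create_attrs("exampleUser", random_password()))  # constructed sample name
    print(set_enabled(514, True, force_change=True))
```

Active Directory accepts writes to unicodePwd only over an encrypted connection such as LDAPS.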

NM
Regular Contributor III

@rushikeshvartak Understood. What about at the time of account creation? Do we have to explicitly pass "unicodePwd" in the create account JSON, or will the password be set if we have defined a password policy?

NM
Regular Contributor III

Hi @rushikeshvartak @Sandeep, does Reset password in the enable account JSON reset the password, and can we send the new one to the user over email?