12/28/2023 03:21 AM
Hi Team,
We have a new requirement where the use case is a password change at the time of termination of an AD account.
The requirement is as follows:
When disabling an AD account, the password for the account should be changed at least once.
As a nice-to-have: Microsoft recommends changing the password a second time to mitigate the pass-the-hash attack. Ideally, we would change the password twice.
Do we have any document on the above ask, or any JSON parameter which we can use in the AD connection to achieve the same?
Kindly advise.
Regards,
12/28/2023 08:30 AM
{
  "deleteAllGroups": "No",
  "userAccountControl": "514",
  "moveUsertoOU": "${if (user.customproperty40=='LOA'){'OU=LOA,OU=XX Users,DC=XX,DC=LOCAL'}else if(user.statuskey==0){'OU=Disable Accounts,OU=XX Users,DC=XX,DC=LOCAL'}else{'OU=On Hold User Accounts,OU=XX Users,DC=XX,DC=LOCAL'}}",
  "password": "${randomPassword}"
}
01/03/2024 06:06 AM
Thanks. It worked. Just to confirm: can we set the random password twice, as per the Microsoft recommendation?
01/03/2024 10:54 AM
Probably not, because the account is now inactive and Saviynt does not allow change password tasks for inactive or disabled accounts.
I submitted this idea a while back. An upvote if you desire this functionality would help!
Change Password task generation for inactive | Saviynt Ideas Portal
01/03/2024 11:14 PM
Thanks for the response.
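
The thread leaves the second reset unresolved inside Saviynt. As an added example (not Saviynt functionality and not code from any poster in this thread), the PowerShell below disables an account and then performs two random administrative resets directly against AD. It assumes the ActiveDirectory RSAT module, an operator with reset-password rights on the account, and the hypothetical function names `New-RandomSecurePassword` and `Disable-AccountWithDoubleReset`.

```powershell
# Added example: runs directly against AD, outside Saviynt.
# Assumes the ActiveDirectory (RSAT) module and reset-password rights on the account.
Import-Module ActiveDirectory

function New-RandomSecurePassword {            # hypothetical helper name
    param([int]$Length = 32)
    # One character from each class first, so a complexity policy is satisfied,
    # then the rest from the full alphabet. All draws come from a CSPRNG.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#%^&*-_=+'
    $all     = -join $classes
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes   = New-Object byte[] 4
    $secure  = New-Object System.Security.SecureString
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
            $rng.GetBytes($bytes)
            $index = [int]([BitConverter]::ToUInt32($bytes, 0) % $set.Length)
            $secure.AppendChar($set[$index])
        }
    } finally { $rng.Dispose() }
    $secure.MakeReadOnly()
    return $secure                              # never printed or logged in clear text
}

function Disable-AccountWithDoubleReset {      # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and reset password twice')) {
        Disable-ADAccount -Identity $user -ErrorAction Stop
        foreach ($round in 1..2) {
            # Administrative reset: each round discards the previous random value.
            Set-ADAccountPassword -Identity $user -Reset `
                -NewPassword (New-RandomSecurePassword) -ErrorAction Stop
        }
        # Read back the state so the change can be recorded as evidence.
        $check = Get-ADUser -Identity $user -Properties PasswordLastSet
        [pscustomobject]@{
            Account         = $check.SamAccountName
            Enabled         = $check.Enabled
            PasswordLastSet = $check.PasswordLastSet
        }
    }
}

# Dry run against a constructed account name:
# Disable-AccountWithDoubleReset -SamAccountName 'jdoe' -WhatIf
```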