
Password Change at the time of termination

Ekata
New Contributor III

Hi Team,

We have a new requirement where the use case is a password change at the time of termination of an AD account.

The requirement is as follows:

  • When disabling an AD account, the password for the account should be changed at least once.

  • As a nice-to-have: Microsoft recommends changing the password a second time to mitigate the pass-the-hash attack. Ideally, we would change the password twice.

Do we have any document on the above ask or any JSON parameter which we can use in AD connection to achieve the same?

Kindly advise.

Regards,

 


rushikeshvartak
All-Star

{
"deleteAllGroups":"No",
"userAccountControl":"514",
"moveUsertoOU":"${if (user.customproperty40=='LOA'){'OU=LOA,OU=XX Users,DC=XX,DC=LOCAL'}else if(user.statuskey==0){'OU=Disable Accounts,OU=XX Users,DC=XX,DC=LOCAL'}else{'OU=On Hold User Accounts,OU=XX Users,DC=XX,DC=LOCAL'}}",
"password": "${randomPassword}"
}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks. It worked. Just a confirmation: can we set the random password twice, as per the Microsoft recommendation?

BrandonLucas_BF
Regular Contributor III

Probably not, because the account is now inactive and Saviynt does not allow change password tasks for inactive or disabled accounts.

I submitted this idea a while back. An upvote if you desire this functionality would help!

 

Change Password task generation for inactive | Saviynt Ideas Portal

Thanks for the response.
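The thread leaves the second reset unsolved on the Saviynt side, so one way to cover it is directly against AD after the disable. This is an added example, not code from the thread or from Saviynt; it assumes the RSAT ActiveDirectory module and reset-password rights, and the function names, the character set and the account `jdoe.example` are hypothetical.

```powershell
# Added example: disable an AD account (if not already disabled) and reset its
# password twice with independent random values that are never stored or shown.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)
    # Character set is an assumption of this example; align it with the domain policy.
    # Modulo selection has a slight bias, which is acceptable for a throwaway value.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_=?'.ToCharArray()
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $secure = New-Object System.Security.SecureString
    foreach ($b in $bytes) { $secure.AppendChar($chars[$b % $chars.Length]) }
    $secure.MakeReadOnly()
    return $secure
}

function Reset-TerminatedAccountPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable and reset password twice')) {
        if ($user.Enabled) {
            # Same order as the thread: the account is disabled first.
            Disable-ADAccount -Identity $user -ErrorAction Stop
        }
        foreach ($pass in 1..2) {
            # -Reset is an administrative reset, so the old password is not needed.
            Set-ADAccountPassword -Identity $user -Reset `
                -NewPassword (New-RandomPassword) -ErrorAction Stop
        }
    }
    # Return the resulting state as evidence for the offboarding record.
    Get-ADUser -Identity $user -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

# Dry run against a placeholder account; remove -WhatIf to apply.
Reset-TerminatedAccountPassword -Identity 'jdoe.example' -WhatIf
```

Run it after the Saviynt disable task has completed, and compare the returned `PasswordLastSet` with the task's completion time to confirm the reset landed afterwards.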