
Password validity period in password Policy

Hi,

I use OIM 8.0.

I created a password policy for AD, and the validity period depends on IdentityType in table ADSAccount: 30 days for IdentityType="Service" and 365 days for IdentityType="Admin".

However, I can't create different password policies for different IdentityTypes in the same domain.

I can assign different password policies only to different domains.

How can I solve this problem? Maybe I can use a script where I calculate the validity period according to the properties of the ADSAccount object.

  • What is the end that you are trying to achieve?

    This is not supported out of the box. One approach might be to segregate your service accounts and admins into specific OUs, then use specific password policies on those OUs. Otherwise, yes, you will have to write custom scripts to check the validity period.

    Note, too, that the actual password expiration will be set by Active Directory and the password policy for the domain.

  • We have different types of accounts in AD. Passwords for Service accounts should be changed once a year. Passwords for user accounts should be changed once a month. And accounts with different types can be in the same OU.

    "Note, too, that the actual password expiration will be set by Active Directory and the password policy for the domain" - you mean that the period which we set in the password policy in OIM doesn't make sense for AD? This period is only for OIM, and we can't set any password period for AD accounts by means of OIM?

    You said I can use a custom script, but I can't understand where I should execute it... Maybe I can change the policy object in the password validation script (it seems to me that this is a very bad idea).

  • You mean that the period which we set in the password policy in OIM doesn't make sense for AD? This period is only for OIM, and we can't set any password period for AD accounts by means of OIM?

    It means that the history and password expiration settings inside the Password Policies are for validation inside OneIM only, and AD doesn't care about whatever you set here. To do that, you would need to implement a password filter and install it on every DC in the AD. The One Identity Password Manager has such a component for AD.
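The two points made in this thread, that a per-IdentityType validity period has to be checked by a custom script, and that AD only enforces its own domain maxPwdAge regardless of what the tool's policy says, can be illustrated with a small reporting script. The following is an added example, not code from One Identity Manager or from anyone in the thread. It assumes the Service/Admin periods from the opening post (30 and 365 days), a made-up 90-day fallback for other types, a raw `pwdLastSet` FILETIME value and `userAccountControl` flags as read from AD, and a constructed set of sample accounts; the dataclass names, `check_account` and `domain_max_age_days` are all assumptions.

```python
"""Per-IdentityType password validity report (added example, not One Identity code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# pwdLastSet is stored as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bits (well-known AD flag values).
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWD = 0x10000

# Assumed validity period in days per ADSAccount.IdentityType; the Service and
# Admin values are the ones stated in the opening post, the fallback is assumed.
VALIDITY_DAYS = {"Service": 30, "Admin": 365}
DEFAULT_VALIDITY_DAYS = 90


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a raw pwdLastSet value; 0 means 'must change password at next logon'."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, done in integer arithmetic so it stays exact."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


@dataclass
class AdsAccount:
    sam_account_name: str
    identity_type: str          # the ADSAccount.IdentityType column from the thread
    pwd_last_set: int           # raw FILETIME as read from AD
    user_account_control: int   # raw UAC bit mask as read from AD


@dataclass
class Finding:
    sam_account_name: str
    status: str                       # ok | overdue | must_change | never_expires
    validity_days: int                # the per-type period the tool enforces
    days_since_change: Optional[int]
    ad_expires_at: Optional[datetime]  # what AD itself will do, from domain maxPwdAge


def check_account(acct: AdsAccount, now: datetime, domain_max_age_days: int) -> Finding:
    """Evaluate one account against its per-type period and, separately, AD's own expiry."""
    validity = VALIDITY_DAYS.get(acct.identity_type, DEFAULT_VALIDITY_DAYS)
    last_set = filetime_to_datetime(acct.pwd_last_set)

    if acct.user_account_control & DONT_EXPIRE_PASSWD:
        # AD will never expire this password, so the per-type period can only be
        # enforced by a process outside AD; surface it for review.
        age = (now - last_set).days if last_set else None
        return Finding(acct.sam_account_name, "never_expires", validity, age, None)
    if last_set is None:
        return Finding(acct.sam_account_name, "must_change", validity, None, None)

    age_days = (now - last_set).days
    ad_expires_at = last_set + timedelta(days=domain_max_age_days)
    status = "overdue" if age_days > validity else "ok"
    return Finding(acct.sam_account_name, status, validity, age_days, ad_expires_at)


def check_accounts(accounts: List[AdsAccount], now: datetime,
                   domain_max_age_days: int) -> List[Finding]:
    return [check_account(a, now, domain_max_age_days) for a in accounts]


# Constructed sample accounts (not real data), evaluated at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # Service account changed 35 days ago: overdue under the 30-day rule, but a
    # 42-day domain maxPwdAge means AD will not expire it for another week.
    AdsAccount("svc-backup", "Service",
               datetime_to_filetime(NOW - timedelta(days=35)), NORMAL_ACCOUNT),
    AdsAccount("adm-jdoe", "Admin",
               datetime_to_filetime(NOW - timedelta(days=152)), NORMAL_ACCOUNT),
    AdsAccount("svc-legacy", "Service",
               datetime_to_filetime(NOW - timedelta(days=400)),
               NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD),
    AdsAccount("jdoe", "User", 0, NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for finding in check_accounts(SAMPLE_ACCOUNTS, NOW, domain_max_age_days=42):
        print(finding)
```

The `svc-backup` row is the case the last reply describes: the tool's policy says the password is overdue, while AD, which only knows its domain maxPwdAge, still considers it valid for seven more days. Accounts carrying the "password never expires" flag are reported separately because no validity period set in the tool will ever be enforced by AD for them.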