OIM11g - disable set password on first logon + force challenge questions
Hi all,
I was initially trying to work out how to stop forcing users to set their passwords on first login. Initially by using the Force Password Change at First Login flag.
I found the following in metalink:
BUG:10256559: DOCUMENT THAT XL.FORCEPASSWORDCHANGEATFIRSTLOGIN NO LONGER USED IN 11G
The system property "Force Password Change at First Login" is not used in Oracle Identity Manager 11g Release 1 (11.1.1). Setting this property has no effect.
I have also tried setting all of the flags on a user relating to this manually, but that hasn't worked either e.g.
usr_change_pwd_at_next_logon
usr_pwd_must_change
I saw the following workaround in metalink:
How To : How to Disable Change Password At Next Logon in OIM 11g
Go to EM and change the ssoEnabled flag as per below instructions
1. Go to WebLogic Domain -> <Domain Name>
2. Right click and open 'System MBean Browser'
3. In the 'System MBean Browser' left panel, go to 'oracle.iam' -> Server:<server name> --> Application:oim --> XML Config --> Config --> XMLConfig.SSOConfig --> SSOConfig
4. Set the SsoEnabled flag to 'true' and apply
Which works, however it also prevents challenge questions being forced on a user, which we want.
Does anyone know how to do this?
Thanks!
yes, system property doesn't work in this case. you can try the simple test case
1. create a new user
2. login to oim db and update usr set usr_change_pwd_at_next_logon=0 for newely created user. (default value is 1)
3.commit the change in db
4. close the browser or clear cache. sometime it pick the value from cache. better close the the browser and open it
5. login with the new user it won't ask for the password change but it will force to set question.
Similar Messages
-
Hi,
I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
My setup is as follows:
outer TMG -- uses a listener for email.contoso.com and is configured for no authentication.This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
inner TMG - uses a listener for email.contoso.com and is configured for NLTM\kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and use a publishing rule to publish the internal CAS. Allow users to change
password is selected in the publishing rules.
Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
I've registered an snp for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login"
set in AD.
If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login
and change my password using the correct URL. However if I point my browser at
http://192.168.4.10/owa I'm prompted to login and I can change my password using the sam credentials.
The only recent changes made are:
- Disabling SSL 3.0 and enabling TLS (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
- Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user'spassword must be changed before logging on for the first time"
I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
If I try to use ldp.exe on the inner TMG, I get the error in the pic below
Thanks
IT Support/EverythingHi,
You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
TMG 2010 – FBA, troubleshooting the change password feature
http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
Best Regards,
Joyce -
Unable to change password while first logon on windows server 2008 R2 SP1 system
Hi Team,
Ad team has created new account for me with change password on first logon setting
When I logged in on Windows Server 2008 r2 SP1 system with my new credentials I get a error message stating that
"You must change your password before logging on the first time. For assistance, conatct your system administrator or technical support"
Concern:
I do not get password change screen on first logon on the server. How should I change my password on first logon?Hi,
I got resolution for above issue
Run ==> type "tsconfig.msc" ==> double click "RDP-TCP" ==> change security layer to
RDP Security layer ==> Apply ==> OK -
How to disable change password at next logon field
Hello,
I want to disable change password at next logon field,so could anyone tell me how to do that & what is
the column name in USR table for change password at next logon field.
Thank-You
Rahul ShahFor 9.x
Open FormMetaData.xml and comment the below lines
<Attribute name="-31" label="createuser.label.changePwdAtNextLogon" displayComponentType="CheckBox" variantType="String" dataLength="1" map="Users.Change Password At Next Logon" />
<AttributeReference editable="true" optional="true">-31</AttributeReference>
Now open design console go to Administration->>System Configuration and search for keyword XL.ForcePasswordChangeAtFirstLogin. Set this value to FALSE.
Dont forget to restart the server. -
Disable Change password on first time login in portal
Hi Experts,
This question is with regard to the UME user.
Portal asks its users to change the password on the first login. How can i remove this property. whatever password the admin assigns should be used to login at all the times. The portal should not ask to change the password on first login.
Regards,
KMHi Kaustubh,
Refer this link:
how to disable the "change of password" field in login page of SAP portal?
Regards,
jithin -
How to disable/set password expiration to None in EBS
HI ,
I just clone a 11i , and was asked to set all users password not to expire . I have studied FND_USER_PKG.UPDATEUSER , but has no idea how to do it . Can anyone help ? Thanks
FelixHi;
Please check below which could be helpful for your issue:
Password information-Where ebs pass keep
Re: Password information
password expiration for EBS users
how to set password expiration for EBS users
password polciy
Password policy
Regard
Helios -
Forgot password for users for whom challenge questions are not set
Hi,
I have a scenario here where initially the environment property for force setting challenge questions during first login was not set to true.
But it has been set to true later. But for users created prior setting this property to true, the forgot password link is taking to a page to answer challenge questions which obviously is not working.
Is there anyway to handle this scenario without doing ADF customization? For example say, to force all previous users also to set challenge questions for whom the challenge questions are not set.Hi, In your scenario, since user has forgotten his/her password and he has not set his answers to questions, so the only option left is calling Help Desk. Help desk guys should educate end users that go to OIM->My Information -> Set Security Questions. This is the only easy way I can think of.
HTH,
~Abhishek -
Hi,
Oracle Database 11g Release 11.2.0.1.0 on Windows 2008 R2 x64
Application Express 4.1.0.00.32
I am importing a workspace from our dev system to 100 databases and I want to make sure the developers are not forced to change password on first loging otherwise this is going to waste a lot of time
I am running
alter session set current_schema = APEX_040100;
begin
wwv_flow_security.g_security_group_id := 10;
wwv_flow_security.g_user := 'ADMIN';
wwv_flow_security.g_import_in_progress := true;
for r in (select *
from apex_040100.wwv_flow_fnd_user
where security_group_id <> 10) loop
wwv_flow_fnd_user_api.edit_fnd_user(p_user_id => r.user_id,
p_user_name => r.user_name,
p_change_password_on_first_use => 'N',
p_first_password_use_occurred => 'Y');
end loop;
commit;
wwv_flow_security.g_import_in_progress := false;
end;
However, this doesn't seem to do anything and doesn't return an error either. When I query the apex_040100.wwv_flow_fnd_user table nothing has changed
I've searched the APEX documentation (http://docs.oracle.com/cd/E23903_01/welcome.html) for wwv_flow_fnd_user_api and there is only one match that just lists the package name, not even the spec
thanks in advance
RobertOk now I had a bit more time to look at your code.
I would do it like this:
declare
t_secgrp_id apex_040100.apex_applications.workspace_id%type;
t_existing_appl apex_040100.apex_applications.application_id%type := <YOUR APP number HERE>;
begin
select workspace_id
into t_secgrp_id
from apex_applications
where application_id = t_existing_app;
wwv_flow_security.g_security_group_id := t_secgrp_id;
wwv_flow_security.g_user := 'ADMIN';
wwv_flow_security.g_import_in_progress := true;
for r in (select *
from apex_040100.wwv_flow_fnd_user
where security_group_id t_secgrp_id)
loop
wwv_flow_fnd_user_api.edit_fnd_user(p_user_id => r.user_id,
p_user_name => r.user_name,
p_change_password_on_first_use => 'N',
p_first_password_use_occurred => 'Y');
end loop;
commit;
wwv_flow_security.g_import_in_progress := false;
end;especially finding out the secgrp..
Regards,
Richard
blog: http://blog.warp11.nl
twitter: @rhjmartens
If this question is answered, please mark the thread as closed and assign points where earned.. -
my kids set a password on my lock screen. is there any way i can bypass or disable the password.
Use the Settings app.
Settings > General > Passcode Lock > Enter the Passcode > Turn Off Passcode -
HT4557 When I set my airplay onscreen code it disables the password and vice versa
When trying to sync my Apple TV with my Mac...in trying to set the onscreen code the pass is nulled and when setting password the onscreen code is nulled.
Hi,
Normally if a Mac boots to a desktop screen with an option to enter a 4 or 6 digit code, then the machine has been locked by Find My Mac (an iCloud service).
The only way to have this unlocked is either type in the 4 or 6 digit code that was set up on the iCloud webpage when locking the mac or take the machine to an Apple Store or authorized service provider to have them unlock the machine but they will need to verify that your account locked the machine etc.
-Dib. -
Setting password for Autologon Default user in registry
Hi friends
I don't know is this the right forum to ask this question:
me along with my colleges are doing some exercises to improve our learnings, so we have setup a test lab which has a test DC & 10 test client computers running windows 8.1
as we know, when computers join to domain, the item related to Autologon is removed from netplwiz.
I know that to be able to use Autlogon feature in joined computers, we can restore the above item by creating the required items via any method like the following:
$regpath="HKLM:\software\Microsoft\Windows NT \CurrentVersion\Winlogon "
New-ItemProperty -path $regpath -Name AutoAdminLogon -PropertyType String -Value "1" -Force
$regpath="HKLM:\software\Microsoft\Windows NT\CurrentVersion\Winlogon"
New-ItemProperty -path $regpath -Name DefaultDomainName -PropertyType String -Value %USERDOMAIN% -Force
$regpath="HKLM:\software\Microsoft\Windows NT \CurrentVersion\Winlogon "
New-ItemProperty -path $regpath -Name DefaultUsername -PropertyType String -Value “administrator” -Force
the above lines provide required info for Autologon, except the password of the user.because of this we have to sit at every test client & open up netplwiz & manually enter the password for default Autologon user.
is it possible to define the password for this user as well in the registry? so that we add it to above lines & save them as a PS script & run that PS script on our test systems so that we don't have to sit at each test client
& manually set password for default user for Autologon.
I mean I need when we power on our test clients, they automatically login via domain administrator credentials & be ready to use
thanksThe documentation for this might prove helpful:
http://technet.microsoft.com/en-us/library/cc939702.aspx
According to the above:
If you disable automatic logon by setting the value of AutoAdminLogon to 0, delete the value of
DefaultPassword, which is stored and displayed in the registry editor in plain, unencrypted text.
(Hint: I found this very quickly by searching for "autoadminlogon" using a search engine.)
-- Bill Stewart [Bill_Stewart] -
Hi,
I have a fully patched Windows 2008 SP2 Terminal Server and a fully patched Windows 7 client.
I have logged into the Windows 2008 SP2 Terminal Server server with a test account via RDC before.
When I try to log in via RDC to the 2008 TS with a test account which has been marked with the setting "User must change password at next logon" I get the RDC message "You must change your password before logging on the first time. For assistance, contact your system administrator or technical support." I need to force the user to change their password once it has been issued, any ideas on how this can be done?
Thanks,
DanThis does not resolve my issue all the way. I'm having the same problem; When i'm "deploying" users, i always want the users to set their own passwords. Ok, so I then set the auth mode to "RDP Security layer". It seemed to work fine, and it does for that
special purpose.
Just like Daniel, my clients are connecting to our terminal server from several/different "customer-domains" So, they can't logon locally(on their local computer) and change their password, it has to be done THROUGH the terminal server.
But if I turn on RDP Security Layer, users can't use remoteapp through tsgw they only get: "Your Remote Desktop Connection Failed because the remote computer cannot be authenticated" Any ideas?
Also, our terminal servers is round robin based in a farm. So users connect to: tsfarm.domain.com(yes, public a-record which resolves to two internal adresses) This is because, we're using a wilcard *.domain.com as SSL certificate.
But, when i'm using this, our clients sometimes get double auth when they login. I only get the double auth when tsfarm.domain.com resolves to server A, but the session broker wants the user to be on server B.(load balancing)
This does not occur when SSL is enforced, any ideas? -
MDT First logon no administrator? Gpupdate?
We got strange issue these days that when we deploy a machine, the deployment process stops after first logon. There is no error, it just stops.
After some research we found out that the user isn't an administrator at first logon. It seems the gpo that makes sure this account is local admin is not working properly. So if we type gpupdate /force and restart the machine the deployment process will
continue as if there has been no problem at all!
Do I need to search for a "gpupdate /force" before first time logon? Feels like a dirty way..Thx for the reply!
The image is indeed sysprepped before importing in MDT.
When I look the unattend.xml file there is indeed this command:
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Description>EnableAdmin</Description>
<Order>1</Order>
<Path>cmd /c net user Administrator /active:yes</Path>
So this seems not to be the issue. Is there something else I can look at?
edit (some more info): We are deploying Win8.1 machines, there should be no issue with the sysprep like Win7 machines had (sysprep rearm count). The autologon is working so the account is not "disabled", only issue is that the user account that is
logging in is has no administrator privileges. After a gpupdate the user gets administrator privileges (because of a gpo setting). But it should not be that our GPO needs to give this user administrator privileges I guess (user account needs to have admin
rights before logon first time). -
Open Dir, SMB, AFP, Changing Password on first login (Windows)
Hey all...
I've read up on some documentation but have run into a roadblock trying to set up file sharing for Open Directory user accounts with OS X Server 10.5.6.
I have AFP and SMB (and Open dir) services enabled.
Using all default settings I am able to share files using other Windows and OS X machines.
Under the Open directory service settings in Server Admin, I tried to enforce that user passwords be reset on first log in.
When I log in using OS X, I get prompted to change my password and it works fine. When I'm using Windows (XP in this case), the username/password prompt that windows presents outright rejects the initial password. So when forcing users to change passwords, Windows users can no longer log in to share files.
I've attached the SMB log that correspond to the attempted log in from the Windows machine.
[2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_smb_pwd_checkntlmv1(383)
opendirectoryuser_auth_and_sessionkey gave -14161 [eDSAuthNewPasswordRequired]
[2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_opendirectory_ntlm_passwordcheck(598)
I'd appreciate any advice =)Hey all...
I've read up on some documentation but have run into a roadblock trying to set up file sharing for Open Directory user accounts with OS X Server 10.5.6.
I have AFP and SMB (and Open dir) services enabled.
Using all default settings I am able to share files using other Windows and OS X machines.
Under the Open directory service settings in Server Admin, I tried to enforce that user passwords be reset on first log in.
When I log in using OS X, I get prompted to change my password and it works fine. When I'm using Windows (XP in this case), the username/password prompt that windows presents outright rejects the initial password. So when forcing users to change passwords, Windows users can no longer log in to share files.
I've attached the SMB log that correspond to the attempted log in from the Windows machine.
[2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_smb_pwd_checkntlmv1(383)
opendirectoryuser_auth_and_sessionkey gave -14161 [eDSAuthNewPasswordRequired]
[2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_opendirectory_ntlm_passwordcheck(598)
I'd appreciate any advice =) -
Disable Initial Password Reset.
Hello;
Is it possible to set that the user do not change the initial password
when created or even if the SAP Administrator reset it, the first time
the user log on the system.
Thanks;
Ali GumusogluHi Ali,
Yes, it is possible; for that follow below steps:
1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
3.Click on below property and set value is FALSE and click and "SET" button.
"ume.logon.security_policy.password_change_required = FALSE"
4.Save.
5. Restart the engine.
Now
1. Login with an "Administrator"
2. Create a user and define a password like "init123"
3. logoff from "administrator"
4. login with new user; password is "init123"
now system will not ask to change password.
Reward Points; if it is usefull.
Thanks,
Nagaraju Parlapalli
Maybe you are looking for
-
I have just recently purchased the new iPhone 4s and it is great. I am now using Siri a lot,however I don't like the fact that in the UK only the man's voice is available. I think we should have a choice of a Lady / a man assistant and not just a man
-
After a hard drive failure, trying to re-load PS and Lightroom from Adobe
Hard drive replacement means I've no Lightroom software of Photoshop. It was LR 3 so now I need it before upgrading to LR5, PS was a newer version but where do I find the Adobe proof I had bought them?
-
Since updating Safari to version 5.1.3 and later (now 5.1.5) my HP 2605dn printer balks on printing some Web page with the error message, "Document too complex to print" and I have to recycle the power and empty the print queue. This wasn't a problem
-
Hello there I recently purchased photoshop on the internet on an email, however I already have used the photoshop trial on a different adobe account. So now I have purchased adobe photoshop on an adobe account, the adobe account on creative cloud is
-
When u want to upload a photo to Facebook from iPhone it says This app doesn't have access to you photos or videos You can enable access in privacy setting I tried to fix it but it didn't work Does anyone know how to ?