OIM11g - disable set password on first logon + force challenge questions

Hi all,
I was initially trying to work out how to stop forcing users to set their passwords on first login. Initially by using the Force Password Change at First Login flag.
I found the following in metalink:
BUG:10256559: DOCUMENT THAT XL.FORCEPASSWORDCHANGEATFIRSTLOGIN NO LONGER USED IN 11G
The system property "Force Password Change at First Login" is not used in Oracle Identity Manager 11g Release 1 (11.1.1). Setting this property has no effect.
I have also tried setting all of the flags on a user relating to this manually, but that hasn't worked either e.g.
usr_change_pwd_at_next_logon
usr_pwd_must_change
I saw the following workaround in metalink:
How To : How to Disable Change Password At Next Logon in OIM 11g
Go to EM and change the ssoEnabled flag as per below instructions
1. Go to WebLogic Domain -> <Domain Name>
2. Right click and open 'System MBean Browser'
3. In the 'System MBean Browser' left panel, go to 'oracle.iam' -> Server:<server name> --> Application:oim --> XML Config --> Config --> XMLConfig.SSOConfig --> SSOConfig
4. Set the SsoEnabled flag to 'true' and apply
Which works, however it also prevents challenge questions being forced on a user, which we want.
Does anyone know how to do this?
Thanks!

Yes, the system property doesn't work in this case. You can try this simple test case:
1. Create a new user.
2. Log in to the OIM DB and update usr set usr_change_pwd_at_next_logon=0 for the newly created user (default value is 1).
3. Commit the change in the DB.
4. Close the browser or clear the cache. Sometimes it picks the value from the cache; better to close the browser and reopen it.
5. Log in with the new user. It won't ask for the password change, but it will force the user to set the questions.

Similar Messages

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login" set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login and change my password using the correct URL. However if I point my browser at http://192.168.4.10/owa I'm prompted to login and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • Unable to change password while first logon on windows server 2008 R2 SP1 system

    Hi Team,
    The AD team has created a new account for me with the change password on first logon setting.
    When I logged in on a Windows Server 2008 R2 SP1 system with my new credentials I got an error message stating that
    "You must change your password before logging on the first time. For assistance, contact your system administrator or technical support"
    Concern:
    I do not get password change screen on first logon on the server. How should I change my password on first logon?

    Hi,
    I got resolution for above issue
    Run ==> type "tsconfig.msc" ==> double click "RDP-TCP" ==> change security layer to RDP Security layer ==> Apply ==> OK

  • How to disable change password at next logon field

    Hello,
    I want to disable the change password at next logon field, so could anyone tell me how to do that and what the column name in the USR table is for the change password at next logon field?
    Thank-You
    Rahul Shah

    For 9.x
    Open FormMetaData.xml and comment the below lines
    <Attribute name="-31" label="createuser.label.changePwdAtNextLogon" displayComponentType="CheckBox" variantType="String" dataLength="1" map="Users.Change Password At Next Logon" />
    <AttributeReference editable="true" optional="true">-31</AttributeReference>
    Now open design console go to Administration->>System Configuration and search for keyword XL.ForcePasswordChangeAtFirstLogin. Set this value to FALSE.
    Don't forget to restart the server.

  • Disable Change password on first time login in portal

    Hi Experts,
    This question is with regard to the UME user.
    Portal asks its users to change the password on the first login. How can i remove this property. whatever password the admin assigns should be used to login at all the times. The portal should not ask to change the password on first login.
    Regards,
    KM

    Hi Kaustubh,
    Refer this link:
    how to disable the "change of password" field in login page of SAP portal?
    Regards,
    jithin

  • How to disable/set password expiration to None in EBS

    HI ,
    I just clone a 11i , and was asked to set all users password not to expire . I have studied FND_USER_PKG.UPDATEUSER , but has no idea how to do it . Can anyone help ? Thanks
    Felix

    Hi;
    Please check below which could be helpful for your issue:
    Password information-Where ebs pass keep
    Re: Password information
    password expiration for EBS users
    how to set password expiration for EBS users
    password polciy
    Password policy
    Regard
    Helios

  • Forgot password for users for whom challenge questions are not set

    Hi,
    I have a scenario here where initially the environment property for force setting challenge questions during first login was not set to true.
    But it has been set to true later. But for users created prior setting this property to true, the forgot password link is taking to a page to answer challenge questions which obviously is not working.
    Is there anyway to handle this scenario without doing ADF customization? For example say, to force all previous users also to set challenge questions for whom the challenge questions are not set.

    Hi, In your scenario, since user has forgotten his/her password and he has not set his answers to questions, so the only option left is calling Help Desk. Help desk guys should educate end users that go to OIM->My Information -> Set Security Questions. This is the only easy way I can think of.
    HTH,
    ~Abhishek

  • Wwv_flow_fnd_user_api.edit_fnd_user to set change password on first use

    Hi,
    Oracle Database 11g Release 11.2.0.1.0 on Windows 2008 R2 x64
    Application Express 4.1.0.00.32
    I am importing a workspace from our dev system to 100 databases and I want to make sure the developers are not forced to change password on first login, otherwise this is going to waste a lot of time.
    I am running
    alter session set current_schema = APEX_040100;
    begin
         wwv_flow_security.g_security_group_id := 10;
         wwv_flow_security.g_user := 'ADMIN';
         wwv_flow_security.g_import_in_progress := true;
         for r in (select *
                   from apex_040100.wwv_flow_fnd_user
              where security_group_id <> 10) loop
              wwv_flow_fnd_user_api.edit_fnd_user(p_user_id => r.user_id,
                                            p_user_name => r.user_name,
                                            p_change_password_on_first_use => 'N',
                                            p_first_password_use_occurred => 'Y');
         end loop;
         commit;
         wwv_flow_security.g_import_in_progress := false;
    end;
    However, this doesn't seem to do anything and doesn't return an error either. When I query the apex_040100.wwv_flow_fnd_user table nothing has changed
    I've searched the APEX documentation (http://docs.oracle.com/cd/E23903_01/welcome.html) for wwv_flow_fnd_user_api and there is only one match that just lists the package name, not even the spec
    thanks in advance
    Robert

    Ok now I had a bit more time to look at your code.
    I would do it like this:
    declare
      t_secgrp_id     apex_040100.apex_applications.workspace_id%type;
      t_existing_appl apex_040100.apex_applications.application_id%type := <YOUR APP number HERE>;
    begin
      select workspace_id
      into   t_secgrp_id
      from   apex_applications
      where  application_id = t_existing_appl;
      wwv_flow_security.g_security_group_id := t_secgrp_id;
      wwv_flow_security.g_user := 'ADMIN';
      wwv_flow_security.g_import_in_progress := true;
      for r in (select *
                from apex_040100.wwv_flow_fnd_user
                where security_group_id = t_secgrp_id) -- "=" assumed; the operator is missing in the post
      loop
        wwv_flow_fnd_user_api.edit_fnd_user(p_user_id                      => r.user_id,
                                            p_user_name                    => r.user_name,
                                            p_change_password_on_first_use => 'N',
                                            p_first_password_use_occurred  => 'Y');
      end loop;
      commit;
      wwv_flow_security.g_import_in_progress := false;
    end;
    especially finding out the secgrp..
    Regards,
    Richard
    blog: http://blog.warp11.nl
    twitter: @rhjmartens
    If this question is answered, please mark the thread as closed and assign points where earned..

  • My kids set a password on my lock screen.  is there any way i can bypass or disable the password.

    my kids set a password on my lock screen.  is there any way i can bypass or disable the password.

    Use the Settings app.
    Settings > General > Passcode Lock > Enter the Passcode > Turn Off Passcode

  • HT4557 When I set my airplay onscreen code it disables the password and vice versa

    When trying to sync my Apple TV with my Mac...in trying to set the onscreen code the pass is nulled and when setting password the onscreen code is nulled.

    Hi,
    Normally if a Mac boots to a desktop screen with an option to enter a 4 or 6 digit code, then the machine has been locked by Find My Mac (an iCloud service).
    The only way to have this unlocked is either type in the 4 or 6 digit code that was set up on the iCloud webpage when locking the mac or take the machine to an Apple Store or authorized service provider to have them unlock the machine but they will need to verify that your account locked the machine etc.
    -Dib.

  • Setting password for Autologon Default user in registry

    Hi friends
    I don't know is this the right forum to ask this question:
    My colleagues and I are doing some exercises to improve our learning, so we have set up a test lab which has a test DC and 10 test client computers running Windows 8.1.
    As we know, when computers join a domain, the item related to Autologon is removed from netplwiz.
    I know that to be able to use the Autologon feature on joined computers, we can restore the above item by creating the required items via any method like the following:
    $regpath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    New-ItemProperty -Path $regpath -Name AutoAdminLogon -PropertyType String -Value "1" -Force
    # $env:USERDOMAIN is the PowerShell form of %USERDOMAIN%
    New-ItemProperty -Path $regpath -Name DefaultDomainName -PropertyType String -Value $env:USERDOMAIN -Force
    New-ItemProperty -Path $regpath -Name DefaultUsername -PropertyType String -Value "administrator" -Force
    The above lines provide the required info for Autologon, except the password of the user. Because of this we have to sit at every test client, open up netplwiz and manually enter the password for the default Autologon user.
    Is it possible to define the password for this user as well in the registry, so that we add it to the above lines, save them as a PS script and run that PS script on our test systems, so that we don't have to sit at each test client and manually set the password for the default user for Autologon?
    I mean I need our test clients, when we power them on, to automatically log in via domain administrator credentials and be ready to use.
    thanks
    thanks

    The documentation for this might prove helpful:
    http://technet.microsoft.com/en-us/library/cc939702.aspx
    According to the above:
    If you disable automatic logon by setting the value of AutoAdminLogon to 0, delete the value of
    DefaultPassword, which is stored and displayed in the registry editor in plain, unencrypted text.
    (Hint: I found this very quickly by searching for "autoadminlogon" using a search engine.)
    -- Bill Stewart [Bill_Stewart]
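
As an added example (not part of the original posts or of the linked documentation), a PowerShell audit for the exposure quoted above: it reports whether a DefaultPassword value is present under the Winlogon key, without ever printing the value. The function names, finding labels and sample values are hypothetical.

```powershell
# Added example: audit the Winlogon autologon values discussed in this thread.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonValues {
    # Read only the autologon-related values from the live registry.
    $names = 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword'
    $item  = Get-ItemProperty -Path $WinlogonPath -ErrorAction Stop
    $found = @{}
    foreach ($name in $names) {
        $prop = $item.PSObject.Properties[$name]
        if ($prop) { $found[$name] = $prop.Value }
    }
    $found
}

function Test-AutologonExposure {
    param(
        # Value name -> data, from Get-WinlogonValues or a constructed sample.
        [Parameter(Mandatory)] [hashtable] $Values
    )
    $enabled     = "$($Values['AutoAdminLogon'])" -eq '1'
    $hasPassword = $Values.ContainsKey('DefaultPassword') -and
                   -not [string]::IsNullOrEmpty("$($Values['DefaultPassword'])")

    if ($hasPassword -and $enabled) {
        # Autologon is active and the password is readable in the registry.
        $finding = 'PlaintextPasswordInUse'
    } elseif ($hasPassword) {
        # Autologon was switched off but DefaultPassword was left behind,
        # the case the quoted documentation says to clean up.
        $finding = 'StalePlaintextPassword'
    } elseif ($enabled) {
        # Autologon is on, but no DefaultPassword value exists in this key.
        $finding = 'AutologonWithoutRegistryPassword'
    } else {
        $finding = 'None'
    }

    # The password itself is deliberately never part of the result.
    [pscustomobject]@{
        Account          = '{0}\{1}' -f $Values['DefaultDomainName'], $Values['DefaultUserName']
        AutologonEnabled = $enabled
        PasswordStored   = $hasPassword
        Finding          = $finding
    }
}

# Constructed sample: autologon disabled, DefaultPassword never removed.
$sample = @{
    AutoAdminLogon    = '0'
    DefaultDomainName = 'LAB'
    DefaultUserName   = 'administrator'
    DefaultPassword   = 'constructed-sample-value'
}
Test-AutologonExposure -Values $sample

# On a Windows host, audit the real key as well.
if ($env:OS -eq 'Windows_NT') {
    Test-AutologonExposure -Values (Get-WinlogonValues)
}

# Cleanup for a stale value, as the quoted documentation advises:
#   Remove-ItemProperty -Path $WinlogonPath -Name DefaultPassword
```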

  • Windows 2008 Terminal Server "user must change password at next logon" problem with Windows 7 client.

    Hi,
    I have a fully patched Windows 2008 SP2 Terminal Server and a fully patched Windows 7 client.
    I have logged into the Windows 2008 SP2 Terminal Server server with a test account via RDC before.
    When I try to log in via RDC to the 2008 TS with a test account which has been marked with the setting "User must change password at next logon" I get the RDC message "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support."  I need to force the user to change their password once it has been issued, any ideas on how this can be done?
    Thanks,
    Dan

    This does not resolve my issue all the way. I'm having the same problem; when I'm "deploying" users, I always want the users to set their own passwords. Ok, so I then set the auth mode to "RDP Security layer". It seemed to work fine, and it does for that special purpose.
    Just like Daniel, my clients are connecting to our terminal server from several/different "customer-domains". So, they can't logon locally (on their local computer) and change their password; it has to be done THROUGH the terminal server.
    But if I turn on RDP Security Layer, users can't use remoteapp through tsgw; they only get: "Your Remote Desktop Connection Failed because the remote computer cannot be authenticated". Any ideas?
    Also, our terminal servers are round robin based in a farm. So users connect to: tsfarm.domain.com (yes, a public A record which resolves to two internal addresses). This is because we're using a wildcard *.domain.com as SSL certificate.
    But, when I'm using this, our clients sometimes get double auth when they login. I only get the double auth when tsfarm.domain.com resolves to server A, but the session broker wants the user to be on server B (load balancing).
    This does not occur when SSL is enforced, any ideas?

  • MDT First logon no administrator? Gpupdate?

    We got a strange issue these days: when we deploy a machine, the deployment process stops after first logon. There is no error, it just stops.
    After some research we found out that the user isn't an administrator at first logon. It seems the GPO that makes sure this account is local admin is not working properly. So if we type gpupdate /force and restart the machine the deployment process will continue as if there has been no problem at all!
    Do I need to search for a "gpupdate /force" before first time logon? Feels like a dirty way..

    Thx for the reply!
    The image is indeed sysprepped before importing in MDT.
    When I look the unattend.xml file there is indeed this command:
                <RunSynchronous>
                    <RunSynchronousCommand wcm:action="add">
                        <Description>EnableAdmin</Description>
                        <Order>1</Order>
                        <Path>cmd /c net user Administrator /active:yes</Path>
    So this seems not to be the issue. Is there something else I can look at?
    edit (some more info): We are deploying Win8.1 machines, there should be no issue with the sysprep like Win7 machines had (sysprep rearm count). The autologon is working so the account is not "disabled"; the only issue is that the user account that is logging in has no administrator privileges. After a gpupdate the user gets administrator privileges (because of a GPO setting). But it should not be that our GPO needs to give this user administrator privileges I guess (the user account needs to have admin rights before logging on the first time).

  • Open Dir, SMB, AFP, Changing Password on first login (Windows)

    Hey all...
    I've read up on some documentation but have run into a roadblock trying to set up file sharing for Open Directory user accounts with OS X Server 10.5.6.
    I have AFP and SMB (and Open dir) services enabled.
    Using all default settings I am able to share files using other Windows and OS X machines.
    Under the Open directory service settings in Server Admin, I tried to enforce that user passwords be reset on first log in.
    When I log in using OS X, I get prompted to change my password and it works fine. When I'm using Windows (XP in this case), the username/password prompt that windows presents outright rejects the initial password. So when forcing users to change passwords, Windows users can no longer log in to share files.
    I've attached the SMB log that correspond to the attempted log in from the Windows machine.
    [2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_smb_pwd_checkntlmv1(383)
    opendirectoryuser_auth_and_sessionkey gave -14161 [eDSAuthNewPasswordRequired]
    [2009/01/28 18:12:49, 0, pid=1913] /SourceCache/samba/samba-187.7/samba/source/auth/authodsam.c:opendirectory_opendirectory_ntlm_passwordcheck(598)
    I'd appreciate any advice =)

  • Disable Initial Password Reset.

    Hello;
    Is it possible to set it so that the user does not change the initial password, when created or even if the SAP Administrator resets it, the first time the user logs on to the system?
    Thanks;
    Ali Gumusoglu

    Hi Ali,
    Yes, it is possible; follow the steps below:
    1. Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
    Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
    2. Go to cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
    3. Click on the property below, set its value to FALSE and click the "SET" button.
    "ume.logon.security_policy.password_change_required = FALSE"
    4. Save.
    5. Restart the engine.
    Now
    1. Log in as an "Administrator"
    2. Create a user and define a password like "init123"
    3. Log off from "administrator"
    4. Log in with the new user; the password is "init123"
    Now the system will not ask to change the password.
    Reward points if it is useful.
    Thanks,
    Nagaraju Parlapalli
