Forcing Password Change on First Login

This is very basic functionality that we want to implement. When a new user logs in for the first time, he/she needs to be forced to change the password. I'm wondering if anyone has implemented this functionality.

One way of doing this would be to trigger a method whenever a user logs in, and if the last login date is null, it sets it to something past the refresh time limit. However, I am not aware of a trigger that can be invoked when a user logs in. The trigger will have to be invoked before the login is complete. 

Kamran Aftab

Nidec Motor Corporation

  • Kamran,

    The easiest way would, I believe, be to set the pwd_is_set_on property of the user to be something older than the maximum password age. This could either be done manually by the admin who creates the user in the system (though the pwd_is_set_on property would need a corresponding field in the user form) or by setting the default value for the user itemtype to something like "2000-01-01T00:00:00" so that every new user will need to change their password upon login.

    Once they do change their password, pwd_is_set_on will update to the current date, and they'll be able to log in freely until the natural expiration of that password. This approach has the advantage of not needing any custom code or method, just configuration.

    If you don't already use maximum password age, it's set by Identity, and either the identity of the individual user or the group identity they belong to will work just fine. I'd recommend using this anyway, as it's good security practice.

    Skyler C.

  • Thanks Skyler. This approach should work.