AD password expires sync to Workspace

We use AD to manage our Workspace accounts. We have the password sync installed so when a user changes a password using our AD site it syncs it to Workspace. Works great.

Now with our auditors we are setting our passwords to expire after a certain amount of time. Our site will email the users when the password is getting close to expiring and alert them to change it. So if the user does NOT change the password then their AD password expires and they have to contact IT to reactivate it. Works great except that the expiration of a password does not sync to Workspace, so the user can still use all parts of Workspace even though the password in AD has expired. Auditors are going to have a field day with this. Is there any way to do this, or is this a feature that can be added?

If I have posted this in the wrong locations then could you direct me to the correct place?

Thanks,

Randall


Hello Randall,

We have the exact same issue, still digging to find a solution.
I'll let you know if I find something.

I know this is a two year old thread, and I hope you have found a solution, but if you have not, then the following may work.

I am making the following assumption: you have a scheduled task that runs periodically which checks when end user passwords are nearing their expiration date, and sends them an email when nearing that time. As a result you have a script that already checks that data point in AD. 

The above being the case I would look into using GAMADV-XTD3 - https://github.com/taers232c/GAMADV-XTD3 - to:

A. Suspend the user account and expire all the session cookies - downside, all mail bounces after that point. Google does not have an account state, that I have found yet, that allows me as an admin to lock someone out while still allowing normal mail flow.  As a result, I would propose B, an approximation of what we end up using for user account management.

B. Reset the user's password to some randomized and long string of characters, and also reset their session cookies. This method cuts off access, while still allowing normal mail flow. When your user calls in, you can set them to reset their AD password on the next login while resetting their password. The Google password sync will run, and they will be able to access their email again.

Installing gam on a central machine, and using scheduled tasks with a service account that has access to the credentials file, was relatively straightforward to set up.
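The scheduled task described in the reply above, written out as an added PowerShell example (not code from the thread or from the GAMADV-XTD3 project): it queries AD for enabled users whose password has already expired, then applies "option B" through GAM, a random Google password followed by a sign-out of existing sessions, so Workspace access stops while mail keeps flowing. The OU path, the gam.exe location, the log file path and the `Restore-ADUserPassword` helper are assumptions for illustration; the `gam update user ... password random` and `gam user ... signout` commands are GAMADV-XTD3's own.

```powershell
# Added example, not from the original thread.
# Locks Workspace access for users whose AD password has expired, using the
# "option B" approach: random Google password + sign-out, so mail still flows.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=corp,DC=example'      # assumption: OU holding synced users
$GamPath    = 'C:\GAMADV-XTD3\gam.exe'           # assumption: GAM install path
$LogPath    = 'C:\Logs\workspace-lockout.log'    # assumption: audit log location
$DryRun     = $true                              # set to $false once the candidate list looks right

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Returns enabled users (with expiring passwords) whose AD password has already expired.
# msDS-UserPasswordExpiryTimeComputed is a constructed attribute holding the expiry
# as a FILETIME; 0 and Int64.MaxValue both mean "never expires" and are skipped.
function Get-ExpiredPasswordUsers {
    $never = [Int64]::MaxValue
    Get-ADUser -SearchBase $SearchBase `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $never) { return }
        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -le (Get-Date)) {
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                Mail           = $_.mail
                ExpiredOn      = $expires
            }
        }
    }
}

# Runs one GAM command and fails loudly on a non-zero exit. GAM reads its credentials
# from the calling account's config directory, so the scheduled task must run as the
# service account that owns that config (as the reply above describes).
function Invoke-Gam([string[]]$GamArgs) {
    if ($DryRun) { Write-Log "DRYRUN gam $($GamArgs -join ' ')"; return }
    & $GamPath @GamArgs
    if ($LASTEXITCODE -ne 0) { throw "gam $($GamArgs -join ' ') exited with $LASTEXITCODE" }
}

# Option B: replace the Google password with a random one, then revoke existing sessions.
function Lock-WorkspaceUser([string]$Mail) {
    Invoke-Gam @('update', 'user', $Mail, 'password', 'random')
    Invoke-Gam @('user', $Mail, 'signout')
}

# Helpdesk restore path (hypothetical helper): set a temporary AD password that must be
# changed at next logon. The AD-to-Workspace password sync then pushes the user's new
# password to Google and re-opens their access.
function Restore-ADUserPassword([string]$SamAccountName, [SecureString]$TempPassword) {
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $TempPassword
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Write-Log "RESET AD password for $SamAccountName; change required at next logon"
}

foreach ($u in Get-ExpiredPasswordUsers) {
    if (-not $u.Mail) {
        Write-Log "SKIP $($u.SamAccountName): no mail attribute, cannot map to a Workspace account"
        continue
    }
    try {
        Lock-WorkspaceUser -Mail $u.Mail
        Write-Log "LOCKED $($u.Mail) (AD password expired $($u.ExpiredOn.ToString('u')))"
    } catch {
        Write-Log "ERROR $($u.Mail): $($_.Exception.Message)"
    }
}
```

Two caveats worth knowing before scheduling this. First, the loop re-randomizes the Google password on every run for anyone whose AD password is still expired; that is harmless but noisy in the audit log, so if you want a single lockout event per user, record the lockout (for example in an AD extension attribute) and skip users already marked. Second, a user only leaves the expired set once the helpdesk resets their AD password, which is exactly the point: the AD state stays the single source of truth, and the Google side follows it through the password sync on the next change.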
