User Account Management with Active Directory Integration
When enhanced Active Directory integration is enabled, the Policy Server manages Active Directory user accounts as follows:
- The Policy Server disables the accounts of users who are locked out or disabled by the Windows Network Operating System (NOS). It lists these accounts as "Disabled - administrative" in the Current Settings group box on the User Management Dialog in the Policy Server User Interface.
- You can unlock these disabled accounts in Windows by enabling them in the Current Settings group box on the User Management Dialog in the Policy Server User Interface.
- User accounts that expire from inactivity enter a native disabled state in the Policy Server that can only be changed by the Windows domain controller.
- The accounts of users whose passwords have expired enter a password-must-change-at-next-login state in the Policy Server.
- You can clear the password-must-change-at-next-login state for users in the Password group box on the User Management Dialog in the Policy Server User Interface, or users can change their own passwords. In both cases, the Windows NOS does not prompt the user for a password change at the next login.
- When the Windows NOS enables the Account Policies/Password Policy defined in the Default Domain Policy, the accounts of users whose passwords have expired enter a password-must-change-at-next-login state in the Policy Server.
Note: For more information about managing user accounts, see the Policy Server Management Guide.