Password Services with Active Directory Integration
When enhanced Active Directory integration is enabled, the Policy Server manages Password Services as follows:
- Users who are locked out or disabled by the Windows Network Operating System (NOS) or whose accounts are expired in the Windows NOS are redirected by the Policy Server to the "User Is Disabled" page at login.
- Users who must change their passwords at the next login or whose passwords are expired by the Account Policies/Password Policy defined in the Default Domain Policy of the Windows NOS are redirected by the Policy Server to the password-change page after a successful login.
- User account activities, such as login successes and failures, password changes, and user enabling and disabling, in the Windows domain are recognized by Password Services and used by the Policy Server to evaluate Password Services policies.
- User account activities cause the Policy Server to update user attributes in the Active Directory user store. The Windows domain, in turn, recognizes these attribute changes.
- If the Password Services policies configured in the Policy Server determine that the user must change the password, both the Windows NOS and the Policy Server prompt the user for a password change at the next login.
- If the Password Services policies configured in the Policy Server determine that the user must be disabled, the Policy Server redirects the user to the "User Is Disabled" page at the next login.
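
When troubleshooting why a user lands on a given page, it helps to read the account state directly from the directory. The following is an added example, not product code and not a description of the Policy Server's internal logic: it maps the standard Active Directory attributes `userAccountControl`, `lockoutTime`, `accountExpires`, and `pwdLastSet` to the outcomes in the first two list items above. The function names, the `max_pwd_age_days` parameter, and the sample values are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Standard Active Directory userAccountControl bits.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never expires"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH + timedelta(microseconds=value // 10)

def to_filetime(dt):
    """Inverse of filetime(); used only to build the constructed sample values."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def predict_login_outcome(user, max_pwd_age_days, now):
    """Return the page the list above says the user reaches at login.

    user: dict of AD attributes as integers (constructed input, no LDAP call).
    max_pwd_age_days: assumed domain maximum password age; 0 means no expiry.
    """
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return "User Is Disabled page (account disabled)"
    # Simplification: any nonzero lockoutTime is treated as locked out;
    # the domain lockout duration is not evaluated here.
    if user.get("lockoutTime", 0) != 0:
        return "User Is Disabled page (account locked out)"
    expires = user.get("accountExpires", 0)
    if expires not in NEVER and filetime(expires) <= now:
        return "User Is Disabled page (account expired)"
    if user["pwdLastSet"] == 0:  # "must change password at next logon"
        return "password-change page (must change at next login)"
    if max_pwd_age_days and not uac & UF_DONT_EXPIRE_PASSWD:
        age_limit = filetime(user["pwdLastSet"]) + timedelta(days=max_pwd_age_days)
        if age_limit <= now:
            return "password-change page (password expired)"
    return "normal login"

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Constructed sample: enabled account (0x200) flagged to change its password.
    sample = {"userAccountControl": 0x200, "pwdLastSet": 0}
    print(predict_login_outcome(sample, 42, now))
```
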