@Override public void raiseEvent(Object event) { // Used in ActiveDirectory to put account into "enabled" state (aka userAccountControl=512, see http://support.microsoft.com/kb/305144/en ) after password update. If value is -1, it's ignored if (updateUserAccountAfterPasswordUpdate && event instanceof CredentialUpdatedEvent) { CredentialUpdatedEvent credEvent = ((CredentialUpdatedEvent) event); PartitionManager partitionManager = credEvent.getPartitionMananger(); IdentityContext identityCtx = (IdentityContext)partitionManager.createIdentityManager(); CredentialStore store = ((StoreSelector)partitionManager).getStoreForCredentialOperation(identityCtx, credEvent.getCredential().getClass()); if (store instanceof LDAPIdentityStore) { LDAPIdentityStore ldapStore = (LDAPIdentityStore)store; LDAPOperationManager operationManager = ldapStore.getOperationManager(); User picketlinkUser = (User) credEvent.getAccount(); String userDN = ldapStore.getBindingDN(picketlinkUser, true); ModificationItem[] mods = new ModificationItem[1]; BasicAttribute mod0 = new BasicAttribute("userAccountControl", "512"); mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, mod0); operationManager.modifyAttribute(userDN, mod0); logger.debug("Attribute userAccountControls switched to 512 after password update of user " + picketlinkUser.getLoginName()); } else { logger.debug("Store for credential updates is not LDAPIdentityStore. Ignored"); } } } }