You may have noticed that the ‘Users - Undo Deprovision’ Access Template currently also grants the password reset permissions, i.e. the right to set the account options ‘User must change password at next logon’, ‘User cannot change password’ and ‘Password never expires’.
This is by design. An enhancement request (TF00414390) has been created detailing the feature (Allow Delegated admins to enable/disable Password Never Expires option when performing Undo-deprovision).
The workaround below requires that your deprovisioned objects are kept in a dedicated OU, because the additional Deny must be limited to those objects only.
1) Copy the ‘Users - Undo Deprovision’ Access Template and add a Deny ‘Write All Properties’ permission to the copy;
2) Apply the copy to the container that holds your deprovisioned objects.
Undo-deprovision can now be performed, but the password reset permissions (‘User must change password at next logon’, ‘User cannot change password’ and ‘Password never expires’) are no longer granted by it.
Another way to achieve the same effect is to configure a Change Workflow that is triggered by a write to edsaPasswordNeverExpires (the ActiveRoles virtual attribute behind the ‘Password never expires’ option). Note that this workflow covers only ‘Password never expires’.
The Workflow can be limited in scope using the Initiator Conditions under Workflow Options and Start Conditions, so that it applies only to the delegated admins you want to restrict.
The Workflow performs a Stop/Break activity before the primary operation is executed, so it acts as an interrupt: although the ‘Password never expires’ option is still shown, any change to it is rejected.
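Whichever of the two workarounds you apply (the Deny on the copied Access Template, or the interrupting Change Workflow), you should confirm from the delegated admin's point of view that the write is actually refused, and that it is refused only for objects in the deprovisioned OU. The script below is an added example and is not part of the original article or of the ActiveRoles product; it assumes the ActiveRoles Management Shell cmdlets (Connect-QADService, Get-QADUser, Set-QADUser), an ActiveRoles service host named ars.example.com, placeholder OU and user names, and that Get-QADUser accepts a -Deprovisioned switch to return only deprovisioned accounts. Run it under the delegated admin account, not as an ActiveRoles administrator.

```powershell
# Added verification script (not from the original article or the product).
# Assumptions: ActiveRoles Management Shell is installed; ars.example.com is the
# ActiveRoles service; OU/user names below are placeholders for your environment.
Import-Module ActiveRolesManagementShell

# Connect through the ActiveRoles proxy so that Access Templates and Workflows apply.
Connect-QADService -Proxy -Service 'ars.example.com' | Out-Null

$deprovOU = 'OU=Deprovisioned,DC=example,DC=com'   # container the copied template is applied to
$controlUser = 'CN=Control User,OU=Staff,DC=example,DC=com'   # a live user outside that OU

function Test-PasswordNeverExpiresBlocked {
    # Returns $true when ActiveRoles refuses to set 'Password never expires' on the
    # given user, $false when the write succeeds (i.e. the workaround is NOT in effect).
    param([Parameter(Mandatory)][string]$Identity)
    try {
        Set-QADUser -Identity $Identity -PasswordNeverExpires $true -ErrorAction Stop | Out-Null
        # The write went through; undo it so the test leaves the object unchanged.
        Set-QADUser -Identity $Identity -PasswordNeverExpires $false -ErrorAction SilentlyContinue | Out-Null
        return $false
    } catch {
        Write-Verbose "Refused as expected for ${Identity}: $($_.Exception.Message)"
        return $true
    }
}

# 1) Every deprovisioned user in the restricted OU should come back Blocked = True.
#    (-Deprovisioned is assumed to filter to deprovisioned accounts only.)
$results = Get-QADUser -SearchRoot $deprovOU -Deprovisioned -SizeLimit 0 |
    ForEach-Object {
        [pscustomobject]@{
            User    = $_.DN
            Blocked = Test-PasswordNeverExpiresBlocked -Identity $_.DN
        }
    }
$results | Format-Table -AutoSize

$unblocked = @($results | Where-Object { -not $_.Blocked })
if ($unblocked.Count -gt 0) {
    Write-Warning "Workaround not effective for $($unblocked.Count) deprovisioned object(s) in $deprovOU"
}

# 2) A user outside the OU must still be writable; if this returns $true the Deny (or the
#    Workflow's Initiator Conditions) is scoped too broadly and is hitting normal users.
if (Test-PasswordNeverExpiresBlocked -Identity $controlUser) {
    Write-Warning "Control user $controlUser is also blocked: check the scope of the Deny / Workflow"
} else {
    Write-Host "Scope OK: restriction applies only to $deprovOU"
}
```

If you use the Workflow variant, the refusal surfaces as the error raised by the Stop/Break activity rather than as an access-denied error from the Access Template, but the function treats both the same way: any failure of the write counts as blocked.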
The product team will evaluate the enhancement request, and the feature may become available in a future release of the product.