diff --git a/lib/puppet/provider/user/hpux.rb b/lib/puppet/provider/user/hpux.rb
index c38879a1c..f2550fff4 100644
--- a/lib/puppet/provider/user/hpux.rb
+++ b/lib/puppet/provider/user/hpux.rb
@@ -1,66 +1,95 @@ Puppet::Type.type(:user).provide :hpuxuseradd, :parent => :useradd do desc "User management for HP-UX. This provider uses the undocumented `-F` switch to HP-UX's special `usermod` binary to work around the fact that - its standard `usermod` cannot make changes while the user is logged in." + its standard `usermod` cannot make changes while the user is logged in. + New functionality provides for changing trusted computing passwords and + resetting password expirations under trusted computing" defaultfor :operatingsystem => "hp-ux" confine :operatingsystem => "hp-ux" commands :modify => "/usr/sam/lbin/usermod.sam", :delete => "/usr/sam/lbin/userdel.sam", :add => "/usr/sam/lbin/useradd.sam" options :comment, :method => :gecos options :groups, :flag => "-G" options :home, :flag => "-d", :method => :dir verify :gid, "GID must be an integer" do |value| value.is_a? Integer end verify :groups, "Groups must be comma-separated" do |value| value !~ /\s/ end has_features :manages_homedir, :allows_duplicates, :manages_passwords def deletecmd super.insert(1,"-F") end def modifycmd(param,value) - super.insert(1,"-F") + cmd = super(param, value) + cmd << "-F" + if trusted then + # Append an additional command to reset the password age to 0 + # until a workaround with expiry module can be found for trusted + # computing. 
+ cmd << ";" + cmd << "/usr/lbin/modprpw" + cmd << "-v" + cmd << "-l" + cmd << "#{resource.name}" + end + cmd end def password # Password management routine for trusted and non-trusted systems #temp="" while ent = Etc.getpwent() do if ent.name == resource.name temp=ent.name break end end Etc.endpwent() if !temp return nil end ent = Etc.getpwnam(resource.name) if ent.passwd == "*" # Either no password or trusted password, check trusted file_name="/tcb/files/auth/#{resource.name.chars.first}/#{resource.name}" if File.file?(file_name) # Found the tcb user for the specific user, now get passwd File.open(file_name).each do |line| if ( line =~ /u_pwd/ ) temp_passwd=line.split(":")[1].split("=")[1] ent.passwd = temp_passwd return ent.passwd end end else debug "No trusted computing user file #{file_name} found." end else return ent.passwd end end + + def trusted + # Check to see if the HP-UX box is running in trusted compute mode + # UID for root should always be 0 + trusted_sys = exec_getprpw('root','-m uid') + if trusted_sys.chomp == "uid=0" + return true + else + return false + end + end + + def exec_getprpw(user,opts) + Puppet::Util::Execution.execute("/usr/lbin/getprpw #{opts} #{user}", { :combine => true }) + end end diff --git a/spec/unit/provider/user/hpux_spec.rb b/spec/unit/provider/user/hpux_spec.rb index 249ce5b48..b9e9275d6 100755 --- a/spec/unit/provider/user/hpux_spec.rb +++ b/spec/unit/provider/user/hpux_spec.rb 
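Review bot: In `modifycmd`, the trusted branch appends `";"` and the `modprpw` arguments to the same array as the `usermod.sam` command, so whether `modprpw` ever runs depends on how that array is executed. If it is run as an argv list without a shell, `;` and everything after it reach `usermod.sam` as literal arguments; if it is joined and handed to a shell, `resource.name` lands unquoted in a shell command line. The spec in this commit expects the array form with `';'` as an element, which suggests the first case, but the code that executes the array is in the parent provider, outside this hunk. Running the reset as its own call after the modify succeeds, e.g. `execute(['/usr/lbin/modprpw', '-v', '-l', resource.name])`, avoids both problems. `exec_getprpw` has the same shape and would be safer passing an argument array than the interpolated string `"/usr/lbin/getprpw #{opts} #{user}"`.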
@@ -1,52 +1,73 @@ #!/usr/bin/env ruby require 'spec_helper' require 'etc' provider_class = Puppet::Type.type(:user).provider(:hpuxuseradd) describe provider_class, :unless => Puppet.features.microsoft_windows? do let :resource do Puppet::Type.type(:user).new( :title => 'testuser', :comment => 'Test J. User', :provider => :hpuxuseradd ) end let(:provider) { resource.provider } it "should add -F when modifying a user" do resource.stubs(:allowdupe?).returns true provider.expects(:execute).with { |args| args.include?("-F") } provider.uid = 1000 end it "should add -F when deleting a user" do provider.stubs(:exists?).returns(true) provider.expects(:execute).with { |args| args.include?("-F") } provider.delete end context "managing passwords" do let :pwent do Struct::Passwd.new("testuser", "foopassword") end before :each do Etc.stubs(:getpwent).returns(pwent) Etc.stubs(:getpwnam).returns(pwent) + resource.stubs(:command).with(:modify).returns '/usr/sam/lbin/usermod.sam' end it "should have feature manages_passwords" do provider_class.should be_manages_passwords end it "should return nil if user does not exist" do Etc.stubs(:getpwent).returns(nil) provider.password.must be_nil end it "should return password entry if exists" do provider.password.must == "foopassword" end end + + context "check for trusted computing" do + before :each do + provider.stubs(:command).with(:modify).returns '/usr/sam/lbin/usermod.sam' + end + + it "should add modprpw to modifycmd if Trusted System" do + resource.stubs(:allowdupe?).returns true + provider.expects(:exec_getprpw).with('root','-m uid').returns('uid=0') + provider.expects(:execute).with(['/usr/sam/lbin/usermod.sam', '-u', 1000, '-o', 'testuser', '-F', ';', '/usr/lbin/modprpw', '-v', '-l', 'testuser']) + provider.uid = 1000 + end + + it "should not add modprpw if not Trusted System" do + resource.stubs(:allowdupe?).returns true + provider.expects(:exec_getprpw).with('root','-m uid').returns('System is not trusted') + 
provider.expects(:execute).with(['/usr/sam/lbin/usermod.sam', '-u', 1000, '-o', 'testuser', '-F']) + provider.uid = 1000 + end + end end
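Review bot: The existing example `should add -F when modifying a user` does not stub `exec_getprpw`, yet by the logic of the new examples `provider.uid = 1000` now goes through `modifycmd` and `trusted`, so it would invoke the real `/usr/lbin/getprpw` on whatever host runs the suite. Adding `provider.stubs(:exec_getprpw).returns('System is not trusted')` to that example keeps it hermetic. The `before` block in `managing passwords` stubs `command` on `resource`, while the new context stubs it on `provider`. The former looks unused, since those examples only call `provider.password`.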