
Set User Cannot change password when creating Active Directory Account

Community_User
Saviynt Employee
Originally posted on September 23 2019 at 14:38 UTC

Hello,

Does the Saviynt AD connector support setting the attribute 'User cannot change password' when creating an AD account?

As far as I understand, this value cannot be set by modifying the UAC bits alone, hence I wanted to check.

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
4 REPLIES

Community_User
Saviynt Employee
Originally posted on September 24 2019 at 08:19 UTC

Hi Suparna,

Greetings!!

In order to set "User cannot change password" while creating an AD account, you need to make some core-level changes in AD first. You basically have to add the ACEs (Access Control Entries) below to the DACL (Discretionary Access Control List) of the user object:

ADS_ACETYPE_ACCESS_DENIED_OBJECT if the user cannot change their password, or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT if the user can change their password.

Once these flags are exposed properly for user objects, you could set those flags to mark "User cannot change password". For more details, please refer to the Microsoft link below:

https://docs.microsoft.com/en-us/windows/win32/adsi/user-cannot-change-password


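As an added example, not code from the original thread or from Saviynt: a PowerShell snippet that applies the DACL change the reply above describes, placing deny ACEs for the "User-Change-Password" extended right on a user object, and then reads the result back. It assumes the RSAT ActiveDirectory module, rights to modify the object's security descriptor, and a placeholder sAMAccountName.

```powershell
# Assumes the RSAT ActiveDirectory module (provides the AD: drive and Get-ADUser).
Import-Module ActiveDirectory

# Well-known rightsGuid of the "User-Change-Password" control access right.
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Trustees the "User cannot change password" setting denies: Everyone and NT AUTHORITY\SELF.
$DeniedTrustees = @(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',   # Everyone
    [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # SELF
)

function Set-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    foreach ($sid in $DeniedTrustees) {
        # ADS_ACETYPE_ACCESS_DENIED_OBJECT: a deny ACE scoped to the extended right's GUID.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $ChangePasswordRight)
        $acl.AddAccessRule($ace)
    }

    Set-Acl -Path $path -AclObject $acl
}

function Test-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # The AD module computes CannotChangePassword from exactly these DACL entries,
    # so reading it back confirms the ACEs landed as intended.
    (Get-ADUser -Identity $SamAccountName -Properties CannotChangePassword).CannotChangePassword
}

# 'jdoe.example' is a placeholder account name, not one from the thread.
Set-UserCannotChangePassword -SamAccountName 'jdoe.example'
Test-UserCannotChangePassword -SamAccountName 'jdoe.example'
```

Because the setting lives in the object's security descriptor rather than in an LDAP attribute, a provisioning tool that only writes attributes (the connector discussed later in this thread) cannot set it; a post-creation step like this one, or the module's own `Set-ADUser -CannotChangePassword $true`, is needed.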

Community_User
Saviynt Employee
Originally posted on September 24 2019 at 16:01 UTC

Hello Anand,

Is the change a one-time change over the entire Active Directory, or does this change need to happen each time an account is created?

Assuming this is already done on AD - how can this value be passed from the Saviynt AD connector in the create account JSON?


Community_User
Saviynt Employee
Originally posted on September 27 2019 at 10:20 UTC

I don't think you can do this with the AD connector, since those are not LDAP attributes that can be modified. See here https://docs.microsoft.com/en-us/windows/win32/adsi/modifying-user-cannot-change-password-ldap-provi... .


Community_User
Saviynt Employee
Originally posted on September 27 2019 at 10:36 UTC

Yes. At present Saviynt AD Connector doesn't support it.
