04/12/2022 12:53 PM
Hello,
Does the Saviynt AD connector support setting the attribute 'User cannot change password' when creating an AD account?
As far as I understand, this value cannot be set by modifying the UAC bits alone, hence I wanted to check.
04/12/2022 01:45 PM
Hi Suparna,
Greetings!!
In order to set "User cannot change password" while creating an AD account, you need to make some core-level changes in AD first. You basically have to add the ACEs (Access Control Entries) below to the DACL (Discretionary Access Control List) of the user object:
ADS_ACETYPE_ACCESS_DENIED_OBJECT if the user cannot change their password, or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT if the user can change their password.
Once these flags are exposed properly for user objects, you can set them to mark "User cannot change password". For more details, please refer to the Microsoft links below:
https://docs.microsoft.com/en-us/windows/win32/adsi/user-cannot-change-password
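The DACL change described in the answer above, as an added PowerShell example that is not code from this thread or from Saviynt: it verifies and, if missing, adds the deny ACEs on the User-Change-Password extended right for SELF and Everyone, which is what "User cannot change password" is at the security-descriptor level. It assumes a domain-joined host with rights to modify the user's nTSecurityDescriptor; the DN in $UserDn is a placeholder.

```powershell
$UserDn = 'CN=Test User,OU=Users,DC=example,DC=com'   # placeholder DN, replace before use

# Well-known GUID of the User-Change-Password extended right (control access right)
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
# The two trustees that the ADUC checkbox writes deny ACEs for: NT AUTHORITY\SELF and Everyone
$Trustees = @(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-10',  # SELF
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0'    # Everyone
)

function Test-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit (non-inherited) ACEs only, with trustees returned as SIDs
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    # True only when BOTH SELF and Everyone carry an explicit deny on the right
    foreach ($sid in $Trustees) {
        $denied = $rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ChangePasswordRight -and
            $_.IdentityReference -eq $sid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }
        if (-not $denied) { return $false }
    }
    return $true
}

function Set-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    foreach ($sid in $Trustees) {
        # Equivalent of ADS_ACETYPE_ACCESS_DENIED_OBJECT on the extended right
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $ChangePasswordRight)
        $entry.ObjectSecurity.AddAccessRule($rule)   # keeps the DACL in canonical order
    }
    $entry.CommitChanges()   # writes the modified nTSecurityDescriptor back to AD
}

if (-not (Test-UserCannotChangePassword $UserDn)) {
    Set-UserCannotChangePassword $UserDn
}
"User cannot change password set: $(Test-UserCannotChangePassword $UserDn)"
```

With the ActiveDirectory module, `Set-ADUser -Identity <user> -CannotChangePassword $true` writes the same two deny ACEs; the explicit version above shows what that cmdlet does and doubles as an audit check.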
04/12/2022 01:45 PM
Hello Anand,
Is the change a one-time change over the entire Active Directory, or does this change need to happen each time an account is created?
Assuming this is already done on AD - how can this value be passed from the Saviynt AD connector in the create account JSON?
04/12/2022 01:45 PM
I don't think you can do this with the AD connector, since those are not LDAP attributes that can be modified. See here https://docs.microsoft.com/en-us/windows/win32/adsi/modifying-user-cannot-change-password-ldap-provi... .
04/12/2022 01:45 PM
Yes. At present Saviynt AD Connector doesn't support it.