0 votes

We are getting the following error when running the Expired Passwords report.

Running the report as a full admin works. I believe the error has to do with permissions but not sure which ones are needed to view this report.

by (590 points)

1 Answer

0 votes
by (216k points)


The error occurs because the user who is trying to generate the report does not have sufficient permissions to view password policies applied in the domain(s) where the user runs the report. By default, the permission is granted by the built-in Domain User Security Role that grants the permission to view all objects. However, if you disabled or changed the Role, to remedy the issue, you need to create a Security Role that grants the permission to read the Max Password Age property of domains. To create such a Security Role:

  1. Create a new Security Role.
  2. On the 2nd step of the Create Security Role wizard, click Add.
  3. In the dialog box that appears, switch the radio button to Only selected object types.
  4. Check the Show all object types option.
  5. Select the Domain-DNS object type.
  6. In the Property-specific permissions section, check the Show all properties option.
  7. Check the Read 'Max Password Age' Property permission in the Allow column.
  8. On the 3rd step, you need to select the users or groups who need to run the report, and include the necessary domains in the Assignment Scope.
  9. Click Finish.

In Adaxes 2013.2 users will no longer need to be able to view Password Policies when generating such a report, and you will no longer need to grant such a permission.


Glad I asked because that was buried. Thank you.



Yesterday, we released Adaxes 2013.2 that contains a fix for the issue. Now, users do not need to be granted the permission to read the Max Password Age property of domains to be able to run the Expired Passwords Report, and you can get rid of the workaround provided in the above post. You can download Adaxes 2013.2 here.

Upgrade Instructions.

For a complete list of new features and improvements, see What's New.
