Grant rights to modify account options
Each user account has a number of account options that determine security and password settings for logon and authentication. Certain account options can be set only in Active Directory domains.
Account options { #account_options_descriptions}
| Account option | Description | Availability |
|---|---|---|
| User must change password at next logon | Forces a user to change the password the next time the user logs in. | Active Directory / Microsoft Entra ID |
| Password never expires | Prevents a user password from expiring. | Active Directory / Microsoft Entra ID |
| Account is disabled | Prevents a user from logging on with the account. | Active Directory / Microsoft Entra ID |
| User cannot change password | Prevents a user from changing their password. | Active Directory only |
| Store passwords using reversible encryption | Determines whether a user's password is stored using reversible encryption. | Active Directory only |
| Smart card is required for interactive logon | Requires that a user possess a smart card to log in interactively. | Active Directory only |
| Account is trusted for delegation | Allows a service running under the account to perform operations on behalf of other user accounts. | Active Directory only |
| Account is sensitive and cannot be delegated | This option can be used if an account cannot be assigned for delegation by another account. | Active Directory only |
| Use DES encryption types for this account | Allows restricting users to use only Data Encryption Standard (DES) encryption types for keys. | Active Directory only |
| Do not require Kerberos pre-authentication | Provides support for alternate implementations of the Kerberos protocol. | Active Directory only |
To modify account options, users must have the rights to modify the following properties of user accounts:
-
Account options (userAccountControl)
-
Password last set (pwdLastSet)
-
User cannot change password (adm-CanNotChangePassword)
The permissions to modify account options, like any other permissions in Adaxes, are granted with the help of security roles. In this tutorial, you will learn how to add the permissions to an existing security role.
Permissions granted by security roles are effective only within Adaxes.
-
Launch Adaxes administration console.
How
-
On the computer where Adaxes administration console is installed, open Windows Start menu.
-
Click Adaxes Administration Console.
-
-
Expand Adaxes service \ Configuration \ Security Roles and select the security role you want to modify.
-
In the Permissions section on the right, click Add.
-
In the Add Permissions dialog, do the following:
-
In the list of object types on the left, select User.
-
In the Property-specific permissions section, select the Write Account Options permission in the Allow column.
-
-
The Write Account Options permission grants the right to modify all account options, except the following:
-
User must change password at next logon
-
User cannot change password
-
Password never expires
To grant the rights to modify Password never expires and User cannot change password, add the Write Password last set and Write User cannot change password permissions accordingly.
Click OK.
-
-
Click Save changes.