Grant Rights to Modify Account Options


Each Active Directory user account has a number of account options that determine security and password settings for logon and authentication.


| Account Option | Description |
| --- | --- |
| User must change password at next logon | Forces a user to change the password the next time the user logs in. |
| User cannot change password | Prevents a user from changing their password. |
| Password never expires | Prevents a user password from expiring. |
| Store passwords using reversible encryption | Determines whether a user's password is stored using reversible encryption. |
| Account is disabled | Prevents a user from logging on with the account. |
| Smart card is required for interactive logon | Requires that a user possess a smart card to log in interactively. |
| Account is trusted for delegation | Allows a service running under the account to perform operations on behalf of other user accounts. |
| Account is sensitive and cannot be delegated | Prevents the account from being assigned for delegation by another account. |
| Use DES encryption types for this account | Restricts the account to using only Data Encryption Standard (DES) encryption types for keys. |
| Do not require Kerberos pre-authentication | Provides support for alternate implementations of the Kerberos protocol. |

To modify account options, users must have the rights to modify the following properties of AD user accounts:

  • Account Options (userAccountControl),
  • Password Last Set (pwdLastSet),
  • User Cannot Change Password (adm-CanNotChangePassword).

In this tutorial, you will learn how to add the permissions necessary to modify user account options to an existing Security Role.


  1. Launch Adaxes Administration Console.
    Expand Adaxes service \ Configuration \ Security Roles and select the Security Role you want to modify.


  2. In the Permissions section located to the right, click Add.

  3. In the Add Permissions dialog, do the following:

    • Select User in the list of object types on the left.
    • In the Property-specific permissions list, check the Write Account Options permission in the Allow column.

  4. The Write Account Options permission grants the right to modify all account options, except the following:

    • User must change password at next logon,
    • User cannot change password,
    • Password never expires.

    To grant the rights to modify the three account options, you also need to add the Write Password Last Set and Write User Cannot Change Password permissions.



    Click OK.

  5. Click Save changes.

Permissions granted by Security Roles are effective only within Adaxes.
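
The permissions above let a delegate change security-relevant flags, so a reviewer may want to diff an account's userAccountControl and pwdLastSet values before and after a change to see which options moved. The following is an added example, not part of the Adaxes documentation: the bit values are the standard Active Directory userAccountControl flags, while the sample values and the choice of which changes count as weakening are assumptions made for illustration.

```python
# Added example. Bit values are the standard AD userAccountControl flags;
# sample values and the "weakening" sets are assumptions made for this example.
UAC_OPTIONS = {
    0x000002: "Account is disabled",
    0x000080: "Store passwords using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive logon",
    0x080000: "Account is trusted for delegation",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use DES encryption types for this account",
    0x400000: "Do not require Kerberos pre-authentication",
}
MUST_CHANGE = "User must change password at next logon"  # pwdLastSet == 0
# "User cannot change password" is enforced through the object's ACL in AD,
# so it cannot be decoded from these two attributes and is not covered here.

# Review heuristic (assumption): turning these on, or these off, weakens the account.
WEAKER_WHEN_SET = {UAC_OPTIONS[b] for b in (0x80, 0x10000, 0x80000, 0x200000, 0x400000)}
WEAKER_WHEN_CLEARED = {UAC_OPTIONS[b] for b in (0x2, 0x40000, 0x100000)}
# Per the page, Write Account Options alone does not cover these options.
NEEDS_EXTRA_PERMISSIONS = {MUST_CHANGE, "Password never expires"}


def account_options(uac, pwd_last_set):
    """Return the set of account options enabled by the two attribute values."""
    options = {name for bit, name in UAC_OPTIONS.items() if uac & bit}
    if pwd_last_set == 0:
        options.add(MUST_CHANGE)
    return options


def review_change(before, after):
    """Diff two (userAccountControl, pwdLastSet) pairs.

    Returns sorted tuples: (option, "enabled" | "cleared", weakens, needs_extra).
    """
    old, new = account_options(*before), account_options(*after)
    findings = []
    for name in sorted(old ^ new):
        enabled = name in new
        weakens = name in (WEAKER_WHEN_SET if enabled else WEAKER_WHEN_CLEARED)
        state = "enabled" if enabled else "cleared"
        findings.append((name, state, weakens, name in NEEDS_EXTRA_PERMISSIONS))
    return findings


# Constructed sample: a normal account (0x200) that gains two options.
SAMPLE_BEFORE = (0x000200, 133500000000000000)
SAMPLE_AFTER = (0x410200, 133500000000000000)

if __name__ == "__main__":
    for finding in review_change(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(finding)
```

The last element of each tuple marks an option that, according to the tutorial, requires the additional permissions on top of Write Account Options.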
