Grant rights to modify account options

Each user account has a number of account options that determine security and password settings for logon and authentication. Certain account options can be set only in Active Directory domains.

Account Options

| Account option | Description | Availability |
|---|---|---|
| User must change password at next logon | Forces a user to change the password the next time the user logs in. | Active Directory / Microsoft Entra ID |
| Password never expires | Prevents a user password from expiring. | Active Directory / Microsoft Entra ID |
| Account is disabled | Prevents a user from logging on with the account. | Active Directory / Microsoft Entra ID |
| User cannot change password | Prevents a user from changing their password. | Active Directory only |
| Store passwords using reversible encryption | Determines whether a user's password is stored using reversible encryption. | Active Directory only |
| Smart card is required for interactive logon | Requires that a user possess a smart card to log in interactively. | Active Directory only |
| Account is trusted for delegation | Allows a service running under the account to perform operations on behalf of other user accounts. | Active Directory only |
| Account is sensitive and cannot be delegated | Use this option for an account that cannot be assigned for delegation by another account. | Active Directory only |
| Use DES encryption types for this account | Restricts the account to using only Data Encryption Standard (DES) encryption types for keys. | Active Directory only |
| Do not require Kerberos pre-authentication | Provides support for alternate implementations of the Kerberos protocol. | Active Directory only |

To modify account options, users must have the rights to modify the following properties of user accounts:

  • Account Options (userAccountControl)

  • Password Last Set (pwdLastSet)

  • User Cannot Change Password (adm-CanNotChangePassword)

The permissions to modify account options, like any other permissions in Adaxes, are granted with the help of security roles. In this tutorial, you will learn how to add the permissions to an existing security role.

Permissions granted by security roles are effective only within Adaxes.

  1. Launch Adaxes Administration console.

     How:
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Security Roles and select the security role you want to modify.

  3. In the Permissions section on the right, click Add.

  4. In the Add Permissions dialog, do the following:

    • In the list of object types on the left, select User.

    • In the Property-specific permissions section, select the Write Account Options permission in the Allow column.

  5. The Write Account Options permission grants the right to modify all account options, except the following:

    • User must change password at next logon

    • User cannot change password

    • Password never expires

    To grant the rights to modify Password never expires and User cannot change password, add the Write Password Last Set and Write User Cannot Change Password permissions accordingly.

    Click OK.

  6. Click Save changes.
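
To review which of these options are actually set on accounts once the right to change them has been delegated, the added example below (not part of the Adaxes documentation) decodes them from the userAccountControl and pwdLastSet properties named earlier. The bit values are the standard Active Directory userAccountControl flags; the function names and account records are constructed for illustration. User cannot change password is left out because it is not read from either property.

```python
# Standard Active Directory userAccountControl bits -> account option names.
UAC_OPTIONS = {
    0x000002: "Account is disabled",
    0x000080: "Store passwords using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive logon",
    0x080000: "Account is trusted for delegation",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use DES encryption types for this account",
    0x400000: "Do not require Kerberos pre-authentication",
}

# Options that weaken authentication or widen delegation; worth reviewing
# on any account after the right to set them has been handed out.
REVIEW_BITS = 0x80 | 0x10000 | 0x80000 | 0x200000 | 0x400000


def account_options(uac, pwd_last_set):
    """Return the names of the account options enabled on one account."""
    options = []
    # pwdLastSet = 0 is how AD records "must change password at next logon".
    if int(pwd_last_set) == 0:
        options.append("User must change password at next logon")
    options += [name for bit, name in UAC_OPTIONS.items() if int(uac) & bit]
    return options


def audit(accounts):
    """Map account name -> enabled options that fall under REVIEW_BITS."""
    findings = {}
    for name, uac, _pwd_last_set in accounts:
        risky = [n for bit, n in UAC_OPTIONS.items() if uac & bit & REVIEW_BITS]
        if risky:
            findings[name] = risky
    return findings


# Constructed sample records: (sAMAccountName, userAccountControl, pwdLastSet)
SAMPLE = [
    ("jdoe", 512, 133500000000000000),  # normal account, nothing set
    ("svc-legacy", 512 | 0x10000 | 0x400000, 133400000000000000),
    ("newhire", 512 | 0x2, 0),  # disabled, must change password
]

if __name__ == "__main__":
    for user, risky in audit(SAMPLE).items():
        print(user, "->", "; ".join(risky))
```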