Each Active Directory user account has a number of account options that determine security and password settings for logon and authentication.
Account Option | Description |
---|---|
User must change password at next logon | Forces a user to change the password the next time the user logs in. |
User cannot change password | Prevents a user from changing their password. |
Password never expires | Prevents a user password from expiring. |
Store passwords using reversible encryption | Determines whether a user's password is stored using reversible encryption. |
Account is disabled | Prevents a user from logging on with the account. |
Smart card is required for interactive logon | Requires that a user possess a smart card to log in interactively. |
Account is trusted for delegation | Allows a service running under the account to perform operations on behalf of other user accounts. |
Account is sensitive and cannot be delegated | Use this option when the account must not be assigned for delegation by another account. |
Use DES encryption types for this account | Restricts the account to Data Encryption Standard (DES) encryption types for keys. |
Do not require Kerberos pre-authentication | Provides support for alternate implementations of the Kerberos protocol. |
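
Added example (not from the original tutorial or from Adaxes): eight of these options are stored as bits of the user's userAccountControl attribute, so a read-only check can list which options each account has set and flag the ones that weaken password storage or Kerberos protection. The account names and values are constructed sample data, and `Get-AccountOption` and the `$ReviewOptions` selection are hypothetical; "User must change password at next logon" (held in pwdLastSet) and "User cannot change password" (held in the object's ACL) are not userAccountControl bits and are not covered.

```powershell
# userAccountControl bits behind the account options in the table above.
$AccountOptionFlags = [ordered]@{
    'Account is disabled'                          = 0x00000002
    'Store passwords using reversible encryption'  = 0x00000080
    'Password never expires'                       = 0x00010000
    'Smart card is required for interactive logon' = 0x00040000
    'Account is trusted for delegation'            = 0x00080000
    'Account is sensitive and cannot be delegated' = 0x00100000
    'Use DES encryption types for this account'    = 0x00200000
    'Do not require Kerberos pre-authentication'   = 0x00400000
}

# Assumption: the options an auditor wants to review when they are set.
$ReviewOptions = @(
    'Store passwords using reversible encryption'
    'Password never expires'
    'Account is trusted for delegation'
    'Use DES encryption types for this account'
    'Do not require Kerberos pre-authentication'
)

# Hypothetical helper: returns the names of the options set in a value.
function Get-AccountOption {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    foreach ($entry in $AccountOptionFlags.GetEnumerator()) {
        if ($UserAccountControl -band $entry.Value) { $entry.Key }
    }
}

# Constructed sample accounts (0x200 is the normal-account bit).
$sample = @(
    [pscustomobject]@{ Name = 'jsmith';     UserAccountControl = 0x000200 }
    [pscustomobject]@{ Name = 'svc-legacy'; UserAccountControl = 0x410200 }
    [pscustomobject]@{ Name = 'svc-web';    UserAccountControl = 0x080200 }
    [pscustomobject]@{ Name = 'old-admin';  UserAccountControl = 0x010282 }
    [pscustomobject]@{ Name = 'vip';        UserAccountControl = 0x140200 }
)

foreach ($user in $sample) {
    $set    = @(Get-AccountOption -UserAccountControl $user.UserAccountControl)
    $review = @($set | Where-Object { $_ -in $ReviewOptions })
    [pscustomobject]@{
        Name        = $user.Name
        OptionsSet  = $set -join '; '
        NeedsReview = $review.Count -gt 0
        ReviewWhy   = $review -join '; '
    }
}
```

Against a live directory, the same function can be fed from `Get-ADUser -Filter * -Properties userAccountControl` in the ActiveDirectory module.
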
To modify account options, users must have the rights to modify the following properties of AD user accounts:
In this tutorial, you will learn how to add the permissions necessary to modify user account options to an existing Security Role.
1. Launch Adaxes Administration Console.
2. Expand Adaxes service \ Configuration \ Security Roles and select the Security Role you want to modify.
3. In the Permissions section located to the right, click Add.
4. In the Add Permissions dialog, do the following:
   - In the Property-specific permissions list, check the Write Account Options permission in the Allow column.

     The Write Account Options permission grants the right to modify all account options, except the following:

     To grant the rights to modify the three account options, you also need to add the Write Password Last Set and Write User Cannot Change Password permissions.
   - Click OK.
5. Click Save changes.