Set default account options for new users

Adaxes allows you to specify which account options are set by default when creating user accounts. The default account options determine which checkboxes are selected by default in the Account Options section on the user creation form. If a user account is created via a script or during data import, and the Account Options (userAccountControl) property is not set, the default account options are applied.

To prevent users from changing the default account options, you can customize the form used for creating user accounts. For details, see Customize forms for user creation and editing.

To set default account options, you need to use property patterns. Adaxes provides a built-in User property pattern that is applied to all user accounts by default. In this tutorial, you will learn how to use this property pattern to assign a default value for the Account Options property.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Property Patterns \ Builtin and select User.

  3. In the section located to the right, click Add and then click Account Options in the drop-down list.

  4. Specify the default values for account options and click OK.

    Some account options can be set only in Active Directory domains. If a user is created in a Microsoft Entra domain, these options will be ignored.

     Account Options availability

    | Account option | Description | Availability |
    |---|---|---|
    | User must change password at next logon | Forces a user to change the password the next time the user logs in. | Active Directory / Microsoft Entra ID |
    | Password never expires | Prevents a user password from expiring. | Active Directory / Microsoft Entra ID |
    | Account is disabled | Prevents a user from logging on with the account. | Active Directory / Microsoft Entra ID |
    | User cannot change password | Prevents a user from changing their password. | Active Directory only |
    | Store passwords using reversible encryption | Determines whether a user's password is stored using reversible encryption. | Active Directory only |
    | Smart card is required for interactive logon | Requires that a user possess a smart card to log in interactively. | Active Directory only |
    | Account is trusted for delegation | Allows a service running under the account to perform operations on behalf of other user accounts. | Active Directory only |
    | Account is sensitive and cannot be delegated | This option can be used if an account cannot be assigned for delegation by another account. | Active Directory only |
    | Use DES encryption types for this account | Allows restricting users to use only Data Encryption Standard (DES) encryption types for keys. | Active Directory only |
    | Do not require Kerberos pre-authentication | Provides support for alternate implementations of the Kerberos protocol. | Active Directory only |

  5. Click Save changes.

Any changes made to built-in property patterns can be discarded. To do so, right-click a property pattern and click Restore to Initial State in the context menu.
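
When accounts come from a script or data import, it helps to check which of the options above a given userAccountControl value actually sets. The following is an added example, not Adaxes code: it decodes the standard Active Directory userAccountControl bits into the option names from the table and reports accounts that carry options weakening authentication. The CSV column layout, the sample rows, and the choice of which options count as weakening are assumptions of the example; User must change password at next logon and User cannot change password are left out because Active Directory does not store them as a writable userAccountControl bit.

```python
import csv
import io

# userAccountControl bit values as documented by Microsoft for Active Directory.
UAC_FLAGS = {
    0x000002: "Account is disabled",
    0x000080: "Store passwords using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive logon",
    0x080000: "Account is trusted for delegation",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use DES encryption types for this account",
    0x400000: "Do not require Kerberos pre-authentication",
}

# Options treated as weakening authentication (this selection is the example's assumption).
WEAKENING = {
    "Store passwords using reversible encryption",
    "Password never expires",
    "Account is trusted for delegation",
    "Use DES encryption types for this account",
    "Do not require Kerberos pre-authentication",
}

def decode_uac(value):
    """Return the account options set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit(csv_text):
    """Map each account name to the weakening options its userAccountControl carries."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = int(row["userAccountControl"].strip(), 0)  # decimal or 0x-prefixed hex
        weak = [option for option in decode_uac(value) if option in WEAKENING]
        if weak:
            findings[row["sAMAccountName"]] = weak
    return findings

# Constructed sample export, not real directory data.
SAMPLE = """sAMAccountName,userAccountControl
jdoe,512
svc-legacy,4260352
temp01,0x10202
"""

if __name__ == "__main__":
    for account, options in audit(SAMPLE).items():
        print(account, "->", "; ".join(options))
```
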

Different patterns for different users

By default, the User property pattern is applied to the All Objects scope.

This means that the default values for Account Options will be the same for all users in all domains managed by Adaxes. If you want to apply different settings for different organizational units or domains, you need to create a separate property pattern for each OU or domain.

 How to create a property pattern
  • Right-click Property Patterns, point to New and click Property Pattern.

  • Enter a name for the new property pattern and click Next.

  • On the Object Type page, select User.

    Click Next.

  • On the Configuration page, configure options for a property and click Next.

  • On the Activity Scope step, click Add.

    Select from the following items:

    • Domain – select to apply the property pattern to all users in a specific domain.

    • OU or Container – select to apply the property pattern to users in an organizational unit or container.

    • Group – select to apply the property pattern to members of a group.

      Assignments over group members are not applied during user creation.

    • Business unit – select to apply the property pattern to members of a business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific organizational units, business units, groups, and domains from the activity scope of the property pattern. For example, if you assigned the property pattern over the whole domain, but do not want it to apply to a specific organizational unit, you can exclude the organizational unit from the activity scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog box.

     Step by step
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

  • When done, click Finish.