AD User Object Properties

  • Thread starter: Chris W

Chris W

What is the user object property that corresponds to password never
expires? I am trying to delegate user account management but do not want
the administrator to be able to set the passwords to never expire.
 
The "password never expires" option is represented by a BIT/FLAG in
the useraccountcontrol attribute. That same attribute also contains
other bits that represent other options like "account is disabled".
So to delegate the change of the option "password never expires" to a
group (recommended) or user, you need to delegate the change to the
useraccountcontrol attribute (read permission and write permission).
The catch here is that by doing this you also allow the change of the
other BITS/FLAGS and that may not be desired by you.
Cheers,
# Jorge de Almeida Pinto #
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
 
Thanks for the reply. Yeah I only want to remove the "password never
expires" option. It seems odd that they would be grouped together. Most
all other attributes seem to be broken out separately.
 
It is just the way it is. For the useraccountcontrol attribute it is all
bits/flags or none...

If that same user is a member of administrators or domain admins then removing
the permission will not do any good as members of the groups mentioned can
do ANYTHING they want!
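
Since write access to useraccountcontrol covers every bit in it, a delegation like the one discussed in this thread can only be checked after the fact. The following is an added example, not part of the original thread: it diffs old and new useraccountcontrol values and reports any changed bit outside an allowed set. The flag values are the ones Microsoft documents; the account names, sample values and the allowed-bits policy are constructed assumptions.

```python
# userAccountControl bits (Microsoft-documented values; subset for brevity).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
}
KNOWN_MASK = sum(UAC_FLAGS.values())

# Assumed policy: the delegated group should only enable/disable accounts.
ALLOWED_MASK = UAC_FLAGS["ACCOUNTDISABLE"]

def flag_names(value):
    """Names of the flags set in a bitmask; bits not in the table as hex."""
    names = sorted(n for n, bit in UAC_FLAGS.items() if value & bit)
    rest = value & ~KNOWN_MASK
    return names + ([hex(rest)] if rest else [])

def review_change(old, new, allowed=ALLOWED_MASK):
    """Diff two userAccountControl values and list out-of-policy bits."""
    changed = old ^ new  # every bit that differs between the two values
    return {
        "set": flag_names(changed & new),
        "cleared": flag_names(changed & old),
        "violations": flag_names(changed & ~allowed),
    }

# Constructed sample data: (account, old value, new value).
SAMPLE_CHANGES = [
    ("jdoe", 0x200, 0x202),          # disabled only: within policy
    ("svc-backup", 0x200, 0x10200),  # password set to never expire
    ("asmith", 0x202, 0x410200),     # re-enabled, plus two other bits
]

def audit(changes):
    """Return only the changes that touched bits outside the allowed mask."""
    reviewed = {name: review_change(old, new) for name, old, new in changes}
    return {name: r for name, r in reviewed.items() if r["violations"]}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_CHANGES).items():
        print(name, result)
```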
 