AD User Object Properties

Chris W

What is the user object property that corresponds to password never
expires? I am trying to delegate user account management but do not want
the administrator to be able to set the passwords to never expire.
 
Jorge de Almeida Pinto

The "password never expires" option is represented by a BIT/FLAG in
the useraccountcontrol attribute. That same attribute also contains
other bits that represent other options like "account is disabled".
So to delegate the change of the option "password never expires" to a
group (recommended) or user, you need to delegate the change to the
useraccountcontrol attribute (read permission and write permission).
The catch here is that by doing this you also allow the change of the
other BITS/FLAGS and that may not be desired by you.
Cheers,
# Jorge de Almeida Pinto #
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
 
Chris W

Thanks for the reply. Yeah I only want to remove the "password never
expires" option. It seems odd that they would be grouped together. Most
all other attributes seem to be broken out separately.
 
Jorge de Almeida Pinto

It is just the way it is. For the useraccountcontrol attribute it is all
bits/flags or none...

If that same user is a member of administrators or domain admins then removing
the permission will not do any good as members of the groups mentioned can
do ANYTHING they want!
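
Because write access to useraccountcontrol cannot be scoped to a single bit, one compensating control is to review changes to the attribute after the fact. The following is an added example, not part of the original thread: it decodes old and new useraccountcontrol values and reports any changed flag outside an assumed policy (the delegated group may only toggle ACCOUNTDISABLE). The account names, values and policy are constructed for illustration.

```python
from enum import IntFlag

class UAC(IntFlag):
    """Documented userAccountControl bits (subset relevant to user accounts)."""
    ACCOUNTDISABLE = 0x0002
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    PASSWD_CANT_CHANGE = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000

KNOWN = sum(f.value for f in UAC)
# Assumed policy: the delegated group may only enable or disable accounts.
ALLOWED = UAC.ACCOUNTDISABLE.value

def flag_names(value):
    """Names of the set bits; bits not in the table are reported in hex."""
    names = sorted(f.name for f in UAC if value & f.value)
    unlisted = value & ~KNOWN
    return names + ([f"UNLISTED_0x{unlisted:X}"] if unlisted else [])

def review_change(old, new, allowed=ALLOWED):
    """Compare two attribute values and list flags changed outside policy."""
    changed = old ^ new
    return {"set": flag_names(changed & new),
            "cleared": flag_names(changed & old),
            "violations": flag_names(changed & ~allowed)}

def audit(records):
    """Return {account: violations} for changes that touched disallowed bits."""
    findings = {}
    for account, old, new in records:
        violations = review_change(old, new)["violations"]
        if violations:
            findings[account] = violations
    return findings

# Constructed sample: (account, old value, new value)
SAMPLE = [("jdoe", 512, 514),              # disabled: within policy
          ("svc-backup", 512, 66048),      # password never expires set
          ("tmp-admin", 514, 4194816)]     # re-enabled, pre-auth turned off

if __name__ == "__main__":
    for account, flags in audit(SAMPLE).items():
        print(account, flags)
```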