Setting "User Cannot change password" when all Extended rights are denied.
I created a user in Windows 2008 Server. In the Security tab, I denied all extended rights to SELF and Everyone. This includes "Change password", and "User cannot change password" in the Account tab is not checked. Unable to change the password of the user.
When I check it manually and uncheck it, there is no change. It is being denied no matter whether I check or uncheck the value of "User cannot change password" in the Account tab.
- Santron Manibharathi
In ADUC, when you check "User cannot change password", 2 ACEs (Access Control Entries) are added to the DACL (Discretionary Access Control List) of the user to deny permission to change the password. One ACE denies the permission to the user, the other denies the permission to the group Everyone. When you uncheck this, the 2 deny ACEs are removed.
When you deny extended rights, that also denies permission to change the password. Either way, the user cannot change their own password. I can confirm that when you deny extended rights, the check box "User cannot change password" is not checked. This is how ADUC works. I think it is because a different GUID is used in the ACEs. See this article for details:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746398(v=vs.85).aspx
The GUID for "User cannot change password" is "{ab721a53-1e2f-11d0-9819-00aa0040529b}", which ADUC must use for the check box on the Account tab. The GUID (or GUIDs) for "deny extended rights" is different.
Richard Mueller - MVP Directory Services
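
Added example, not part of the original thread: a small Python audit over SDDL strings that separates the two cases described in the answer. It assumes the check box reflects only deny ACEs carrying the quoted GUID for both SELF and Everyone, and that a blanket deny of extended rights is stored as a control-access deny ACE with an empty object GUID; the function names and sample DACLs are constructed.

```python
import re

CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # GUID quoted in the answer
CONTROL_ACCESS = 0x100                       # extended-right access bit, SDDL code "CR"
TRUSTEES = {"PS": "SELF", "WD": "Everyone"}  # SDDL SID aliases

def _codes(field):
    """Split an SDDL field such as 'CRRPWP' into two-letter codes."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def _has_control_access(rights):
    if rights.lower().startswith("0x"):      # rights may also be a hex mask
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in _codes(rights)

def change_password_denials(sddl):
    """Map trustee -> set of reasons ('explicit', 'blanket') for deny ACEs."""
    found = {name: set() for name in TRUSTEES.values()}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit, sid = fields[:6]
        if ace_type not in ("D", "OD") or sid not in TRUSTEES:
            continue
        if "IO" in _codes(flags) or not _has_control_access(rights):
            continue                          # inherit-only ACEs skip this object
        if obj_guid.lower() == CHANGE_PASSWORD_GUID:
            found[TRUSTEES[sid]].add("explicit")
        elif obj_guid == "":
            found[TRUSTEES[sid]].add("blanket")   # no GUID: every extended right
    return found

def aduc_checkbox_checked(sddl):
    """Assumed ADUC rule: explicit GUID deny ACEs for both SELF and Everyone."""
    denials = change_password_denials(sddl)
    return all("explicit" in reasons for reasons in denials.values())

def change_password_blocked(sddl):
    """Any matching deny ACE blocks the change (canonical ACE order assumed)."""
    return any(change_password_denials(sddl).values())

# Constructed sample DACLs (not taken from a real directory).
CHECKBOX_DACL = ("D:(OD;;CR;%s;;WD)(OD;;CR;%s;;PS)(A;;RPWP;;;DA)"
                 % (CHANGE_PASSWORD_GUID, CHANGE_PASSWORD_GUID))
BLANKET_DACL = "D:(D;;CR;;;PS)(D;;CR;;;WD)(A;;RPWP;;;DA)"

if __name__ == "__main__":
    for name, dacl in (("checkbox", CHECKBOX_DACL), ("blanket", BLANKET_DACL)):
        print(name, aduc_checkbox_checked(dacl), change_password_blocked(dacl))
```

On the blanket-deny sample the check box test is false while the password change is still blocked, which matches the behaviour reported in the question.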