Change Password Function

Estimated reading: 1 minute 558 views

The Password Change function is performed as part of the Password Change end-user transaction in Password Manager. This is done in order to perform the actual change of the password (only if the user has passed the configured alternative authentication methods and only if the user holds the “Change Password” privilege.)

Required permissions:

The Password Change function requires read permissions granted to the Domain Account on a number of attributes which are all listed in the Discover Account table. No other privileges are required.

Attribute	Access	Description	Stored
pwdLastSet	Read	When the user last set the password.	Yes
userAccountControl	Read-Write	Used to determine whether a user has been disabled.	Yes
msDS-User-Account-Control-Computed	Read	Used to find out the LOCKOUT setting.	No
ntSecurityDescriptor	Read		No
logonHours	Read	Used to get user’s valid logon hours	Yes

Besides the listed attribute rights, the Password Change function also requires the privileges listed in the following table to be granted to the Domain Account on the Domain Policy object.

Attribute	Access	Stored
maxPwdAge	Read	No
minPwdAge	Read	No
minPwdLength	Read	No
lockoutDuration	Read	No
lockoutObservationWindow	Read	No
lockoutThreshold	Read	No
pwdProperties	Read	No
pwdHistoryLength	Read	No
objectClass	Read	No

Change Password Function

Required permissions:

Change Password Function

CONTENTS