Change Password Function

Author: [email protected]

The Password Change function runs as part of the Password Change end-user transaction in Password Manager. It performs the actual change of the password, and does so only if the user has passed the configured alternative authentication methods and holds the “Change Password” privilege.

Required permissions:

The Password Change function requires the Domain Account to be granted read permissions on a number of attributes, all of which are listed in the Discover Account table. No other privileges are required.

| Attribute | Access | Description | Stored |
|---|---|---|---|
| pwdLastSet | Read | When the user last set the password. | Yes |
| userAccountControl | Read-Write | Used to determine whether a user has been disabled. | Yes |
| msDS-User-Account-Control-Computed | Read | Used to find out the LOCKOUT setting. | No |
| ntSecurityDescriptor | Read | | No |
| logonHours | Read | Used to get the user’s valid logon hours. | Yes |

In addition to the attribute rights listed above, the Password Change function requires the Domain Account to be granted the privileges in the following table on the Domain Policy object.

| Attribute | Access | Stored |
|---|---|---|
| maxPwdAge | Read | No |
| minPwdAge | Read | No |
| minPwdLength | Read | No |
| lockoutDuration | Read | No |
| lockoutObservationWindow | Read | No |
| lockoutThreshold | Read | No |
| pwdProperties | Read | No |
| pwdHistoryLength | Read | No |
| objectClass | Read | No |
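
How the raw values of several attributes from the two tables are interpreted, as an added example that is not part of the original page or the product's own code. The flag values and encodings come from Microsoft's Active Directory documentation; the `evaluate` helper and all sample values are constructed, and the attributes are assumed to have already been parsed from LDAP into integers and bytes.

```python
from datetime import datetime, timedelta, timezone

# Flag and encoding details are from Microsoft's AD schema documentation,
# not from this page. All sample values below are constructed.
UF_ACCOUNTDISABLE = 0x0002  # bit in userAccountControl
UF_LOCKOUT = 0x0010         # bit in msDS-User-Account-Control-Computed
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age):
    """maxPwdAge is a negative 100 ns interval; 0 or INT64_MIN means never."""
    if max_pwd_age in (0, -2**63):
        return None
    age = timedelta(microseconds=-max_pwd_age // 10)
    return filetime_to_datetime(pwd_last_set) + age

def logon_allowed(logon_hours, when):
    """logonHours: 21 bytes, one bit per hour from Sunday 00:00 UTC.
    An absent attribute means no restriction."""
    if not logon_hours:
        return True
    when = when.astimezone(timezone.utc)
    hour = ((when.weekday() + 1) % 7) * 24 + when.hour  # Sunday becomes day 0
    return bool(logon_hours[hour // 8] >> (hour % 8) & 1)

def evaluate(user, policy, now):
    """Hypothetical helper: summarise account state from raw attribute values."""
    expiry = password_expiry(user["pwdLastSet"], policy["maxPwdAge"])
    return {
        "disabled": bool(user["userAccountControl"] & UF_ACCOUNTDISABLE),
        "locked_out": bool(user["msDS-User-Account-Control-Computed"] & UF_LOCKOUT),
        "must_change": user["pwdLastSet"] == 0,  # 0 forces a change at next logon
        "expired": expiry is not None and now >= expiry,
        "in_logon_hours": logon_allowed(user.get("logonHours"), now),
    }

SAMPLE_USER = {  # constructed values
    "pwdLastSet": 133485408000000000,             # 2024-01-01 00:00 UTC
    "userAccountControl": 0x0200,                 # NORMAL_ACCOUNT, enabled
    "msDS-User-Account-Control-Computed": UF_LOCKOUT,
    "logonHours": bytes(3) + bytes([0xFF] * 18),  # no logon on Sundays
}
SAMPLE_POLICY = {"maxPwdAge": -42 * 86400 * 10**7}  # 42 days

if __name__ == "__main__":
    print(evaluate(SAMPLE_USER, SAMPLE_POLICY, datetime(2024, 2, 13, tzinfo=timezone.utc)))
```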