Change Password Operation


The password change operation is performed as part of the Password Change end-user transaction in MyPass Cloud. It carries out the actual change of the password, and only if the user has passed the configured alternative authentication methods and holds the “Change Password” privilege.

The Password Change function requires read permissions granted to the Domain Account on several attributes, which are all listed in the table below. No other privileges are required.

| ATTRIBUTE | ACCESS | DESCRIPTION | STORED |
|---|---|---|---|
| pwdLastSet | Read | When the user last set the password. | Yes |
| userAccountControl | Read-Write | Used to determine whether a user has been disabled. | Yes |
| msDS-User-Account-Control-Computed | Read | Used to find out the LOCKOUT setting. | No |
| ntSecurityDescriptor | Read | | No |
| logonHours | Read | Used to get user’s valid logon hours | Yes |

Besides the listed attribute rights, the password change operation also requires the privileges to check password policy and previous operations.

| ATTRIBUTE | ACCESS | STORED |
|---|---|---|
| maxPwdAge | Read | No |
| minPwdAge | Read | No |
| minPwdLength | Read | No |
| lockoutDuration | Read | No |
| lockoutObservationWindow | Read | No |
| lockoutThreshold | Read | No |
| pwdProperties | Read | No |
| pwdHistoryLength | Read | No |
| objectClass | Read | No |
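To show what reading these attributes reveals about an account, the following added example (not MyPass Cloud code) decodes `userAccountControl`, `msDS-User-Account-Control-Computed`, `pwdLastSet`, `maxPwdAge` and `logonHours` into the states the tables describe. The flag values and encodings come from Microsoft's Active Directory documentation rather than from this page; the function names and sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Flag bits documented for Active Directory user accounts.
UF_ACCOUNTDISABLE = 0x0002       # in userAccountControl
UF_DONT_EXPIRE_PASSWD = 0x10000  # in userAccountControl
UF_LOCKOUT = 0x0010              # in msDS-User-Account-Control-Computed
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def logon_allowed(logon_hours, when_utc):
    """logonHours is 21 bytes: one bit per hour of the week, from Sunday 00:00 UTC."""
    if not logon_hours:  # attribute not set: no time restriction
        return True
    hour = ((when_utc.weekday() + 1) % 7) * 24 + when_utc.hour
    return bool(logon_hours[hour // 8] >> (hour % 8) & 1)

def account_state(attrs, now_utc):
    """Summarise what the attributes say about a user at now_utc."""
    uac = attrs["userAccountControl"]
    max_age = attrs["maxPwdAge"]  # negative 100-ns interval from the domain object
    no_expiry = bool(uac & UF_DONT_EXPIRE_PASSWD)
    expires = None
    # -2**63 (and, defensively, 0) is treated as "passwords never expire".
    if not no_expiry and attrs["pwdLastSet"] and max_age not in (0, -2**63):
        expires = filetime_to_dt(attrs["pwdLastSet"]) + timedelta(
            microseconds=-max_age // 10)
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "locked_out": bool(attrs["msDS-User-Account-Control-Computed"] & UF_LOCKOUT),
        "must_change_at_next_logon": attrs["pwdLastSet"] == 0 and not no_expiry,
        "password_expires": expires,
        "logon_allowed_now": logon_allowed(attrs.get("logonHours"), now_utc),
    }

# Constructed sample values, not taken from a real directory.
SAMPLE = {
    "userAccountControl": 0x0202,                # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "msDS-User-Account-Control-Computed": 0x10,  # locked out
    "pwdLastSet": 133485408000000000,            # 2024-01-01 00:00:00 UTC
    "maxPwdAge": -36288000000000,                # 42 days
    "logonHours": bytes([0] * 3 + [0xFF] * 3 + [0] * 15),  # Mondays only
}

if __name__ == "__main__":
    print(account_state(SAMPLE, datetime(2024, 1, 8, 10, tzinfo=timezone.utc)))
```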