Change Password Operation
The password change operation is performed as part of the Password Change end-user transaction in MyPass Cloud. This is done to perform the actual change of the password (only if the user has passed the configured alternative authentication methods and only if the user holds the “Change Password” privilege).
The Password Change function requires read permissions granted to the Domain Account on several attributes, which are all listed in the table below. No other privileges are required.
| ATTRIBUTE | ACCESS | DESCRIPTION | STORED |
|---|---|---|---|
|
pwdLastSet
|
Read
|
When the user last set the password.
|
Yes
|
|
userAccountControl
|
Read-Write
|
Used to determine whether a user has been disabled.
|
Yes
|
|
msDS-User-Account-Control-Computed
|
Read
|
Used to find out the LOCKOUT setting.
|
No
|
|
ntSecurityDescriptor
|
Read
|
|
No
|
|
logonHours
|
Read
|
Used to get user’s valid logon hours
|
Yes
|
Besides the listed attribute rights, the password change operation also requires the privileges to check password policy and previous operations.
| ATTRIBUTE | ACCESS | STORED |
|---|---|---|
|
maxPwdAge
|
Read
|
No
|
|
minPwdAge
|
Read
|
No
|
|
minPwdLength
|
Read
|
No
|
|
lockoutDuration
|
Read
|
No
|
|
lockoutObservationWindow
|
Read
|
No
|
|
lockoutThreshold
|
Read
|
No
|
|
pwdProperties
|
Read
|
No
|
|
pwdHistoryLength
|
Read
|
No
|
|
objectClass
|
Read
|
No
|