User must change password at next logon checked at the backend

Mano posted this 02 February 2017

Hi Experts,
I have a requirement to gray out "User must change password at next logon" when the service desk team creates a new user, and this option must be checked at the backend. In this case, the option should continue to be grayed out when they try to reset a user's password. Is this possible for service desk people only, or is it possible only domain- / forest-wide?
My requirement is to have this enabled only for service desk people via group membership instead of individual users.
Thank you,
Sam

daemonr00t posted this 02 February 2017

You'll want to tinker with the userAccountControl and password-related permissions.

Cheers

~dannyCS

Sent from my mobile

daemonr00t posted this 02 February 2017

Now, that attribute controls all security aspects of the account (enabled/disabled/password not required/password must be changed...); it's a bit set, an interesting attribute indeed.

Now you either control it or not. The option you mention is not a separate one.

Sorry... a bit early here, still half my brain is sleeping.

~dannyCS

cduers posted this 02 February 2017

It's the "write account restrictions" attribute

Christopher Duers
XL Catlin, Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx


cduers posted this 02 February 2017

Sorry gang, I meant it's the write account restrictions right, not attribute.

bdesmond posted this 02 February 2017

There isn’t a way to do this without some sort of proxy based delegation tool in the middle.

pwdLastSet is the attribute behind that checkbox. When you check the checkbox, it sets it to 0. Otherwise, it gets set to the time the new password is set.

You need to be able to set that attribute, but, you can’t use native AD delegation to control what values are set.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132
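As an added illustration of Brian's point (not code from the thread), the PowerShell below reads the attribute behind the checkbox and shows the two writes that toggle it: 0 to force a change at next logon, -1 to let the DC stamp the current time. It assumes the RSAT ActiveDirectory module and uses the placeholder account `jdoe`.

```powershell
# Added example: pwdLastSet is the attribute behind
# "User must change password at next logon". 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-MustChangeState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, userAccountControl
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        pwdLastSet           = $u.pwdLastSet
        # 0 means the checkbox is ticked; anything else is a FILETIME.
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
        PasswordLastSetUtc   = if ($u.pwdLastSet -gt 0) {
                                   [DateTime]::FromFileTimeUtc($u.pwdLastSet)
                               } else { $null }
        # The "never expires" flag lives in userAccountControl (bit 0x10000),
        # which is why the checkbox is not a userAccountControl bit itself.
        PasswordNeverExpires = (($u.userAccountControl -band 0x10000) -ne 0)
    }
}

# Ticking the checkbox: the cmdlet writes pwdLastSet = 0 under the hood.
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
Get-MustChangeState -SamAccountName jdoe

# Clearing it: writing -1 makes the DC replace the value with the current time.
# (Set-ADUser -ChangePasswordAtLogon $false does the same thing.)
Set-ADObject -Identity (Get-ADUser -Identity jdoe).DistinguishedName `
             -Replace @{ pwdLastSet = -1 }
Get-MustChangeState -SamAccountName jdoe
```

Both writes go through the same attribute, so a principal that can write pwdLastSet can set it to either value; there is no separate right for "only 0".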

Mano posted this 02 February 2017

Hi all,
Thank you very much for your valuable input!
I think I cannot achieve my requirement. If pwdLastSet is set to 0 globally, then every time any user logs in it will prompt them to reset. I must set this option for any user who is created by the Service Desk team or whose password is reset by the Service Desk team.
I am currently reading about the dssec.dat file, which may or may not be related to this subject: https://support.microsoft.com/en-us/help/296999/minimum-permissions-are-needed-for-a-delegated-administrator-to-force-password-change-at-next-logon-procedure
Best Regards,
Sam

cduers posted this 02 February 2017

That's strange, because I just saw a scenario yesterday where a group of support people have the ability to reset passwords but not the ability to check or uncheck that box. I granted them write account restrictions on user objects at the OU level. I have to double check today and see if that resolved the issue.

bdesmond posted this 02 February 2017

The dssec.dat file just controls what attributes show up in the ACL Editor in ADUC and ADSI Edit.

Thanks,

Brian Desmond

Mano posted this 03 February 2017

Hi Chris,
I will wait for your direction on how to make this change if possible.
Regards,Sam



cduers posted this 03 February 2017

Hi – I don’t know if a screenshot will go through, but basically what I did was, at the OU level where we have most of our active accounts, I set the ACL below (WriteAccountRestrictions) for the group that does end-user support – they already had reset password and unlock account via the “canned” delegations.

I got confirmation yesterday that this worked for them:
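The delegation Chris describes, as an added PowerShell example that is not from the thread: it grants a group WriteProperty on the "Account Restrictions" property set, inherited by user objects under an OU, and then reads the ACE back. The OU distinguished name and the group name `ServiceDesk` are placeholders; the GUIDs are looked up in the directory rather than hard-coded.

```powershell
# Added example: delegate "Write Account Restrictions" on user objects under an OU.
Import-Module ActiveDirectory
$ou    = "OU=Users,OU=Corp,DC=example,DC=com"   # placeholder OU
$group = Get-ADGroup -Identity "ServiceDesk"     # placeholder group

# Resolve the property-set and class GUIDs from the forest instead of hard-coding them.
$rootDse = Get-ADRootDSE
$propSet = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                        -LDAPFilter "(displayName=Account Restrictions)" -Properties rightsGuid
$userCls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                        -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$propSetGuid   = [guid]$propSet.rightsGuid
$userClassGuid = [guid]$userCls.schemaIDGUID

# Allow WriteProperty on the property set, inherited only by descendant user objects.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $propSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show the ACEs on the OU that grant this group rights on the property set.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.ObjectType -eq $propSetGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Note that the property set covers more than pwdLastSet (userAccountControl and accountExpires are in it too), so this grants the group the ability to tick or untick the box, not to enforce one value, which is the limitation Brian points out.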