Setting "User Cannot change password" when all Extended rights are denied.

    Question

  • I created a user in Windows 2008 Server. In the Security tab, I deny all Extended Rights for SELF and EVERYONE. Even though it includes "Change Password", "User Cannot change password" in the Accounts tab is not checked. But I am unable to change the password with that user.

    When I check it manually and uncheck it, there is no change. It is being denied no matter whether I check or uncheck the value of "User cannot change password" in the Account tab.


    - Santron Manibharathi.

    Monday, January 07, 2013 1:41 PM

Answers

  • In ADUC when you check "User cannot change password", two ACEs (Access Control Entries) are added to the DACL (Discretionary Access Control List) for the user that deny permission to change the password. One ACE denies permission for the user, the other denies permission for the group Everyone. When you uncheck this, the two deny ACEs are removed.

    When you deny all extended rights, this also denies permission to change the password. Either way, the user cannot change their own password. I can confirm that when you deny all extended rights, the check box for "User cannot change password" is not checked. This is just how ADUC works. I think it is because a different GUID is used in the ACEs. See this article for some details:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa746398(v=vs.85).aspx

    The GUID for "User cannot change password" is "{AB721A53-1E2F-11D0-9819-00AA0040529B}", and ADUC must look for this on the Account tab for the check box. The GUID (or GUIDs) for "deny all extended rights" would be different.


    Richard Mueller - MVP Directory Services

    Monday, January 07, 2013 3:33 PM
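    The following PowerShell is an added worked example, not code from the thread or from either poster. It reads the user object's DACL and classifies each Deny ACE that touches extended rights, so an administrator can see whether the block comes from the two narrow "Change Password" ACEs (the GUID quoted above, which is what the checkbox writes and reads) or from a blanket deny of all extended rights (ObjectType is the empty GUID), which also stops the password change but leaves the checkbox unchecked. It assumes the ActiveDirectory module (RSAT) and the AD: drive it registers; the account name "jdoe" in the usage comment is a placeholder.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# PowerShell module (RSAT) and the AD: PSDrive it registers on import.
Import-Module ActiveDirectory

# Control access right GUID for "Change Password", as quoted in the thread.
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Deny               = [System.Security.AccessControl.AccessControlType]::Deny

function Get-ChangePasswordDenial {
    <# Lists every Deny ACE on the user's DACL that covers extended rights and
       says whether it is the narrow "Change Password" deny that the ADUC
       checkbox writes, or a blanket deny of all extended rights (ObjectType =
       empty GUID), which blocks the change but leaves the checkbox unchecked. #>
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties CannotChangePassword
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    $rows = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne $Deny) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($ExtendedRight)) { continue }

        # Resolve the trustee to a SID so SELF and Everyone are recognised
        # regardless of how the display name is localised.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $principal = switch ($sid) {
            'S-1-5-10' { 'SELF' }
            'S-1-1-0'  { 'Everyone' }
            default    { $ace.IdentityReference.Value }
        }
        $scope = if ($ace.ObjectType -eq $ChangePasswordGuid) { 'Change Password (what the checkbox writes)' }
                 elseif ($ace.ObjectType -eq [Guid]::Empty)   { 'ALL extended rights (blanket deny)' }
                 else                                         { "other extended right $($ace.ObjectType)" }

        [pscustomobject]@{
            Principal = $principal
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }

    [pscustomobject]@{
        User          = $user.SamAccountName
        CheckboxState = $user.CannotChangePassword   # what the Account tab displays
        DenyAces      = $rows
    }
}

function Set-UserCannotChangePassword {
    <# Reproduces what ADUC does when the box is ticked: two Deny ACEs for the
       Change Password right, one for SELF and one for Everyone. The supported
       one-liner is Set-ADUser -CannotChangePassword $true; this version shows
       the underlying ACEs the answer describes. #>
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path

    foreach ($sidString in 'S-1-5-10', 'S-1-1-0') {   # SELF, Everyone
        $sid  = [System.Security.Principal.SecurityIdentifier]$sidString
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ExtendedRight, $Deny, $ChangePasswordGuid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Usage (hypothetical account name):
# Get-ChangePasswordDenial -SamAccountName 'jdoe' | Format-List
# (Get-ChangePasswordDenial -SamAccountName 'jdoe').DenyAces | Format-Table
```

    If the report shows a row with scope "ALL extended rights" while CheckboxState is $false, that is exactly the mismatch described in the question: the blanket deny wins, and the checkbox cannot represent it because ADUC only looks for the Change Password GUID. Removing that blanket ACE and then managing the setting through Set-ADUser -CannotChangePassword keeps the DACL and the Account tab in agreement.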

All replies

  • Hi,

    You have denied all extended rights; this also denies permission to change the password. Try removing that option so that password change is allowed.



    Please help and appreciate others by using these features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"

    Waqas

    MS(SPM), MS(E&F), MCP, MCT, MCTS, MCITP, MCSE, MCPD, MCSD, MCDBA , Author
    Twitter: @waqas8777
    Linked In: http://www.linkedin.com/in/waqasm1

    Monday, January 07, 2013 4:27 PM