Enable UserAccountControl but disable Password Never Expires?

Question

  • We're under a rather heavy SOX audit which requires all our accounts to have password expiration. So we're looking for a way to disable toggling this feature for all but the highest-level domain admins so they can create service accounts. We already have lower-level admins we delegated various account functions to. But the issue is that apparently there's one setting - UserAccountControl - which controls a basket of more granular settings. So if we turn off "write userAccountControl" then these admins also won't be able to enable/disable accounts.

    This was the article we referenced, I notice it's for server 2003 but it seems accurate enough and I don't see anything more current:

    http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

    My approach at this point is to see if we can make some custom permissions group, say "UACnoPNE", which would have all the rights of userAccountControl minus ADS_UF_DONT_EXPIRE_PASSWD. Is there a way to do this? Can we make some sort of schema change that would give us this granularity? I see Exchange makes all sorts of custom permission groups like this.

    I'm sure we're not the only ones who have this issue, as attackers get more sophisticated in hacking passwords.


    ---------- Ron Bass

    Friday, March 31, 2017 11:30 PM

Answers

  • I just read Brian Desmond's blog post that you linked. He is a highly respected Directory Services MVP (14 years I believe), and author of the 5th Edition of "Active Directory". His blog post is spot on. And nothing has changed with regard to the userAccountControl attribute since that was written, except the addition of more supported bit masks (such as for read-only DC's).

    But I understand your concern. Still, there is nothing that could be done in the schema. The userAccountControl attribute is an integer. If you have permission to update one bit, you cannot be restricted from updating other bits. Even if you required admins to use a custom application that only allowed them to enable or disable accounts, they would still require write permissions on the attribute. This would allow them to use any other tool or scripting language to assign any value to the attribute.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Ron Bass Monday, April 3, 2017 3:47 PM
    Saturday, April 1, 2017 1:43 AM
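To make the answer concrete: userAccountControl is a single integer, and "account disabled" (0x2) and "password never expires" (0x10000, ADS_UF_DONT_EXPIRE_PASSWD) are just two bits in it, so enabling or disabling an account and toggling password expiry are the same kind of write to the same attribute. The script below is an added example, not code from the thread or from Microsoft; the flag constants are the documented ADS_USER_FLAG values, while the account records, sAMAccountNames and the exemption list are constructed sample data standing in for an LDAP export. It decodes the bitmask, shows that both operations produce a new value of the one attribute, and runs the kind of audit check a SOX reviewer would want: which non-exempt accounts have the never-expire bit set.

```python
"""Decode and audit Active Directory userAccountControl values.

Added example, not from the original thread. Flag constants are the
documented ADS_USER_FLAG_ENUM bits; the account list is constructed data.
"""
from typing import Dict, Iterable, List

# Subset of the documented userAccountControl bit flags.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_SMARTCARD_REQUIRED = 0x40000
ADS_UF_DONT_REQ_PREAUTH = 0x400000

FLAG_NAMES: Dict[int, str] = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
    ADS_UF_DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def set_enabled(value: int, enabled: bool) -> int:
    """Enable/disable an account: clear or set the ACCOUNTDISABLE bit."""
    return value & ~ADS_UF_ACCOUNTDISABLE if enabled else value | ADS_UF_ACCOUNTDISABLE


def set_password_never_expires(value: int, never_expires: bool) -> int:
    """Toggle DONT_EXPIRE_PASSWD. Note this writes the same attribute as set_enabled."""
    if never_expires:
        return value | ADS_UF_DONT_EXPIRE_PASSWD
    return value & ~ADS_UF_DONT_EXPIRE_PASSWD


def changed_flags(old: int, new: int) -> List[str]:
    """Which flags differ between two values of the attribute (what an audit log would show)."""
    return decode_uac(old ^ new)


# Constructed sample export: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("jsmith", 512),        # normal, enabled, password expires
    ("svc_backup", 66048),  # normal + DONT_EXPIRE_PASSWD (approved service account)
    ("contractor1", 66050), # disabled + DONT_EXPIRE_PASSWD (still a finding)
    ("tdoe", 66080),        # PASSWD_NOTREQD + DONT_EXPIRE_PASSWD
]


def audit_never_expires(records: Iterable[tuple], exempt: Iterable[str]) -> List[str]:
    """List accounts with DONT_EXPIRE_PASSWD set that are not on the approved exemption list."""
    exempt_set = set(exempt)
    return [
        name for name, uac in records
        if uac & ADS_UF_DONT_EXPIRE_PASSWD and name not in exempt_set
    ]


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:12} {uac:>6}  {decode_uac(uac)}")
    print("findings:", audit_never_expires(SAMPLE_ACCOUNTS, exempt={"svc_backup"}))
    # Both operations are writes to the one integer attribute.
    print("disable jsmith:", changed_flags(512, set_enabled(512, False)))
    print("never-expire jsmith:", changed_flags(512, set_password_never_expires(512, True)))
```

Because every change is a write to the same attribute, the compensating control is the audit loop rather than a finer ACL: export userAccountControl regularly, diff it against the approved exemption list, and review Directory Service change events (the attribute's old and new values are what you would feed to `changed_flags`).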

All replies

  • It cannot be done. Administrators must be able to update the userAccountControl attribute, but you must trust the Administrators. This argues for limiting the number of people with administrator rights.

    I know of no way to allow admins to enable and disable accounts without giving them write access to the userAccountControl attribute, which allows them to assign any value.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, March 31, 2017 11:37 PM
  • Got it. Though I'd like to hear a second opinion, just to make sure we can rule this out.

    ---------- Ron Bass

    Friday, March 31, 2017 11:53 PM