How to revoke change password permission only for users in specific OU?


Solution 1

John Rennie and Sam Cogan's answers (as John so aptly states) are "hacks" insofar as they attempt to disable the user-interface to change passwords but don't actually take away the ability for the user to change their password.

I think you're looking for a change to the permissions Active Directory sets by default on the OU where the user accounts are located. I'm going to caution you against that. Since Microsoft already provides this functionality through an attribute on the user account objects it's really better to use that already-provided attribute than to change the AD permissions. It's likely that you could find a permission that works, and it's also just as likely that the OS isn't going to display helpful messages.

You really should just select all the affected users using Active Directory Users and Computers and modify the properties of the user accounts en masse. Dart's answer is functionally the same as selecting all the user accounts and setting their "User cannot change password" graphically. If you like the command-line better, do that.

There is functionality to do this with an "Extended Right" using Active Directory permissions in Windows 2003. I'm not finding good documentation on the feature. Here's some background on the "extended rights" associated with changing passwords, the first relating to Active Directory "Application Mode" (or whatever Microsoft is calling it this week):

I attempted to verify Massimo's answer by placing a "SELF - Deny - User Objects - Extended Right: Change Password" permission on an OU in my test W2K3 Active Directory (Windows 2003 Domain Functional Level) and found that the user objects at or below that OU were still able to change their passwords using the GUI password change functionality. Looking at each user object, I could see the inherited "Deny" permission, but Active Directory appeared to ignore it.

Just removing the "SELF - Allow - Change Password" permission on a user object gave me the same functionality as the above test. The user was still permitted to change their password.

I'd say, on that basis, that Massimo's answer doesn't do what you want either.

I found this article from Microsoft and tested it out. When I target the script at an individual user object it behaves as desired and the user is unable to change their password. This isn't much help to you, though, since you want to set this on a per-OU basis.

When I target that script from Microsoft at an OU, however, the behaviour no longer is as expected. (Further, if I modify the ACEs added to the OU to apply to "This object and child objects" instead of "This object only" as is granted by the script, the behaviour still is not as expected.)

I'm really beating my head into a wall on this one. This looks like a quirk of Active Directory behaviour that isn't well documented. I've been through the "Active Directory Domain Services" and Active Directory schema documentation and I'm not finding documentation to describe this behaviour.
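As an added example (not part of Solution 1 or anything else in the original thread), a PowerShell script that applies the per-user "User cannot change password" setting recommended above to every user in an OU, can be rerun safely so that new accounts added to the OU are covered, and verifies the result by reading the two Deny ACEs on each user object rather than trusting the flag. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, so not the W2K3 lab described in the answer) and a placeholder OU distinguished name.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory
# module is available and that $OuDn is replaced with the real OU.
Import-Module ActiveDirectory

# Placeholder: the OU whose users must not change their own password.
$OuDn = 'OU=AppUsers,DC=example,DC=com'

# GUID of the "Change Password" extended right (User-Change-Password).
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Users in the OU that still allow a self-service password change.
function Get-UserMissingCannotChange {
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties CannotChangePassword |
        Where-Object { -not $_.CannotChangePassword }
}

# Enforce the per-user setting across the OU. Because it only touches users
# that are not yet set, it can run on a schedule to pick up new accounts.
function Set-OuCannotChangePassword {
    param([string]$SearchBase, [switch]$WhatIf)
    Get-UserMissingCannotChange -SearchBase $SearchBase |
        ForEach-Object {
            Set-ADUser -Identity $_ -CannotChangePassword $true -WhatIf:$WhatIf
            $_.SamAccountName   # report what was (or would be) changed
        }
}

# Independent check that reads the user's ACL: the setting is really two
# Deny ACEs (Everyone and SELF) for the Change Password right on the object
# itself, which is where the answer found them to be honoured.
function Test-ChangePasswordDenied {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $denies = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ChangePasswordGuid -and
        $_.IdentityReference.Value -in @('Everyone', 'NT AUTHORITY\SELF')
    }
    @($denies | ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique).Count -eq 2
}

# Usage: preview, enforce, then list any user whose ACL still lacks the denies.
Set-OuCannotChangePassword -SearchBase $OuDn -WhatIf
Set-OuCannotChangePassword -SearchBase $OuDn
Get-ADUser -SearchBase $OuDn -Filter * |
    Where-Object { -not (Test-ChangePasswordDenied $_.DistinguishedName) }
```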

Solution 2

See http://support.microsoft.com/kb/324744

However note that this is a bit of a hack. It doesn't stop users changing their passwords, it just removes the option to do so from the ctrl-alt-del dialog. Users could still use a command line password changer.

JR



Author: empi

Updated on September 17, 2022

Comments

  • empi
    empi almost 2 years

    I have a question about active directory permission to change password. Is it possible to revoke permission to change password for users from specific OU?

    How can I accomplish this task? I know it can be done for specific group of users but is it possible for users in specific OU?

    UPDATE

    Thanks for all your answers. They were really helpful. Unfortunately I cannot upvote these responses due to my low reputation ;)

    95% of users are in the OU I'm writing about. I'm thinking about removing change password permission from the Everyone group and creating a group for users that would be able to change their passwords. The issue is that users from this OU are in another application and they should change their password using this app, not in AD. Users that are not in this OU are only in AD, so they can change their passwords in AD.

    Do you think that would be a good solution or will there be problems with it?

    Thanks for help.

  • empi
    empi almost 15 years
    Unfortunately, that's not an option, since new users may be added to this OU and they still shouldn't be able to change their password. This must be solved at the OU level and it cannot be a per-user solution. However, thanks for your help.
  • Spence
    Spence almost 15 years
    Have a look at the tests I ran in my answer. I'm not getting what you're recommending to actually work in tests on a live AD.
  • dart
    dart almost 15 years
    I think that it's not possible to specify that at the OU level without doing any customisation, based on Evan's post below. It's possible a password hook might do the trick for you instead, but you'd need to customise it for your own needs. A generic OSS password hook is available at sourceforge.net/projects/passwdhk
  • Massimo
    Massimo almost 15 years
    Thanks for the extensive testing you're doing, I'd always thought that ACE should have worked that way but never actually tested it. Quite strange behaviour, anyway... why is even that ACE there, if it's actually unused?!?
  • Spence
    Spence almost 15 years
    You would think that what you suggest would work, eh? So would I. See the newest edit to my answer. You CAN set an "Everyone - Deny Change Password" and "SELF - Deny Change Password" on an object-for-object basis and it works, but that's not what the poster wants (and isn't any better than just setting the value in the userAccountControl enumeration.)
  • empi
    empi almost 15 years
    could you check update for my question? do you think that it would be a good solution?
  • Spence
    Spence almost 15 years
    @empi: If I could tell you how to do what you describe in your update it would probably work fine. So far I've only been able to come up with a user-per-user method of disabling "Change password" functionality. I haven't figured out any way to do it for an OU or the entire domain.
  • empi
    empi almost 15 years
    @Evan Anderson: removing change password permission from the Everyone group won't prevent users from changing their password? I thought that if I remove change password permission from the Everyone group then nobody would be able to change their password. Then I will create a new group, add to it permission to change password and then I will manually add users to it (of course only users that will be able to change their password). Do you think that it won't work?
  • Spence
    Spence almost 15 years
    The "Everyone - Change Password" permission isn't explicitly granted on the domain itself such that you can remove it. I've put an "Everyone - Deny Change Password" and "SELF - Deny Change Password" at the root of my test domain, verified that it inherits to my test user object, and STILL the user can change their password. The only way I've been able to deny the permission has been to put the "Deny" ACEs directly on the user object itself.