I'm attempting to rework this KB a little bit:
https://support.oneidentity.com/kb/320795/how-to-enforce-a-specific-value-for-user-must-change-password-at-next-logon-when-using-the-active-roles-web-interface
Original code
function onPreModify($Request)
{
    # Only act on user objects.
    if ($Request.Class -ne "user") { return }
    # Only act when the request includes a password change.
    if ($Request.Attributes.Attributes["edsaPassword"])
    {
        $Request.Put("edsvaUserMustChangePasswordAtNextLogon", $true) # Alternatively, use $false if desired
    }
}
Should I be able to change "edsvaUserMustChangePasswordAtNextLogon" to be "edsaUserCannotChangePassword" ?
Like so:
function onPreModify($Request)
{
    # Only act on user objects.
    if ($Request.Class -ne "user") { return }
    # Only act when the request includes a password change.
    if ($Request.Attributes.Attributes["edsaPassword"])
    {
        $Request.Put("edsaUserCannotChangePassword", $false)
    }
}
Should that work?
First I tried:
https://support.oneidentity.com/active-roles/kb/186689/how-to-block-access-to-password-options
This tries using an access template to limit access to the password options. But I'm only looking to block UserCannotChangePassword and leave UserMustChangePasswordAtNextLogon available. I tried applying it to only UserCannotChangePassword, but I could still set it to $true.
I also tried using a straight-up property generation and validation policy to force edsaUserCannotChangePassword to always be $false. That didn't stop me from setting it to $true either.
I removed the option from the web interface, but some of our craftier admins have learned how to use the Quest cmdlets and realized they can set UserCannotChangePassword to $true to kind of exempt some accounts from our password policies. Ideally, I'd like an "Administrative Policy Error: Setting edsaUserCannotChangePassword to $True defies corporate policy", like you get when you set property validation on a normal attribute.
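As an added example (not the poster's script and not a One Identity KB sample), here is the enforcing variant the post is asking for: an onPreModify/onPreCreate script policy that rejects the request whenever edsaUserCannotChangePassword would be set to true, instead of quietly overwriting the value. It assumes the Active Roles scripting objects already used in the post ($Request.Class, $Request.Attributes.Attributes[...], $Request.Get) and that an exception thrown from these handlers aborts the operation and returns the message to the caller as a policy error.

```powershell
# Added example, not the poster's code or One Identity's. Assumptions: the handler
# names and $Request members below are those used in the post; throwing from the
# handler is assumed to abort the request and surface the message to the caller.

$script:PolicyMessage = "Administrative Policy Error: Setting edsaUserCannotChangePassword to True defies corporate policy"

function ConvertTo-PolicyBool($value)
{
    # The attribute may arrive as [bool], as a string ("TRUE"/"false"), or as 0/1
    # depending on the client; normalise so no encoding slips past the check.
    if ($value -is [bool]) { return $value }
    $text = [string]$value
    if ($text -match '^(true|1)$')  { return $true }   # -match is case-insensitive
    if ($text -match '^(false|0)$') { return $false }
    throw ("{0} (unrecognised value '{1}')" -f $script:PolicyMessage, $text)
}

function Test-UserCannotChangePasswordRequest($Request)
{
    # Only user objects are in scope.
    if ($Request.Class -ne "user") { return }

    # Attribute not part of this request: nothing to enforce.
    if (-not $Request.Attributes.Attributes["edsaUserCannotChangePassword"]) { return }

    $requested = ConvertTo-PolicyBool ($Request.Get("edsaUserCannotChangePassword"))
    if ($requested)
    {
        # Reject rather than override: the caller sees the policy error and the
        # request is not written, regardless of which client submitted it.
        throw $script:PolicyMessage
    }
}

# Enforce on modification of existing users and on creation of new ones.
function onPreModify($Request) { Test-UserCannotChangePasswordRequest $Request }
function onPreCreate($Request) { Test-UserCannotChangePasswordRequest $Request }
```

Because the policy runs in the Administration Service, it applies to the web interface and to Quest cmdlets that connect through Active Roles (Connect-QADService -Proxy) alike; it cannot see changes made by cmdlets that bind directly to a domain controller, so those paths still need the usual AD-side delegation controls.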