Block User Cannot Change Password

Question

I'm attempting to rework this KB a little bit: https://support.oneidentity.com/kb/320795/how-to-enforce-a-specific-value-for-user-must-change-password-at-next-logon-when-using-the-active-roles-web-interface 
 
 Original code 
 function onPreModify($Request) 
 
 { 
 if ($Request.class -ne "user"){ return } 
 if ($Request.Attributes.Attributes["edsaPassword"]) 
 { 
 $Request.Put("edsvaUserMustChangePasswordAtNextLogon", $true) #Alternatively, use $false if desired 
 } 
 }

Should I be able to change "edsvaUserMustChangePasswordAtNextLogon" to be "edsaUserCannotChangePassword" ?

Like so:

{ 
 if ($Request.class -ne "user"){ return } 
 if ($Request.Attributes.Attributes["edsaPassword"]) 
 { 
 $Request.Put("edsaUserCannotChangePassword", $false) 
 } 
 } 
 
 Should that work? First I tried: https://support.oneidentity.com/active-roles/kb/186689/how-to-block-access-to-password-options

This tries using an access template to accomplish limiting access to the password options. But I'm only looking to block UserCannotChangePassword and leave UserMustChangePasswordAtNextLogon available. I tried applying it to only UserCannotChangePassword, but I could still set it to $true. 
 
 I also tried using a straight-up property generation and validation policy to force edsaUserCannotChangePassword to always be $false. That didn't stop me from setting it to $true either.

I removed the option from web interface but some of our craftier admins have learned how to use the quest cmdlets and realized they can set UserCannotChangePassword to $true to kind of exempt some accounts from our password policies. Ideally, I'd like an "Administrative Policy Error: Setting edsaUserCannotChangePassword to $True defies corporate policy" Like you get when you set property validation on a normal attribute.

JohnnyQuest · Accepted Answer

So here's the thing, if you look at the object Change History, it does say that edsaUserCannotChangePassword is getting modified as is the NTSecurityDescriptor. 
 I would think that this should work: # Check and see if the Cannot Change Password flag is being chenged # Note that IsAttributeModified is only telling you if the attribute is being changed and NOT what it is being changed to If ((IsAttributeModified $Request "edsaUserCannotChangePassword") -eq $false){return} 
 # Check if the property is being set to TRUE, if it is then set it to FALSE If ($Request.Get("edsaUserCannotChangePassword") -eq $true) { $Request.Put("edsaUserCannotChangePassword", $false) } 
 As an aside, this use case can also be dealt with in a codeless fashion using a Change Workflow: 1) Start condition Detects a change to the property edsaUserCannotChangePassword 2) Uses an Update Activity to force the property value to FALSE If you want to prevent native changes to this property (i.e. performed via ADUC), you would need to modify your policy script to watch for changes to the relevant UserAccountControl bit which is somewhat more complicated.

Block User Cannot Change Password

Top Replies