
How can I deny admins the right to reset their own password?

I have a bunch of users who have (quite properly) the ability to reset passwords.  Unfortunately, a number of them are abusing this ability by resetting (rather than changing) their own passwords so that they keep the same password in spite of the password policies.

These users are members of a specific group.  Is there a way that I can deny them the right to reset only their own password?  I don't want to block them from being able to reset their colleagues' passwords, just their own.

Thanks,

Mike...

  • There is a *native* flag you can set on the user for this: "User cannot change password".  This prevents a user from changing their own password.  Though preventing users from changing their own passwords is a potential security problem, isn't it?  i.e. unless you do a lot of auditing, how will you know when someone else (i.e. another admin) changing an admin's password is legitimate?

    Within AR, you could also set a deny access template for NTAuthority\Self for the reset password permission.
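    The native counterpart of that Access Template deny, as an added example that is not part of this thread: a PowerShell script that places an explicit Deny ACE for NT AUTHORITY\SELF on the "Reset Password" control access right of every user in the group, so members keep Reset Password on colleagues but the access check fails when the target is their own account. The group name `HelpDesk` is an assumed placeholder; the script requires the ActiveDirectory module.

    ```powershell
    # Added example, not from the thread. Deny SELF the "Reset Password" extended right
    # on each member of a group so they cannot reset their own password via native AD tools.
    Import-Module ActiveDirectory

    $GroupName = 'HelpDesk'   # assumed placeholder; replace with the real group

    # Schema GUID of the "Reset Password" control access right (User-Force-Change-Password)
    $ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    # NT AUTHORITY\SELF: matches whoever is acting on their own user object
    $SelfSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

    # Explicit Deny is evaluated before explicit Allow in canonical ACL order,
    # so it overrides the Reset Password allow the group grants its members.
    $denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $SelfSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ResetPasswordGuid)

    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $path = "AD:\$($member.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # Skip accounts that already carry an equivalent deny, so re-runs are idempotent
        $already = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ResetPasswordGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }
        if (-not $already) {
            $acl.AddAccessRule($denyAce)
            Set-Acl -Path $path -AclObject $acl
            Write-Output "Denied self Reset Password on $($member.SamAccountName)"
        }
    }
    ```

    This ACE only governs direct AD access (the ADUC path); Active Roles performs operations under its own service account, so the ARS Console path needs the Access Template deny described above. Anyone able to edit the user's ACL can remove the ACE, so pair it with auditing of permission changes.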

  • (I made a correction to the terms in the post)

    > 'Password Change' is the usual route for users to take. Native MSFT Windows/AD rights only. ARS does not/cannot grant it.
    > 'Password Reset' is the administrative privilege, granted to the AD\HelpDesk group via 'native ACL' in ADUC or 'virtually' in ARS.

    #1. I would not recommend doing this. If AD\HelpDesk member AD\jsmith can *Reset Password* for all accounts, then he can change it for himself. *Change Password* is native MSFT functionality for all AD users, probably part of AD GPO, and out of ARS/AD Management Workflow scope.

    #2. AD Management workflow change. Introduce an exemption: an AD\HelpDesk user's password can be *Reset Password* by AD\Admins only (higher-level exemption ticket).

    #3. Workflow or Policy Script: IF Caller ID (SID/Logon/GUID) = Target Object ID THEN throw exception "MyCompany AD Management Policy Violation: AD Admins cannot *Reset Password* on themselves". (Not recommended, as in #1.)

  • I thought I might have to clarify this.  Password Change and Password Reset are not the same thing.

    Password Change is the usual route for users to take.  Enter the old password, enter the new one twice.  All the policies for complexity, history, etc. are applied.  I don't want (or need) to change access to this at all.

    Password Reset is the administrative privilege available via ARS Console or ADUC (if permissioned).  It allows a password change to be forced on an account without knowing the old password.  This doesn't respect password history or complexity.

    I want to prevent a set of users from being able to Reset their own passwords.  Password Change rights would be untouched.

    I hope this frames the question more clearly.

  • You can create a Workflow which checks the initiator and the object on which the operation is to be performed. If they are the same, you can add a stop action.

  • Hi, Benjamin.

    Thanks for the pointer.  I have that working now even though I never tried to create a workflow before.

    I decided to go with notification rather than denial in the end.  

    Regards,

    Mike...