-
February 17th, 2005, 12:48 AM
#1
Setting "User Cannot Change Password" via LDAP
We manage all accounts centrally, including new account requests. This has been a two-step process where a network account was first created that dealt with most campus-wide services and then a separate Windows domain account was created for student lab and staff use. I am trying to simplify that and I am able to create the domain account via a standard LDAP API as well as set a synchronized password. But the one thing we want to ensure is that domain users only change their passwords through the centralized service and not locally from within Windows -- that way passwords stay in sync. The problem is disabling the user's ability. However, doing this requires setting an ACE in the ntSecurityDescriptor attribute of the entry. While I can do that via a vbs script, that also defeats the purpose of managing everything centrally. Is there a way to set the ACE via LDAP over the network, and does anyone have any code examples?
Thanks,
Rob
-
March 13th, 2006, 06:43 PM
#2
Re: Setting "User Cannot Change Password" via LDAP
Did you ever figure this out? I am attempting to do something similar and have yet to find any good examples ....
-
March 13th, 2006, 06:51 PM
#3
Re: Setting "User Cannot Change Password" via LDAP
We eventually hired a Windows sysadmin who actually knows his stuff and how to set policies. He used a group policy to globally disable a user's ability to change his or her password. They are therefore forced to use the main webtool that keeps everything in sync.
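For the LDAP route asked about in the first post, an added example (not code from any poster in this thread): Active Directory records "User cannot change password" as two object deny ACEs on the Change Password extended right, one for Everyone and one for SELF, and the code below builds them and places them at the front of the DACL of a binary nTSecurityDescriptor value. It assumes the value is read and written back over LDAP with the SD flags control (1.2.840.113556.1.4.801) set to 4 so that only the DACL is exchanged; the function names and the sample descriptor are constructed for illustration.

```python
import struct
import uuid

# Well-known constants of the Windows security descriptor format.
CHANGE_PASSWORD = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")  # extended right
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ACE_OBJECT_TYPE_PRESENT = 0x1
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
DACL_CONTROL_BITS = 0x150C  # DACL present/defaulted/auto-inherit/protected flags
TRUSTEES = ("S-1-1-0", "S-1-5-10")  # Everyone and SELF

def sid_bytes(sid):
    """Encode a string SID such as S-1-5-10 in binary form."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    head = struct.pack(">BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def deny_change_password_ace(sid):
    """Build an object ACE that denies the Change Password right to sid."""
    body = struct.pack("<II", ADS_RIGHT_DS_CONTROL_ACCESS, ACE_OBJECT_TYPE_PRESENT)
    body += CHANGE_PASSWORD.bytes_le + sid_bytes(sid)
    return struct.pack("<BBH", ACCESS_DENIED_OBJECT_ACE_TYPE, 0, 4 + len(body)) + body

def split_aces(sd):
    """Return the raw ACEs of the DACL in a self-relative descriptor."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    aces, pos = [], dacl_off + 8
    for _ in range(count):
        size = struct.unpack_from("<H", sd, pos + 2)[0]
        aces.append(sd[pos:pos + size])
        pos += size
    return aces

def with_password_change_denied(sd):
    """Return a DACL-only descriptor whose first ACEs are the two denies."""
    new = [deny_change_password_ace(s) for s in TRUSTEES]
    aces = new + [a for a in split_aces(sd) if a not in new]  # idempotent
    acl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0)  # ACL_REVISION_DS
    control = (struct.unpack_from("<H", sd, 2)[0] & DACL_CONTROL_BITS) | SE_DACL_PRESENT | SE_SELF_RELATIVE
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 20) + acl + b"".join(aces)

# Constructed sample: a DACL-only descriptor holding one allow ACE for S-1-5-32-544.
SAMPLE_ALLOW = struct.pack("<BBHI", 0, 0, 24, 0xF01FF) + sid_bytes("S-1-5-32-544")
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + struct.pack("<BBHHH", 4, 0, 32, 1, 0) + SAMPLE_ALLOW
```

The returned bytes are the value to send in an LDAP modify (replace) of nTSecurityDescriptor; existing ACEs are kept in their original order behind the two denies.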