Rights to service PWD change/reset
Necessary rights of the service account for password change/reset

The password change is carried out by the service account user. It cannot be carried out by the end user, because:

  • On a forced password change, the bind with the end user fails if the AD connector returns an error code 773 (telling the user to change the password). Thus, the password change cannot be carried out after a bind with the end user.
  • If the administrator in the Admin application resets the password, the end user is not involved. This implies that the reset must be done by the service account.

The service account user needs the following rights for that purpose:

Right (LDAP display name)
Right (Permission editor display name)
Mode
Explanation
Detailed information
userAccountControl
 -
(read/?)write
Optional: account policy value to set after a password reset.
Only set if the flag Active Directory Account Control On Reset is configured to be true (which is typically not the case)
pwdLastSet
read PwdLastSet write PwdLastSet 
read/write
Optional: time that is reset on password change.
Only set if the flag Active Directory Reset Pwd Last Set For User Initiated Modification is configured to be true (which is typically the case)
lockoutTime
(read LockoutTime) write LockoutTime 
(read?/)write
Optional: date and time (UTC) that this account was locked out.
Only set if the flag Active Directory Unlock User On Reset is configured to be true (which is typically the case)
-
Reset Password
write
Mandatory: needed to perform a delegated password reset, i.e. password reset for another user.
-