The password change is carried out by the service account user. It cannot be carried out by the end user, because:
- On a forced password change, the bind as the end user fails: the AD connector returns error code 773 (telling the user to change the password). Thus, the password change cannot be carried out after a bind as the end user.
- If the administrator resets the password in the Admin application, the end user is not involved at all. This implies that the reset must be done by the service account.
The service account user needs the following rights for that purpose:
| Right (LDAP display name) | Right (Permission editor display name) | Mode | Explanation | Detailed information |
|---|---|---|---|---|
| userAccountControl | - | (read/?)write | Optional: account policy value to set after a password reset. Only set if the flag Active Directory Account Control On Reset is configured to be | |
| pwdLastSet | read PwdLastSet, write PwdLastSet | read/write | Optional: time that is reset on password change. Only set if the flag Active Directory Reset Pwd Last Set For User Initiated Modification is configured to be | |
| lockoutTime | (read LockoutTime), write LockoutTime | (read?/)write | Optional: date and time (UTC) that this account was locked out. Only set if the flag Active Directory Unlock User On Reset is configured to be | |
| - | Reset Password | write | Mandatory: needed to perform a delegated password reset, i.e. a password reset for another user. | - |
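The two mechanisms the text relies on, recognising the `data 773` sub-code in a failed end-user bind and building the attribute modifications a service account sends for a delegated reset, are shown below as an added example. It is not code from the product documented here; the function names, the constructed diagnostic string and the `MODIFY_REPLACE` operation labels are assumptions, and the block only prepares the request so it runs without a directory server.

```python
import re

# Well-known "data" sub-codes that AD returns in the diagnostic message of a
# failed simple bind (AcceptSecurityContext error). 773 is the one referenced
# above: the account must change its password before it can bind.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def parse_bind_error(diagnostic_message):
    """Extract the 'data NNN' sub-code from an AD bind failure message.

    Returns (code, meaning); (None, None) when no sub-code is present.
    The caller can use code == "773" to decide that the end-user bind
    cannot proceed and the reset has to go through the service account.
    """
    match = _DATA_RE.search(diagnostic_message)
    if not match:
        return None, None
    code = match.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown")


def encode_unicode_pwd(password):
    """AD accepts a new password only as the unicodePwd attribute: the
    clear-text value wrapped in double quotes and encoded as UTF-16-LE.
    The directory refuses this write over an unencrypted connection, so the
    service account must use LDAPS (or an otherwise encrypted session)."""
    return ('"' + password + '"').encode("utf-16-le")


def build_reset_modifications(new_password, unlock=False,
                              force_change_at_next_logon=None,
                              user_account_control=None):
    """Build the attribute modifications for a delegated password reset.

    A single REPLACE of unicodePwd is the administrative reset that needs the
    "Reset Password" right from the table above (a self-service change would
    instead DELETE the old value and ADD the new one). The optional attributes
    mirror the optional rights in the table:
      - lockoutTime = 0 unlocks the account (Unlock User On Reset)
      - pwdLastSet = 0 forces a change at next logon, -1 marks the password
        as set now (Reset Pwd Last Set ...)
      - userAccountControl is replaced with the configured policy value
        (Account Control On Reset)
    Returns {attribute: (operation, [values])}; values are bytes as sent
    on the wire. Operation labels are an assumption of this example.
    """
    mods = {"unicodePwd": ("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])}
    if unlock:
        mods["lockoutTime"] = ("MODIFY_REPLACE", [b"0"])
    if force_change_at_next_logon is True:
        mods["pwdLastSet"] = ("MODIFY_REPLACE", [b"0"])
    elif force_change_at_next_logon is False:
        mods["pwdLastSet"] = ("MODIFY_REPLACE", [b"-1"])
    if user_account_control is not None:
        mods["userAccountControl"] = ("MODIFY_REPLACE",
                                      [str(int(user_account_control)).encode()])
    return mods


if __name__ == "__main__":
    # Constructed sample of an AD bind failure message (not a real capture).
    sample = ("80090308: LdapErr: DSID-0C090400, comment: "
              "AcceptSecurityContext error, data 773, v1db1")
    print(parse_bind_error(sample))
    for attr, (op, values) in build_reset_modifications(
            "Example-Pw-1!", unlock=True, force_change_at_next_logon=True).items():
        print(attr, op, values)
```

Only the attributes whose corresponding flag is enabled are included in the modification set, which keeps the service account's required rights to the minimum the table lists: with every optional flag off, the request touches nothing but `unicodePwd` and therefore needs nothing beyond the "Reset Password" right.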