Return
-
Title
Error while provisioning ADSAccount.UserCanNotChangePassword -
Description
* Steps to reproduce:1. Newly created AD account with UserCanNotChangePassword=FALSE
Access RIghts:Allow Everyone Change PasswordAllow NT AUTHORITY\SELF Change Password2. Change in AD to UserCanNotChangePassword=TRUE
Access RIghts:Deny Everyone Change PasswordDeny NT AUTHORITY\SELF Change Password3. Change in AD to UserCanNotChangePassword=FALSE
-> Rights situation:Allow Everyone Change PasswordSteps 2 and 3 can be repeated at will in AD and always lead to the mentioned permissions.Only newly created accounts have 2 Allow rights.After the first change, only one Allow right for Everyone remains.4.The account exists in OneIM with identical properties.
Change in OneIM to UserCanNotChangePassword=TRUE-> Rights situation after provisioning:Deny Everyone Change PasswordDeny NT AUTHORITY\SELF Change Password5. Change in OneIM to UserCanNotChangePassword=FALSE
-> Rights situation after provisioning:NO right available. So it is not possible to change the pwd, although this should be possible -> false.Change of procedure:
Steps 2 and 3 are NOT executed.Step 4 leads in this case to:Deny Everyone Change PasswordDeny NT AUTHORITY\SELF Change PasswordAllow Everyone Change PasswordAllow NT AUTHORITY\SELF Change PasswordEffectively the password change is not possible -> correctStep 5 leads to:
Allow Everyone Change PasswordAllow NT AUTHORITY\SELF Change PasswordWith this, the password change is possible again -> correct.Conclusion:Provisioning UserCanNotChangePassword only works correctly if the property has never been changed in AD before.* Expected result:Correct provisioning of UserCanNotChangePassword. -
Cause
If the Allow rights have been lost in AD for any reason, they will not be restored by OneIM. This means that the user can no longer change the password.This is related to Product Defect CR ID 34390. -
Resolution
The One Identity Product Team has acknowledged this as Product Defect CR ID 34390.. This is planned for inclusion in a future release. If you need further information, please contact One Identity Support and reference Product Defect CR ID 34390. -
Change Request
34390