To block the ability to set Password Never Expires, User Cannot Change Password and User Must Change Password at next logon:
- Open ActiveRoles MMC Console
- Create a new Access Template
- Click Add
- Select Only the following classes
- Select Users
- Select Object Property Access
- Click Deny Permission and Write Properties
- Click Next
- Choose the following properties
- Select Show all possible properties
- Choose Password Never Expires, User Cannot Change Password and User Must Change Password at Next Logon
- Save the Access Template
- Apply (link) the new Access Template to the appropriate users/groups and the target location (i.e Active Directory)
- If logged into the Web Interface, log out and back in to test and confirm the options are grayed out
To completely remove the options from the Web Interface, such as for Helpdesk users, do the following:
- Log onto the Helpdesk site as an ARS Admin
- Navigate to the Reset Password page of any user
- Click click here to customize this form
- Select Account Options and click on Delete on the menu above it
- Click Save
- Either click Reload above or hover over Customization on the top right menu and select Reload
- Go back to the user properties and Reset Password and the options will be gone. You will be left with the Password fields and Account Unlock option (grayed out by default if not currently locked)