I have a question about configuring of "User Cannot Change Password" property. Does default "Account Operators" domain group has ability to change this property? If not can it be delegated via AD delegation? Can somebody explain in detail how to do this then.
It seems that it could be difficult to delegate this as it is not actual AD account property but changes ACE "Change Password" for "SELF" in user object ACL which is being changed to Explicit allow or Deny when this setting is being changed via GUI. As I understand delegation of editing users ACL gives user loads of possibilities and can be insecure for environment.
Asked
Active
Viewed 1,172 times
1
Mikhail
- 1,287
- 3
- 18
- 35