0 votes

We have a pretty generic installation of Adaxes 2013.1.
We'd like the HelpDesk to be able to see the Password Expiration date. Currently they see "Password Expires N/A " when the password expriation date is set for a given user.

If we assign the "Account Manager" builtin security role to the HelpDesk group then we get the desired display, for example:
"Password Expires Expires in: 224 days (4/2/2014 5:45:39 PM) "
But we cannot grant that role to the HelpDesk.

We tried granting Property-specific permissions to HelpDesk: "Read 'PasswordExpires' Property" and "Read 'PasswordExpiresDaysLeft' Property" but that made no difference.

What should we do to enable this field for viewing by the HelpDesk?

Below is what we have for permissions in the builtin HelpDesk role:
Builtin Help Desk Role
Deny Execute All Custom Commands User
Allow Read All object types
Allow Read Group
Allow Read 'Admin Comment' Property User
Allow Read 'Password Last Set' Property User
Allow Reset Password User
Allow Send SMS User
Allow Write 'Account Expires' Property User
Allow Write 'Account Options' Property User
Allow Write 'Admin Comment' Property User
Allow Write 'Lockout-Time' Property User
Allow Write 'Password Last Set' Property User
Allow Write 'User Cannot Change Password' Property User

by (520 points)

1 Answer

0 votes
by (216k points)

Hello,

To view in how many days a user's password will expire, you Help Desk needs to be able to view the Password Policy applied to the user. Otherwise, it is impossible to determine for how long a password remains valid.

If you don't use Fine-Grained Password Policies for your domain, you need to grant your Help Desk the right to view the domain object. Since your Security Role already includes the right to Read All object types, you don't need to grant any additional permissions. You simply need to correctly assign the Role by including the domain object in the Activity Scope of the Role. To do this:

  1. Launch Adaxes Administration Console.
  2. Navigate to and select your Help Desk Role. The Permissions and Assignments of the Role will be displayed in the Result Pane (located to the right).
  3. Right-click in the Assignments section and click Add Assignment.
  4. In the dialog box that appears, select the users and/or groups from your Help Desk.
  5. Click OK.
  6. In the dialog box that appears, double-click your domain.
  7. In the Assignment Options dialog box that appears, select the This Domain object option and unselect the All objects in this Domain option. Thus, you will grant your Help Desk the permission to read the domain object only.
  8. Click OK two times and save the Security Role.

If you use Fine-Grained Password Policies for your domain, you need to grant your Help Desk the right to view the container that stores Fine-Grained Password Policies. The Distinguished Name (DN) of the container is CN=Password Settings Container,CN=System,DC=domain,DC=com, where DC=domain,DC=com is the DN of your domain. Since your Security Role already includes the right to Read All object types, you don't need to grant any additional permissions. You simply need to correctly assign the Role by including the container for Fine-Grained Password Policies and all of its children in the Activity Scope of the Role. To do this:

  1. Launch Adaxes Administration Console.
  2. Navigate to and select your Help Desk Role. The Permissions and Assignments of the Role will be displayed in the Result Pane (located to the right).
  3. Right-click in the Assignments section and click Add Assignment.
  4. In the dialog box that appears, select the users and/or groups from your Help Desk.
  5. Click OK.
  6. In the dialog box that appears, expand the Object Types drop-down list.
  7. Select the Show all object types option.
  8. Select the ms-DS-Password-Settings-Container object type.
  9. Double click the container with Distinguished Name CN=Password Settings Container,CN=System,DC=domain,DC=com.
  10. In the Assignment Options dialog box that appears, select to assign the Security Role over the container object itself and all of its children.
  11. Click OK two times and save the Security Role.

Related questions

0 votes
1 answer

I'd like the Password Never Expires to exclude certain users. Since it is script based is the only way to do so in the script? I have checked where I am aware and I do not see the possibility of doing this as it is currently configured. Thank you

asked Nov 15 by msheppard (610 points)
0 votes
1 answer

I've got the script working as is and would like to add a column to display the number of days left before the password expires. I attempted to use adm-AccountExpiresDaysLeft ... error, probably because I don't know how to convert it to a displayable format.

asked Feb 12, 2021 by sandramnc (870 points)
0 votes
1 answer

Hello, is there a way to remove "Password Never Expires" Check Box only from the "Reset Password" operation dialog? I see you can hide the whole Account Options section and ... . But I would like just to remove the "Password Never Expires" check box. Cheers

asked Feb 5, 2016 by jheisley (590 points)
0 votes
1 answer

How can I set that a password never expires for an AD account through SDK scripting? eg: [Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi") $admNS = New-Object " ... ", $NULL, $NULL, 0) $user.Put ? $user.SetInfo() With regards, Thnx Remco

asked Sep 3, 2014 by RTiel (780 points)
0 votes
1 answer

They can navigate to both the user or the group within the ADAXES web interface without issue. They can then either Add to Group or Add Member but the resulting ... something to the web interface which prevents changing the lookup domain. Any ideas? Thanks!

asked Apr 9, 2020 by VTPatsFan (610 points)
3,588 questions
3,277 answers
8,303 comments
548,086 users