
Access Template to Deny Write permission to attribute/Flag 'Password Never Expire' is not taking place (effective) in ARS 6.9 (without Patch4).

Access Template to Deny Write permission of attribute/Flag 'Password Never Expire' is not taking place (effective).

 

  Version: ARS 6.9 (without Patch4).

  • Hi,

    Bit of a limited description so not sure if it's the same problem, but I've encountered a similar issue in the past; our Helpdesk has permission to "Undo Deprovision" and unfortunately this somehow also includes the "Password never expires" option to be changed. Raised a support case for this but turned out to be "By Design".. (?)

    The workaround I received was to:

    1) Only apply the "Undo Deprovision" access template to the OU holding the disabled accounts
    2) Add a Deny for "Write all Properties" to the Undo Deprovisioning access template you're using

    By itself the above worked OK so issue resolved for me, but I still think it's weird that such a critical option could be exposed by an innocent AT to Undo Deprov.

    Hope this works for you!
  • This is interesting. The only situation I could see where this flag would get turned on during an undo-deprovision is potentially if it was in place on the object at the time of deprovisioning.

    I say this because Undo-deprovisioning attempts to restore an object to its original state.

    My suggestion to the original poster would be to set up a PVG rule within a user provisioning policy that forces the state of that flag to "OFF" as the default and only acceptable value.
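
To confirm from the directory side that the flag discussed in this thread is not set, the following is an added example, not part of the thread and not Active Roles code. It reads the "Password never expires" bit (DONT_EXPIRE_PASSWD, 0x10000) of `userAccountControl` with the standard ActiveDirectory module; the function names and the OU distinguished name are assumptions for illustration.

```powershell
# Added example. Function names and the OU path are hypothetical placeholders.
# DONT_EXPIRE_PASSWD is bit 0x10000 (65536) of userAccountControl.
$DontExpirePassword = 0x10000

function Test-PasswordNeverExpires {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    # True when the "Password never expires" bit is set in the given value.
    return ($UserAccountControl -band $DontExpirePassword) -ne 0
}

function Get-NeverExpiresAccount {
    param([Parameter(Mandatory)][string]$SearchBase)
    # The bitwise-AND matching rule (1.2.840.113556.1.4.803) makes the domain
    # controller return only users whose userAccountControl has the bit set.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$DontExpirePassword))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
               -Properties userAccountControl, whenChanged |
        Select-Object SamAccountName, Enabled, whenChanged, DistinguishedName
}

# Offline check of the bit test with constructed values:
#   512   = normal account
#   66048 = normal account + password never expires
#   66050 = disabled account + password never expires
foreach ($uac in 512, 66048, 66050) {
    '{0} -> {1}' -f $uac, (Test-PasswordNeverExpires -UserAccountControl $uac)
}

# Against a domain (requires the ActiveDirectory module and read access):
# Get-NeverExpiresAccount -SearchBase 'OU=Deprovisioned,DC=example,DC=com'
```

Running the query against the OU that holds deprovisioned accounts before and after an Undo Deprovision shows whether the flag was already present on the object or was changed afterwards.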