ARS Access Template Question

I have a question I am hoping you can shed some light on. This topic relates to Password Change (must know current password), not Password Reset (do not need to know current password).

The use case is the EDMS ADSI provider calling the "changepassword" method...

# Bind to the user through the ARS (EDMS) ADSI provider
$userObj = [ADSI]'EDMS://<DistinguishedName of user>'
...
# IADsUser.ChangePassword: the current ($OldPwd) and new ($NewPwd) password are both required
$userObj.psbase.invoke('changepassword', $OldPwd, $NewPwd)

There is an Access Template in the “Configuration/Access Templates/Active Directory/Advanced” container called “Users - Change Password (Extended Right)”.

When I applied the access template and tested it the assigned trustee was unable to change the password. If I add the “Read edsaOldPassword” and “Read/Write User Password” it did work. However…

  • When using the three permissions in the access template the Web UI exposes the “Reset Password” form (link to the form) even though it’s the “Change Password” extended right.
  • We fear that by assigning “Read/Write User Password” this turns the delegation into “Reset Password”, i.e., where the user doesn’t need to know the current password and that would be a train wreck.

I did my best to look at the SDK, ARS documentation, web KB and web user forums but I could not find help on how to properly and securely deploy the “Users - Change Password (Extended Right)” access template.

Any help would be appreciated.

  • I guess maybe I am confused on your use case.

    Are you planning to allow these password changes both programmatically and through the Web UI?

    Or, is your intent to only allow user self service type password reset? (old password must be known)

    To answer your specific question, my understanding is that the ...Extended Right does NOT require you to know the old password (it mimics the native rights of the same name).


  • First, thank you so much for the quick reply.

    The use case doesn't include using the Web UI, but we decided to check to see if the new delegation altered the view in the UI, and it did. What we didn't expect was to see a link in the UI to the "Reset Password" form exposed (we think it was due to the "Read/Write User Password" permission and not the "Change Password" permission). This was just an observation, and I could have left it out of the question as it is not our problem at this time.

    In AD DS, out-of-the box, password change (where the current password must be known and used) is functional. Outside some of the AD DS built-in security groups, e.g. domain admins, password reset (where it is not required to know and use the current password) must be delegated.

    We can see the difference between the two in the ADSI IADsUser object methods, where "ChangePassword" requires the current and new password, and the "SetPassword" method only requires the new password.

    In ARS the "changepassword" method did not work (a good thing I guess) when we first tried it. So, we looked at the provided access templates and found two that matched AD DS...

    Users - Change Password (Extended Right)
    Change password on 'user' object (User-Change-Password extended right); no other permissions are included.

    Users - Reset Password (Extended Right)
    Reset password on 'user' object (User-Reset-Password extended right); no other permissions are included.

    I am trying to find documentation (or any help that can be given) on how to properly and securely deploy the "Users - Change Password (Extended Right)" access template.

    I hope this helps clarify my question.
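As an added example (not code from the thread or from the ARS product), a PowerShell check that exercises both IADsUser methods through the EDMS provider after the template is applied, so the trustee can be confirmed to hold the change right but not the reset right. The function name, its parameters and the test user DN are assumptions; it is meant to run under the delegated trustee's credentials against a test account.

```powershell
# Added verification helper, not from the original thread. Assumes an ARS
# instance reachable through the EDMS ADSI provider, a test user whose DN the
# caller supplies, and execution as the delegated trustee (names are constructed).
function Test-ChangePasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$UserDn,        # e.g. 'CN=testuser,OU=Lab,DC=example,DC=com'
        [Parameter(Mandatory)][string]$OldPassword,
        [Parameter(Mandatory)][string]$NewPassword
    )

    $userObj = [ADSI]"EDMS://$UserDn"
    $result  = [ordered]@{ ChangePassword = $null; SetPasswordDenied = $null }

    # 1. Change: the current password is required. This is the operation the
    #    "Users - Change Password (Extended Right)" template is expected to allow.
    try {
        $userObj.psbase.Invoke('ChangePassword', $OldPassword, $NewPassword)
        $result.ChangePassword = 'Succeeded'
    } catch {
        $result.ChangePassword = "Failed: $($_.Exception.GetBaseException().Message)"
    }

    # 2. Reset: no current password required. If this succeeds for a trustee who
    #    should only hold the change right, the delegation is broader than intended
    #    (the thread's concern about "Read/Write User Password" turning into reset).
    try {
        $userObj.psbase.Invoke('SetPassword', $NewPassword)
        $result.SetPasswordDenied = $false   # trustee can reset: review the template
    } catch {
        $result.SetPasswordDenied = $true    # expected outcome for a change-only delegation
    }

    [pscustomobject]$result
}

# Usage (constructed values):
# Test-ChangePasswordDelegation -UserDn 'CN=testuser,OU=Lab,DC=example,DC=com' `
#     -OldPassword 'CurrentPwd' -NewPassword 'NewPwd'
```

A healthy change-only delegation reports ChangePassword = Succeeded and SetPasswordDenied = True; any other combination points at the template or the extra permissions assigned alongside it.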

  • Please explain (in business process terms?) your goal.

  • We have a ClickOnce application written in VB.NET that allows users to perform bulk password changes on IDs they own, like training accounts, LoadRunner testing accounts, etc., using ADSI directly in AD DS. We are updating the application to use ADSI against ARS to allow for expanded use in AD DS forests that have no Trust(s) with the users' AD DS Forest, are behind firewalls they cannot get to, and to capture this activity in ARS change history.