I have a question I am hoping you can shed some light on. This topic relates to Password Change (must know current password), not Password Reset (do not need to know current password).
The use case is the EDMS ADSI provider calling the "changepassword" method...
$userObj = [ADSI]'EDMS://<DistinguishedName of user>'
...
$userObj.psbase.invoke('changepassword', $OldPwd, $NewPwd)
There is an Access Template in the “Configuration/Access Templates/Active Directory/Advanced” container called “Users - Change Password (Extended Right)”.
When I applied the access template and tested it, the assigned trustee was unable to change the password. If I add “Read edsaOldPassword” and “Read/Write User Password”, it does work. However…
- When using the three permissions in the access template, the Web UI exposes the “Reset Password” form (link to the form) even though it’s the “Change Password” extended right.
- We fear that assigning “Read/Write User Password” turns the delegation into “Reset Password”, i.e., one where the user doesn’t need to know the current password, and that would be a train wreck.
I did my best to look at the SDK, ARS documentation, web KB and web user forums but I could not find help on how to properly and securely deploy the “Users - Change Password (Extended Right)” access template.
Any help would be appreciated.
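As an added example (not part of the original post, and not Active Roles product code), here is a check the delegated trustee can run against a throwaway test account to confirm whether the delegation behaves as Change Password or as Reset Password. It exercises the standard IADsUser methods through the same EDMS:// path form the post uses: ChangePassword with the wrong current password should be refused, SetPassword (the reset operation, which takes no current password) should be refused, and ChangePassword with the correct current password should succeed. The function name, parameter names, and the distinguished-name/password values you pass in are this example's own assumptions.

```powershell
# Added example, not from the original post. Assumptions:
#  - the Active Roles ADSI provider (EDMS://) is installed on this machine;
#  - $UserDn is a TEST account whose current password you know ($KnownOld);
#  - $NewPwd and $ResetPwd are two distinct values that satisfy the domain
#    password policy (the account may end up with either of them);
#  - the script runs as the delegated trustee (or -Credential is supplied),
#    so the outcome reflects that trustee's effective rights, not yours.
function Test-ChangePasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$KnownOld,
        [Parameter(Mandatory)][string]$NewPwd,
        [Parameter(Mandatory)][string]$ResetPwd,
        [string]$WrongOld = 'definitely-not-the-password-1!',
        [pscredential]$Credential
    )

    # Bind as the trustee. [ADSI] uses the current token; DirectoryEntry
    # accepts explicit credentials for any ADSI provider path.
    $path = "EDMS://$UserDn"
    if ($Credential) {
        $userObj = New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $userObj = [ADSI]$path
    }

    # Invoke() wraps the provider's COM error in a TargetInvocationException;
    # the useful text is in InnerException when it is present.
    function Get-ErrorText($err) {
        if ($err.Exception.InnerException) { $err.Exception.InnerException.Message }
        else { $err.Exception.Message }
    }

    $results = [ordered]@{}

    # 1. ChangePassword with the WRONG current password must be refused no
    #    matter how the delegation is configured.
    try {
        $userObj.psbase.Invoke('ChangePassword', $WrongOld, $NewPwd)
        $results['ChangePassword, wrong old pwd'] = 'SUCCEEDED - unexpected, investigate'
    } catch {
        $results['ChangePassword, wrong old pwd'] = "refused: $(Get-ErrorText $_)"
    }

    # 2. ChangePassword with the CORRECT current password is the one call a
    #    Change Password delegation is supposed to allow.
    try {
        $userObj.psbase.Invoke('ChangePassword', $KnownOld, $NewPwd)
        $results['ChangePassword, correct old pwd'] = 'succeeded (password is now $NewPwd)'
    } catch {
        $results['ChangePassword, correct old pwd'] = "refused: $(Get-ErrorText $_)"
    }

    # 3. SetPassword is the Reset Password operation: no current password is
    #    needed. If this succeeds, the trustee effectively holds Reset Password
    #    regardless of what the access template is called.
    try {
        $userObj.psbase.Invoke('SetPassword', $ResetPwd)
        $results['SetPassword (reset)'] = 'SUCCEEDED - trustee can reset without the old password'
    } catch {
        $results['SetPassword (reset)'] = "refused: $(Get-ErrorText $_)"
    }

    [pscustomobject]$results
}

# Usage (run in a session that holds the trustee's token, or pass -Credential):
# Test-ChangePasswordDelegation -UserDn 'CN=Test User,OU=Lab,DC=example,DC=com' `
#     -KnownOld 'Current-Pwd-1!' -NewPwd 'Changed-Pwd-2!' -ResetPwd 'Reset-Pwd-3!'
```

The line that matters for the concern in the post is the SetPassword one: with only the extended right applied it should be refused, and if adding “Read/Write User Password” makes it succeed, the combined delegation is indeed a reset, not a change. Because ChangePassword is subject to the domain's minimum password age, run the check on an account whose password is old enough to be changed, and keep the two new passwords distinct so the final state of the account tells you which operation actually succeeded.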