DESCRIPTION
You want to prohibit specifying a user password that never expires, and so you have applied an Access Template that denies modification of edsaPasswordNeverExpires. It works perfectly for existing user accounts but fails for newly created ones. Why? Unfortunately, this is due to the Microsoft Active Directory security model. In general, anyone who has the right to create an object can create it with any attribute values, even if they do not have the right to access those attributes. It is possible to override this behaviour via a script policy that checks the attribute on create, modify and property-validation requests.
Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
Option Explicit

Const strErrorMessage = "Corporate policy prohibits specifying a password that never expires"

'===========================================================================
' onPreCreate
'===========================================================================
Sub onPreCreate(Request)
    '-- a creator may otherwise set any attribute regardless of Access Templates
    Check Request, 1
End Sub

'===========================================================================
' onPreModify
'===========================================================================
Sub onPreModify(Request)
    Check Request, 1
End Sub

'===========================================================================
' onCheckPropertyValues
'===========================================================================
Sub onCheckPropertyValues(Request)
    Check Request, 2
End Sub

'===========================================================================
' Check: inspects the request for edsaPasswordNeverExpires = True and either
' raises an error (nCode = 1, create/modify) or reports a policy compliance
' violation (nCode = 2, check property values).
'===========================================================================
Sub Check(ByRef Request, ByVal nCode)
    '-- skip all classes but user
    If (LCase(Request.Class) <> "user") Then Exit Sub

    Dim boolFlag
    boolFlag = False

    '-- try to get attribute value; Request.Get fails if the attribute
    '-- is not part of the request, in which case boolFlag stays False
    On Error Resume Next
    boolFlag = CBool(Request.Get("edsaPasswordNeverExpires"))
    On Error GoTo 0

    '-- if attribute is specified and is set to True
    If (boolFlag = True) Then
        '-- report an error
        If (nCode = 1) Then
            '-- for create & modify request: Err.Raise takes
            '-- (number, source, description), so the message goes third
            Err.Raise 1, , strErrorMessage
        ElseIf (nCode = 2) Then
            '-- for check property values request
            Request.SetPolicyComplianceInfo "edsaPasswordNeverExpires", EDS_POLICY_COMPLIANCE_ERROR, strErrorMessage
        End If
    End If
End Sub
'******** END OF CODE ******************************************************