When you protect a user account in Active Directory with ChangeAuditor, it will stop password changes by default except for those you specify as override accounts. Using the override accounts option is not feasible when protecting an OU of users.
Active Directory Protection templates allow you to block 4 different kinds of operations (Create, Modify Attributes, Delete, and Move). It is the "Modify Attributes" operation which stops a user from resetting their password. Basically, you can restrict admins from Creating, Deleting, or Moving user object and still allow modifying of the user object. If you uncheck "Modify Attributes", anybody with access to use the Users and Computers mmc will be able to modify the protected objects and users will be able to change their own passwords. Please see the attached screenshot for info on where to set this.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center