000038108 - UserAccountControl (UAC) attribute PASSWD_CANT_CHANGE is not updated by the Active Directory AFX Connector in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Nov 15, 2019
Version 1

Article Content

Article Number: 000038108

Applies To
RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 6.x, 7.1.0

Issue
When the UserAccountControl (UAC) attribute value in Active Directory (AD) is modified so that a user cannot change their password, the update does not occur. The property flag PASSWD_CANT_CHANGE is passed to the AD AFX Connector, but the UAC value is not updated in AD.

Cause
This is a known issue reported in engineering ticket ACM-71014.

The property flag PASSWD_CANT_CHANGE cannot be changed by directly modifying the UAC attribute. See "How to use the UserAccountControl flags to manipulate user account properties" for more information.
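
The following is an added example, not code from RSA or from the referenced article. It splits a requested flag change into the UAC value that can be written directly and the flags that cannot, which is the distinction described above. The helper names `decode_uac` and `plan_uac_change` are hypothetical, and only a subset of the documented flag values is listed.

```python
# Added example. Flag values are the documented userAccountControl bits;
# the function names and the sample account value are assumptions.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
}

# Per the Cause above: this flag cannot be changed by writing the UAC attribute.
NOT_DIRECTLY_WRITABLE = {"PASSWD_CANT_CHANGE"}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def plan_uac_change(current, set_flags=(), clear_flags=()):
    """Split a requested change into the UAC value that can be written
    directly and the flag changes that need a different mechanism."""
    unknown = [f for f in (*set_flags, *clear_flags) if f not in UAC_FLAGS]
    if unknown:
        raise ValueError(f"unknown flag(s): {unknown}")
    new_value, deferred = current, []
    for name in set_flags:
        if name in NOT_DIRECTLY_WRITABLE:
            deferred.append(("set", name))   # a UAC write would not apply this
        else:
            new_value |= UAC_FLAGS[name]
    for name in clear_flags:
        if name in NOT_DIRECTLY_WRITABLE:
            deferred.append(("clear", name))
        else:
            new_value &= ~UAC_FLAGS[name]
    return new_value, deferred


if __name__ == "__main__":
    current = 0x0200  # constructed sample: a plain NORMAL_ACCOUNT (512)
    value, deferred = plan_uac_change(
        current, set_flags=["DONT_EXPIRE_PASSWORD", "PASSWD_CANT_CHANGE"])
    print(value, decode_uac(value), deferred)
```

A non-empty `deferred` list marks a request that a plain UAC attribute write would leave partly unapplied, which is useful to flag when reviewing provisioning requests against what AD actually holds.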
Resolution
Engineering made code changes to enhance the product functionality and allow the UAC to be updated with an AD AFX connector using the PASSWD_CANT_CHANGE property flag. This enhancement is in the following RSA Identity Governance & Lifecycle versions:
  • RSA Identity Governance & Lifecycle 7.1.0 P02
  • RSA Identity Governance & Lifecycle 7.1.1
For more information on updating the UAC attribute in AD, please see RSA Knowledge Base Article 000032426 -- How to update the Active Directory UserAccountControl (UAC) attribute with the Active Directory AFX connector in RSA Identity Governance & Lifecycle.