AD & Password Expiration

[aluetjen]

Hello!

Scenario:

* Users log on to Vault using their AD accounts
* AD accounts have password expiration and complexity checks set
* However, users have no access to LAN in terms of interactive log on to a machine of the domain.

Problem:

* The user is unable to change his password
* Only workaround through something like OWA or custom Web interface.

Question:

* Can a user change his password out of the Vault Gui? (My first attempts failed, but the Vault feature Change Password is available).
* Does the user receive a "Password will expire soon" warning when logging on to vault?

Best regards, Alex

[jeremy_sg]

No, Vault can not change the AD password, nor will they get the "password expires soon" message.

[aluetjen]

Hmmm, wouldn't it make sense or do you plan enhancement of that? I mean on the one hand you say that AD authentication has been implemented this way because of users use vault without being logged on to the domain (otherwise using the existing credentials is the only reasonable way). On the other hand major features given by AD cannot be really used as the log on mechanism is a little too proprietary.

I'm asking again because implementing the change password would be something like a "<100 lines of code" thing

[jeremy_sg]

My feeling is that most administrators wouldn't like the idea of Vault being capable of changing a domain user's password. But you're right in that we should probably disable the change password option for active directory users and pass on the "password expires soon" message.