8 August,17 at 08:57 AM
Applies to: All versions of Centrify DirectControl
Question:
On the adjoined server, an AD user is able to change their password and sync it back to AD.
Is it possible to disable this function and not affect other services?
Answer:
This can be achieved by setting the following parameter in /etc/centrifydc/centrifydc.conf:
pam.allow.password.change: false
* Remember to run the command 'adreload' to make the above change effective.
With the above parameter configured, both adpasswd and passwd will be blocked.
[administrator@rhel63 ~]$ adinfo -c | grep -i pam.allow.password.change
pam.allow.password.change: false
[administrator@rhel63 ~]$ adpasswd
Password change not permitted
[administrator@rhel63 ~]$ passwd
Changing password for user administrator.
Password change not permitted
passwd: Authentication token manipulation error
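
The following is an added example, not part of the original article or Centrify's tooling: a small audit check that reports how pam.allow.password.change is set in a configuration file. The function name pw_change_status and its status words are hypothetical, and it assumes "name: value" lines with "#" marking comment lines.

```shell
#!/bin/sh
# Added example: report how pam.allow.password.change is set in a
# centrifydc.conf-style file. Assumes "name: value" lines; lines starting
# with "#" are treated as comments (assumption). The function name and the
# status words are hypothetical.
# Prints one of: blocked | allowed | unset | conflict | invalid | unreadable
pw_change_status() {
    conf=$1
    [ -r "$conf" ] || { echo unreadable; return 0; }
    awk '
        # Only active lines match; a leading "#" keeps a line from matching.
        /^[ \t]*pam\.allow\.password\.change[ \t]*:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)   # drop the name and the colon
            sub(/[ \t\r].*$/, "", v)      # keep the first token only
            seen[v] = 1
        }
        END {
            n = 0
            for (k in seen) n++
            if (n == 0)               print "unset"     # parameter not set in file
            else if (n > 1)           print "conflict"  # set more than once, values differ
            else if ("false" in seen) print "blocked"   # the setting from the article
            else if ("true" in seen)  print "allowed"
            else                      print "invalid"   # neither true nor false
        }
    ' "$conf"
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# pam.allow.password.change: true
pam.allow.password.change: false
EOF
echo "sample file: $(pw_change_status "$sample")"
rm -f "$sample"

# On a joined host: pw_change_status /etc/centrifydc/centrifydc.conf
```

This reads the file only; it does not confirm that 'adreload' has been run since the file was edited.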