Password Control – Hiding Accounts

Users of Password Control often ask if it’s possible to restrict which user accounts are visible to Password Control.  For example, you might work for a school, college or university and only want helpdesk staff to use Password Control to change passwords for student accounts.  You might also work for an organisation that has a number of “service” accounts that you do not want to be displayed in Password Control. 

Note
By default Password Control only displays accounts where the “IsCriticalSystemObject” property is not set to “TRUE” and the “showInAdvancedViewOnly” property is not set to “TRUE”.  The “Administrator” account is marked as a critical system object so this account won’t display in Password Control (New in version 2.2).

Security requirements vary dramatically from organisation to organisation.  It’s worth noting at this point that any security options you are able to set in Password Control would only restrict the user when using Password Control to access Active Directory.  It would be quite easy for a user to write a script or download another program from the internet that would allow them to circumvent any security options provided by Password Control. 

I strongly recommend that you use Active Directory to secure your domain.  The security policy set in Active Directory must be obeyed no matter what program is used to access the directory.  You might want to read this section on security for more information. 

If you want to “hide” user accounts from Password Control without modifying any security settings in your domain, create a security group called “PasswordControl_Invisible”.  Make any user accounts you don’t want to appear in Password Control a member of this group (as a direct member or as a nested group member).  Password Control will treat these accounts as if they didn’t exist.
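
To check the result of the steps above, the following added example (not part of Password Control and not its own code) creates the group if it is missing and reports, for every user, which of the hiding rules described on this page applies. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session; the group scope and the default container are assumptions.

```powershell
# Added example: audit which accounts the rules on this page would hide.
# Assumes the RSAT ActiveDirectory module and rights to read/create groups.
Import-Module ActiveDirectory

$groupName = 'PasswordControl_Invisible'   # group name taken from this page

# Create the group if it does not exist yet (Global/Security is an assumption;
# without -Path it is created in the domain's default container).
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# Resolve direct AND nested members in one query with the LDAP
# "matching rule in chain" OID, so nested groups are followed by the DC.
$chainFilter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
$inGroup = @{}
Get-ADUser -LDAPFilter $chainFilter |
    ForEach-Object { $inGroup[$_.DistinguishedName] = $true }

# Evaluate every user against the three rules and list the reasons.
Get-ADUser -Filter * -Properties isCriticalSystemObject, showInAdvancedViewOnly |
    ForEach-Object {
        $reasons = @()
        if ($_.isCriticalSystemObject -eq $true) { $reasons += 'IsCriticalSystemObject' }
        if ($_.showInAdvancedViewOnly -eq $true) { $reasons += 'showInAdvancedViewOnly' }
        if ($inGroup.ContainsKey($_.DistinguishedName)) { $reasons += $groupName }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Hidden         = ($reasons.Count -gt 0)
            Reason         = $reasons -join ', '
        }
    } |
    Sort-Object Hidden, SamAccountName |
    Format-Table -AutoSize
```

The report covers display only: an account listed as hidden can still have its password reset through any other tool unless Active Directory permissions prevent it.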