Hiding Accounts From Password Control
Users of Password Control often ask if it's possible to restrict which user accounts
are visible to Password Control. For example, you might work for a school,
college or university and only want helpdesk staff to use Password Control to change
passwords for student accounts. You might also work for an organisation that
has a number of "service" accounts that you do not want to be displayed in Password
Control.
Note
By default, Password Control only displays accounts where the "IsCriticalSystemObject"
property is not set to "TRUE" and the "showInAdvancedViewOnly" property is not set to "TRUE".
The "Administrator" account is marked as a critical system object so this account
won't display in Password Control (New in version 2.2).
Security requirements vary dramatically from organisation to organisation.
It's worth noting at this point that any security options you are able to set in
Password Control would only restrict the user when using Password Control to access
Active Directory. It would be quite easy for a user to write a script or download
another program from the internet that would allow them to circumvent any security
options provided by Password Control.
I strongly recommend that you use Active Directory to secure your domain.
The security policy set in Active Directory must be obeyed no matter what program
is used to access the directory. You might want to read this section on security
for more information.
If you want to "hide" user accounts from Password Control without modifying any
security settings in your domain, create a security group called
"PasswordControl_Invisible". Make any user accounts you don't want to appear in
Password Control a member of this group (as a direct member or as a nested group
member). Password Control will treat these accounts as if they didn't exist.
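The following PowerShell script is an added example, not part of Password Control or its documentation. It creates the group if it is missing, adds accounts to it, and lists which user accounts should be hidden and why. It assumes the ActiveDirectory module (RSAT) is installed, that Password Control applies the rules exactly as described above, that a Global group scope is acceptable, and the account names are constructed samples.

```powershell
# Added example: audit which accounts Password Control should hide.
# Requires the ActiveDirectory module (RSAT) and rights to create groups.
Import-Module ActiveDirectory

$GroupName      = 'PasswordControl_Invisible'   # group name given on this page
$AccountsToHide = @('svc-backup', 'svc-sql')    # constructed sample account names

# Create the security group if it does not exist yet.
# Global scope and the default container are assumptions; the page only
# says "security group".
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupCategory Security `
                         -GroupScope Global -PassThru
}

# Add only accounts that are not already direct members, so the script
# can be re-run without errors.
$current = Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty SamAccountName
$toAdd = $AccountsToHide | Where-Object { $_ -notin $current }
if ($toAdd) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server,
# matching the "direct member or nested group member" rule above.
# Assumes the group's DN contains no characters that need LDAP escaping.
$inChain = '1.2.840.113556.1.4.1941'
$rules = [ordered]@{
    'isCriticalSystemObject is TRUE' = '(isCriticalSystemObject=TRUE)'
    'showInAdvancedViewOnly is TRUE' = '(showInAdvancedViewOnly=TRUE)'
    "Member of $GroupName"           = "(memberOf:${inChain}:=$($group.DistinguishedName))"
}

# One row per account and reason; an account can match more than one rule.
$report = foreach ($reason in $rules.Keys) {
    Get-ADUser -LDAPFilter $rules[$reason] |
        Select-Object SamAccountName,
                      @{ Name = 'HiddenBecause'; Expression = { $reason } }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
```

The report is built from ordinary directory queries, so accounts hidden this way remain readable outside Password Control; restrictions that must hold for every tool belong in Active Directory permissions, as recommended above.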