Arthur de Jong wrote: > You should probably grant the user the right permissions to update the > userPassword and shadowLastChange attributes. Yes, the user should have write-only access to userPassword. But if the user has write access to 'shadowLastChange' he could circumvent the shadowAccount-based password policy. So this is bad advice. Ciao, Michael.