Not allow user to change password

I’m on 18.0.3

I don’t want that users not in admin group are able to change their password

Please tell me HowTo

1 Like

Afaik this is not possible by design. I found the following discussion about this function:

If you only want to disable the reset password function, this might be a solution:

I have the same issue. From the discussion, it looks like this is not possible in Nextcloud.

So this is not a bug. It’s a “feature” with no workaround.

Starting with v.19 Nextcloud has improved password rules enforcement


What else could be the reason to deny users the ability to change their passwords?

The Nextcloud application is not always the center of the world. There may be a higher level application (other than single sign-on) that manages user accounts across multiple applications.

Can you elaborate on that?

You can implement SSO and use, for example, LDAP users.
With latter, you CAN prevent users from changing passwords. That’s by default!
https://docs.nextcloud.com/server/19/admin_manual/configuration_user/user_auth_ldap.html

I may end up having to use LDAP or another SSO application to get around this issue. Using SSO in this problem space is a bit like “using a sledge hammer to swat a fly”. IMHO, most Nextcloud administrators do not have the time or skills required to implement such a solution.
What I believe Witzker is looking for is a simple way to create a “walled garden” for the users of the Nextcloud system he administers. He wants the administrator to be in charge of managing user accounts on Nextcloud installation. Using SSO for this type of functionality is extremely difficult for the average administrator.

Perhaps you can change the password rules in the way that users are not able to find correct passwords. 100 or more chars if nextcloud allows it?

LDAP is very easy to implement (for example, if you already have a Windows DC around).
It isn’t really SSO, just an external user directory…

SSO is a different beast… Even the NC documentation on it is “enterprise support” level…

Are there any updates on this? @brucet, you exactly describe my use case. I don’t want to deal with LDAP or SSO, just deactivate the “password change” option for users, in order to create kind of a “walled garden” for them (e.g. multiple users logging in using just one account in a very simple case).

I’ve found this issue on GitHub (Enable/Disable users to change their password · Issue #12671 · nextcloud/server · GitHub), but apparently, this only fixes an LDAP bug.

I cannot imagine that only a few people have missed this feature so far… While you can disable the “reset password link” by adding

// https://help.nextcloud.com/t/remove-the-possibility-to-reset-password-for-users/27570/2
  'lost_password_link' => 'disabled',

to your config.php, you can apparently not deactivate the option in the user settings under the “security” tab. I hope that there are some plans to add this option to the administrator options, so that an administrator can hide the “Change password” section from certain users/groups.

I, on the other hand, cannot imagine one single use case that would justify sharing a password with multiple users, instead of using a dedicated account for each user, especially if you want to have as much control as possible as an admin.

At first glance, a single account may seem to be easier to manage. But what are you going to do, if a certain user should no longer have access to this account? Then you have to change the password for the account, and have to share the new password with all other users.

…and, how do you share the password to all these users in a secure way? Let me guess, you don’t do it in a secure way, because if creating a few user accounts, setting the quota to zero on these accounts and sharing a folder, already is too much work for you, you will probably send the password via SMS or email… won’t you?

Sorry when I appear a bit harsh here. But instead of wishing for features that are generally considered bad practice, you would probably be better off describing your exact use case. Then we could give you tips, on how you could achieve your goal the right way. And no, there is probably no need for SSO and/or LDAP in order to achieve that goal, unless you have hundreds or thousands of users to manage.

1 Like

Hey @bb77, no need to accuse anybody. I’ll try to explain my use case and maybe you can lead me to a better alternative:

Right now, I have one admin user and one “normal user” set up. The Nextcloud instance should serve as a common file storage for a handful of friends, so that we can share documents. We do not need to see who uploaded which document, so I thought one user would be a good fit for us all.

It’s true that this has the restriction of not being able to manage who has still access to the account. But I do not want to withdraw some people the login information anyway.

In this scenario, I just wanted to make sure that nobody “accidentally” changes the password because the person thinks it is his/her own account. That’s why I’ve looked for an option to disable “change password” form for the user.

I did not get what you mean by “setting the quota to zero on these accounts”? Could you elaborate on that please?

Yes I should probably have left out the sentence, sorry for that. However, I’m still convinced that password sharing should be avoided whenever possible.

Tell them not to! :wink:

…or you could just share a password-protected public link with them, on which no one but you would be able to change the password. But obviously that’s not a good solution either, because it is basically the same concept you are already applying, and except for the password thing, it has the same disadvantages.

The idea is to create individual accounts for each user, and then share a group folder with those users, to which they can upload the files to. If you also set the quota to 0 for these user accounts, they can only use the group folder and cannot create files or folders inside the file structure of their own account.

Doing it with separate user accounts has several advantages:

  • You don’t have to send passwords through potentially insecure channels.
  • Users can set / change their passwords themselves, in a secure way.
  • Users can use 2FA
  • You have better control over who has access to the files.
  • You would be able to make use of additional collaborative features, when needed.
1 Like
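
The setup described in the post above (individual accounts, one group folder, quota 0), as an added example that is not part of the original thread. It assumes the Group folders app is enabled, that `occ` lives under `/var/www/nextcloud` and runs as `www-data`, that `sudo -E` is permitted, that `groupfolders:create` prints the new folder id, and that `"0 B"` is accepted as a quota value; the group, folder and user names are whatever the administrator passes in.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): one account per person, one shared group folder.
# Assumed: install path, web user www-data, sudo -E permitted, Group folders app enabled.
set -eu

NC_DIR=${NC_DIR:-/var/www/nextcloud}

# Run occ as the web server user; -E passes OC_PASS through for user:add.
occ() {
  sudo -E -u www-data php "$NC_DIR/occ" "$@"
}

# Constructed allow-list for account names (stricter than Nextcloud itself).
valid_uid() {
  case $1 in
    '' | *[!A-Za-z0-9_.@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# provision GROUP FOLDER UID...  prints "uid<TAB>initial password" per account.
provision() {
  group=$1 folder=$2
  shift 2
  for uid in "$@"; do
    valid_uid "$uid" || { echo "invalid uid: $uid" >&2; return 1; }
  done
  occ group:add "$group" >&2
  # groupfolders:create is assumed to print only the id of the new folder.
  folder_id=$(occ groupfolders:create "$folder")
  case $folder_id in
    '' | *[!0-9]*) echo "unexpected folder id: $folder_id" >&2; return 1 ;;
  esac
  occ groupfolders:group "$folder_id" "$group" write >&2
  for uid in "$@"; do
    # Random initial password, handed over once and then changed by the user.
    OC_PASS=$(head -c 18 /dev/urandom | base64)
    export OC_PASS
    occ user:add --password-from-env --group "$group" "$uid" >&2
    # Quota 0: nothing can be stored in the personal area, only in the group folder.
    occ user:setting "$uid" files quota "0 B" >&2
    printf '%s\t%s\n' "$uid" "$OC_PASS"
  done
  unset OC_PASS
}

if [ "$#" -ge 3 ]; then
  provision "$@"
fi
```

Removing one person later is then a matter of disabling or deleting that single account, with no password to rotate for everyone else.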

Yes. You can use a public share (edit permission) with password.

This is a share without user but with password nobody can change. I use it, too. Sometimes.

Thanks, thatā€™s a good tip.

The public share also seems like a good option, too. I’ve now come to the conclusion that it’d be probably better to create individual user accounts for the handful of people, assign them to a group and install the “Group folder” Nextcloud app to let them share a group folder (only downside: it does not support encryption of files at the moment, but that’s not a “feature” we need right now).

And of course, this option is way better security-wise than having just one account. The original use case involved a lot more users, so a public share would have been simpler for that, but now I can also just go ahead and create a few accounts :wink:

1 Like