Not allow user to change password

I’m on 18.0.3

I don’t want that users not in admin group are able to change their password

Please tell me HowTo

Afaik this is not possible by design. I found the following discussion about this function:

If you only want to disable the reset password function, this might be a solution:

I have the same issue. From the discussion, it looks like this is not possible in Nextcloud.

So this is not a bug. It’s a “feature” with no workaround.

Starting with v.19 Nextcloud has improved password rules enforcement

What else could be the reason to deny users the ability to change their passwords?

The Nextcloud application is not always the center of the world. There may be a higher level application (other than single sign-on) that manages user accounts across multiple applications.

Can you elaborate on that?

You can implement SSO and use, for example, LDAP users.
With the latter, you CAN prevent users from changing passwords. That’s by default!
https://docs.nextcloud.com/server/19/admin_manual/configuration_user/user_auth_ldap.html

I may end up having to use LDAP or another SSO application to get around this issue. Using SSO in this problem space is a bit like “using a sledge hammer to swat a fly”. IMHO, most Nextcloud administrators do not have the time or skills required to implement such a solution.
What I believe Witzker is looking for is a simple way to create a “walled garden” for the users of the Nextcloud system he administers. He wants the administrator to be in charge of managing user accounts on the Nextcloud installation. Using SSO for this type of functionality is extremely difficult for the average administrator.

Perhaps you can change the password rules in such a way that users are not able to find correct passwords. 100 or more chars, if Nextcloud allows it?

LDAP is very easy to implement (for example, if you already have a Windows DC around).
It isn’t really SSO, just an external user directory…

SSO is a different beast… Even the NC documentation on it is “enterprise support” level…

Are there any updates on this? @brucet, you exactly describe my use case. I don’t want to deal with LDAP or SSO, just deactivate the “password change” option for users, in order to create kind of a “walled garden” for them (e.g. multiple users logging in using just one account in a very simple case).

I’ve found this issue on GitHub (“Enable/Disable users to change their password · Issue #12671 · nextcloud/server”), but apparently, this only fixes an LDAP bug.

I cannot imagine that only a few people have missed this feature so far… While you can disable the “reset password link” by adding

```php
// https://help.nextcloud.com/t/remove-the-possibility-to-reset-password-for-users/27570/2
'lost_password_link' => 'disabled',
```

to your config.php, you can apparently not deactivate the option in the user settings under the “security” tab. I hope that there are some plans to add this option to the administrator options, so that an administrator can hide the “Change password” section from certain users/groups.

I, on the other hand, cannot imagine one single use case that would justify sharing a password with multiple users, instead of using a dedicated account for each user, especially if you want to have as much control as possible as an admin.

At first glance, a single account may seem to be easier to manage. But what are you going to do, if a certain user should no longer have access to this account? Then you have to change the password for the account, and have to share the new password with all other users.

…and, how do you share the password to all these users in a secure way? Let me guess, you don’t do it in a secure way, because if creating a few user accounts, setting the quota to zero on these accounts and sharing a folder, already is too much work for you, you will probably send the password via SMS or email… won’t you?

Sorry when I appear a bit harsh here. But instead of wishing for features that are generally considered bad practice, you would probably be better off describing your exact use case. Then we could give you tips, on how you could achieve your goal the right way. And no, there is probably no need for SSO and/or LDAP in order to achieve that goal, unless you have hundreds or thousands of users to manage.

Hey @bb77, no need to accuse anybody. I’ll try to explain my use case and maybe you can lead me to a better alternative:

Right now, I have one admin user and one “normal user” set up. The Nextcloud instance should serve as a common file storage for a handful of friends, so that we can share documents. We do not need to see who uploaded which document, so I thought one user would be a good fit for us all.

It’s true that this has the restriction of not being able to manage who has still access to the account. But I do not want to withdraw some people the login information anyway.

In this scenario, I just wanted to make sure that nobody “accidentally” changes the password because the person thinks it is his/her own account. That’s why I’ve looked for an option to disable “change password” form for the user.

I did not get what you mean by “setting the quota to zero on these accounts”? Could you elaborate on that please?

Yes I should probably have left out the sentence, sorry for that. However, I’m still convinced that password sharing should be avoided whenever possible.

Tell them not to! :wink:

…or you could just share a password-protected public link with them, on which no one but you would be able to change the password. But obviously that’s not a good solution either, because it is basically the same concept you are already applying, and except for the password thing, it has the same disadvantages.

The idea is to create individual accounts for each user, and then share a group folder with those users, to which they can upload the files to. If you also set the quota to 0 for these user accounts, they can only use the group folder and cannot create files or folders inside the file structure of their own account.

Doing it with separate user accounts has several advantages:

  • You don’t have to send passwords through potentially insecure channels.
  • Users can set / change their passwords themselves, in a secure way.
  • Users can use 2FA.
  • You have better control over who has access to the files.
  • You would be able to make use of additional collaborative features, when needed.

Yes. You can use a public share (edit permission) with password.

This is a share without user but with password nobody can change. I use it, too. Sometimes.

Thanks, that’s a good tip.

The public share also seems like a good option, too. I’ve now come to the conclusion that it’d be probably better to create individual user accounts for the handful of people, assign them to a group and install the “Group folder” Nextcloud app to let them share a group folder (only downside: it does not support encryption of files at the moment, but that’s not a “feature” we need right now).

And of course, this option is way better security-wise than having just one account. The original use case involved a lot more users, so a public share would have been simpler for that, but now I can also just go ahead and create a few accounts :wink:

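The setup the thread settles on (individual accounts in one group, quota 0, one shared group folder), sketched as an admin script. This is an added example, not part of the thread: the occ path, the web server user, and the group, folder and user names are assumptions, and the accounts are assumed to have been created already by the admin.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: occ path, web server user,
# and that the accounts were already created by the admin in the web UI.
OCC_CMD="${OCC_CMD:-sudo -u www-data php /var/www/nextcloud/occ}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the occ calls for review, 0 = execute them

occ() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "occ $*"
    else
        $OCC_CMD "$@"
    fi
}

# Conservative allow-list for user IDs (assumption: letters, digits and _.@-
# are enough here), so a typo or shell metacharacter never reaches occ.
valid_uid() {
    case $1 in
        '' | *[!A-Za-z0-9_.@-]*) return 1 ;;
    esac
}

# provision_shared_folder GROUP FOLDER_NAME USER...
provision_shared_folder() {
    pf_group=$1; pf_folder=$2; shift 2
    # Validate every name first so a bad one aborts before any change is made.
    for pf_user in "$@"; do
        valid_uid "$pf_user" || { echo "invalid user id: $pf_user" >&2; return 1; }
    done
    occ app:install groupfolders || occ app:enable groupfolders
    occ group:add "$pf_group" || true      # the group may already exist
    for pf_user in "$@"; do
        occ group:adduser "$pf_group" "$pf_user"
        # Quota 0: no personal storage, only the group folder is usable.
        # Assumption: the quota is stored as the user setting files/quota.
        occ user:setting "$pf_user" files quota "0 B"
    done
    if [ "$DRY_RUN" = 1 ]; then
        occ groupfolders:create "$pf_folder"
        pf_id='<folder_id>'                # placeholder, only known after a real run
    else
        # Assumption: groupfolders:create prints the new folder's numeric ID.
        pf_id=$(occ groupfolders:create "$pf_folder")
    fi
    # "share" is left out so members are not granted re-sharing.
    occ groupfolders:group "$pf_id" "$pf_group" read write delete
}
```

Review the dry-run output of `provision_shared_folder friends Docs alice bob` first, then rerun with `DRY_RUN=0` on the Nextcloud host.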