Preventing user password change in webmail

PeteS

Well-Known Member
Jun 8, 2017
390
88
78
Oregon
cPanel Access Level
Root Administrator
There are several threads that seem to indicate that the feature set for a cPanel account controls which options (including changing user password) the user has via the webmail interface. But this is not entirely true...

Turning off Autoresponders or Forwarders in the feature set for a cPanel account removes them or turns then off in cPanal and the webmail interface. (Works as expected.)

BUT... deselecting Password & Security removes it from cPanel's interface, while leaving it active in webmail's interface! Deselecting it in the default feature set, and selecting it in the disabled feature set still does not remove it from the webmail interface.

Additionally, there is a work-around (bug?) for changing user passwords (other than the main cPanel user). It is possible in cPanel, under Email Accounts, and also under User Manager (which cannot be turned off in the feature set) to change a user password. It's like this ONLY possible to prevent a cPanel account password change but not prevent other user password changes.

It makes sense that a cPanel user should be able to change email passwords in their account, but how do we prevent users from changing their own in webmail?

What am I missing?

-Pete
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello Pete,

BUT... deselecting Password & Security removes it from cPanel's interface, while leaving it active in webmail's interface! Deselecting it in the default feature set, and selecting it in the disabled feature set still does not remove it from the webmail interface.
I've been unable to reproduce this behavior. Disabling the "Password and Security" feature removes the option to change the cPanel account username's password via cPanel >> User Prereferences, cPanel >> User Manager, and upon logging in to Webmail using the the cPanel username.

Are you referring to the individual email accounts as opposed to the cPanel account username. If so, it's by design that the "Password and Security" feature applies to the cPanel username itself and not the individual email accounts.

To clarify, are you looking for a way to prevent individual email account users from changing their passwords using Webmail? If so, that's not possible at this time. I encourage you to vote and add feedback to the following feature request if that's something you'd like to control:

Make webmail user settings menu customizable to remove features

Note that one option you can control is the ability to allow subaccount users to reset their password via email if they forget their password. The option is found under the System tab in WHM >> Tweak Settings:

Reset Password for Subaccounts

It won't stop them from changing their password if they already know the current password, but it does prevent them from resetting the password when they don't know the current password.

Thank you.
 

PeteS

Well-Known Member
Jun 8, 2017
390
88
78
Oregon
cPanel Access Level
Root Administrator
Sorry, this got dropped. Thanks for the info, and the feature link.

I do feel that limiting password changes by subaccounts (email users in this case) should be able to be limited, as forward and autoresponder creation is not. :)

-Pete
 
  • Like
Reactions: cPanelMichael