Re: Modify UserPassword attribute in ADAM

From: Eric Fleischman [MSFT] (efleis_at_online.microsoft.com)
Date: 05/03/04


Date: Mon, 3 May 2004 10:20:34 -0500


> - How do I disable this security requirement? I try to do it for my test
> ADAM server! (It's important for my test.)

I'll say it once more to make me feel better: I'd rather you go over a
secure connection. ;)
That said, using adsiedit or ldp, go ahead and connect to the configuration
container of your instance.
Navigate to the object:
cn=directory service,cn=Windows NT,CN=Services,CN=Configuration,cn={guid}.
On Directory Service, go ahead and modify the attribute dsHeuristics. You
can set the 13th bit to 1 (I said 12th before, but that is 12th when indexed
at 0). This is covered in the docs I believe. Search them on dsHeuristics
and see where it talks about this, it should be there somewhere.

> - After the test, if I want to use SSL over LDAP, must I install a Windows CA
> and generate a certificate?

Not really. It could be a 3rd party cert. But a cert that is from a trusted
root.

-- 
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

<io.com> wrote in message news:ekjMo%23OMEHA.1192@TK2MSFTNGP11.phx.gbl...
> Eric, thanks for the response. I have two last questions:
>
> - How do I disable this security requirement? I try to do it for my test
> ADAM server! (It's important for my test.)
>
> - After the test, if I want to use SSL over LDAP, must I install a Windows CA
> and generate a certificate?
>
> Thanks in advance.
>
>
> "Eric Fleischman [MSFT]" <efleis@online.microsoft.com> wrote in message
> news:OgTDPOKMEHA.3348@TK2MSFTNGP09.phx.gbl...
>> 8237 = ERROR_DS_CONFIDENTIALITY_REQUIRED
>>
>> The issue is that you are performing this over a non-secure channel. With
>> default settings we require that you perform password operations over a
>> secure channel (either ssl or using ldap_opt_encrypt).
>>
>> If you search help for "To set or modify the password of an ADAM user"
>> you should get some information on this.
>> Your choices here are:
>> 0) Perform over SSL connection
>> 1) Use ldap_opt_encrypt to secure the connection
>> 2) Disable this security requirement (via the 12th bit of dsHeuristics)
>>
>> My personal recommendation is doing either 0 or 1 as that is more secure.
>> Help talks about how to do them.
>> If you do want to disable the requirement I can help you with that, but
>> I'd strongly encourage you to not do that for security reasons.
>>
>> ~Eric
>>
>> -- 
>> Eric Fleischman [MSFT]
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights
>> Use of included script samples are subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>>
>> <io.com> wrote in message news:e5iz$1IMEHA.2244@tk2msftngp13.phx.gbl...
>> > Hi,
>> >
>> > I have an instance of ADAM on a Windows 2003 DC; I have created one ADAM
>> > account (adam-admin) and have joined this account to the administrators
>> > group with ADSI Edit.
>> >
>> > The problem is:
>> >
>> > After binding to my ADAM instance with my account adam-admin using ldp.exe,
>> > when I try to modify the UserPassword for another account the operation
>> > fails and this error appears:
>> >
>> > Error: Modify: Operations Error. <1>
>> > Server error: 00002077: SvcErr: DSID-033805FE, problem 5012 (DIR_ERROR),
>> > data 8237
>> >
>> > Error 0x2077 Illegal modify operation. Some aspect of the modification is
>> > not permitted.
>> >
>> > If I try to change another attribute for the same account, the operation
>> > succeeds.
>> >
>> > The question is: why, with my "adam-admin" account being a member of the
>> > ADAM administrators, does the operation fail if I try to change a password?
>> > How do I perform this operation with my "adam-admin" account?
>> >
>> > Note:
>> > Must I use DSACLS to perform this operation? If yes, how do I use DSACLS,
>> > and with which option?
>> >
>> >
>> > thanks in advance.
>> >
>> >
>> >
>>
>>
>
> 
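
An added example, not part of the original thread and not Microsoft's code: a Python check that reads a dsHeuristics string and reports whether the 13th character Eric describes is set, so that a change made on a test instance is noticed if it is still in place later. The function name, status strings and sample values are constructed for illustration; the position-10 marker rule is an assumption taken from Microsoft's documentation of the attribute, not from this post.

```python
# Added example: audit a dsHeuristics value for the setting discussed in the thread.
PASSWORD_OPS_POS = 13  # 1-indexed position from the post (index 12 in code)


def audit_ds_heuristics(value):
    """Return (status, notes) for a dsHeuristics string; None or '' means unset."""
    value = value or ""
    notes = []
    # Assumption from Microsoft's documentation of the attribute, not from the
    # post: every 10th character is a position marker ('1' at 10, '2' at 20).
    for pos in range(10, min(len(value), 90) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            notes.append(f"position {pos}: found {value[pos - 1]!r}, expected {expected!r}")
    if len(value) < PASSWORD_OPS_POS:
        # Too short to carry the flag: the default (secure channel) applies.
        return "secure-channel-required", notes
    flag = value[PASSWORD_OPS_POS - 1]
    if flag == "0":
        return "secure-channel-required", notes
    if flag == "1":
        return "password-ops-allowed-without-encryption", notes
    notes.append(f"position {PASSWORD_OPS_POS}: unexpected value {flag!r}")
    return "needs-review", notes


# Constructed sample values, not taken from any real instance.
SAMPLES = {
    "unset": None,
    "flag set, marker ok": "0000000001001",
    "flag set, marker missing": "0000000000001",
    "12th character set instead": "0000000001010",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        status, notes = audit_ds_heuristics(raw)
        print(f"{label:28} {raw!r:18} {status} {notes}")
```

The fourth sample shows the off-by-one the post corrects: a "1" in the 12th position leaves the secure-channel requirement in force.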

