Re: Adam user account : change password


From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 09/04/04


Date: Sat, 4 Sep 2004 15:57:08 -0600

You should never get NERR_PasswordMustChange from ADAM. There's no
interactive logon, and ADAM cannot force a pwd change on bind. In AD,
there's a userAccountControl flag "user must change pwd on next logon"; this
flag controls that error message. In ADAM, we don't have a corresponding
msds-userXXX flag, so you should never get it.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:#JSTUbhkEHA.2864@TK2MSFTNGP14.phx.gbl...
> Ah! Thanks, that explains the problem with the same-day provisioning of
> visitor accounts in an ADAM instance failing in the self-service password
> reset using ChangePassword. I will let an account mature and re-test.
>
> So the answer to the original poster's question is an unqualified yes.
>
> Thanks also for the pointer to lmerr.h. I noticed that there is a
>
> NERR_PasswordMustChange            /* Password must change at next logon */
>
> If an account was in that state, could I detect that using the user's
> credentials, i.e. induce that error code as a response to an attempted LDAP
> operation, or is that an error code for another "provider"?
>
> Thanks
>
> Lee Flight
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:OwC%23x7gkEHA.3392@TK2MSFTNGP15.phx.gbl...
> > Well, you try too hard :)
> >
> > # for decimal 2246 / hex 0x8c6 :
> >  NERR_PasswordTooRecent                                        lmerr.h
> > # /* The password of this user is too recent to change.  */
> >
> > You are hitting the minPwdAge constraint. Apparently it is not enforced
> > for pwd resets.
> >
> > -- 
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights. Use of included script samples is subject to the terms specified
> > at http://www.microsoft.com/info/cpyright.htm
> >
> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> > news:ubUegUgkEHA.3428@TK2MSFTNGP11.phx.gbl...
> >>
> >> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> >> news:eyMpNpekEHA.1404@TK2MSFTNGP09.phx.gbl...
> >> > I am tuned in :)
> >> >
> >> > Lee, what's the extended server error you get when you do
> >> > ChangePassword? You might be able to get it with ADsGetLastError. If
> >> > not, then take a sniff.
> >>
> >> I had to disable the secure channel requirement for passwd ops and take a
> >> sniff; here's what I get in the modifyResponse:
> >>
> >> 0000052D: AtrErr: DSID-033806AB, #1:
> >>     0: 0000052D: DSID-033806AB, problem 1005 (CONSTRAINT_ATT_TYPE),
> >>        data 2246, Att 9005a (unicodePwd)
> >>
> >> That's on a WinXP SP2 client in a workgroup against ADAM on a W2k3 server
> >> [in a W2K3 (domain/forest functional level) AD] with
> >> ADAMDisablePasswordPolicies=0 on the ADAM instance and dsaVersionString:
> >> 1.0.230.36. I do not think the client is the issue, as running the code
> >> on the instance server (localhost) has the same problem. If I set
> >> ADAMDisablePasswordPolicies=1, ChangePassword completes.
> >>
> >> Thanks
> >>
> >> Lee Flight
> >>
> >>
> >
> >
>
>
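The modifyResponse Lee sniffed is the standard AD/ADAM extended error string, and the whole diagnosis hinges on reading its "data" field against lmerr.h (2246 = NERR_PasswordTooRecent, i.e. minPwdAge). Below is an added example, not code from this thread or from Microsoft, that parses such a string and maps the data field to its lmerr.h name. The sample strings are constructed copies of the captured response, and the lmerr.h values other than 2246 are supplied from the header as an assumption.

```python
import re

# Subset of lmerr.h codes (NERR_BASE = 2100) that AD and ADAM place in the
# "data" field of a CONSTRAINT_ATT_TYPE error on unicodePwd. Only 2246 is
# quoted in the thread; the others are assumed from lmerr.h.
LMERR_NAMES = {
    2243: "NERR_PasswordMustChange",    # per the thread, ADAM never returns this
    2244: "NERR_PasswordHistConflict",
    2245: "NERR_PasswordTooShort",
    2246: "NERR_PasswordTooRecent",     # minPwdAge has not elapsed (the thread's case)
}
WIN32_NAMES = {0x52D: "ERROR_PASSWORD_RESTRICTION"}

# Constructed copy of the captured modifyResponse; the sniffer's ASCII pane
# showed the newline/tab between "#1:" and "0:" as dots.
SAMPLE = ("0000052D: AtrErr: DSID-033806AB, #1:\n\t0: 0000052D: DSID-033806AB, "
          "problem 1005 (CONSTRAINT_ATT_TYPE), data 2246, Att 9005a (unicodePwd)")

HEADER = re.compile(r"(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*DSID-\w+,\s*#\s*\d+:")
ENTRY = re.compile(
    r"(?P<idx>\d+):\s*(?P<win32>[0-9A-Fa-f]{8}):\s*DSID-\w+,\s*"
    r"problem\s+(?P<problem>\d+)\s*\((?P<pname>\w+)\),\s*data\s+(?P<data>\d+)"
    r"(?:,\s*Att\s+(?P<attid>[0-9A-Fa-f]+)\s*\((?P<attname>\w+)\))?")


def parse_ad_error(text):
    """Split an AD/ADAM extended error string into its header and entries."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("not an AD extended error string")
    win32 = int(head["win32"], 16)
    entries = []
    for m in ENTRY.finditer(text, head.end()):
        data = int(m["data"])
        entries.append({"problem": int(m["problem"]), "problem_name": m["pname"],
                        "data": data, "data_name": LMERR_NAMES.get(data, "unknown"),
                        "attribute": m["attname"]})
    return {"win32": win32, "win32_name": WIN32_NAMES.get(win32, "unknown"),
            "kind": head["kind"], "entries": entries}


def diagnose_pwd_change(text):
    """Return the lmerr.h name behind a rejected unicodePwd change, or None
    when the error is not a password-policy constraint violation."""
    for e in parse_ad_error(text)["entries"]:
        if e["attribute"] == "unicodePwd" and e["problem"] == 1005:
            return e["data_name"]
    return None


if __name__ == "__main__":
    print(diagnose_pwd_change(SAMPLE))  # NERR_PasswordTooRecent -> check minPwdAge
```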

