Windows Vista Tips


Re: Adam user account : change password

Lee Flight
      09-03-2004
Yes you can. If you are using ADSI then you could modify the sample at

http://msdn.microsoft.com/library/en...r_password.asp

changing the credentials in the OpenDsObject call to be those of the ADAM principal. ADAM principals have Change Password permission on the object that represents them by default, however see below.

A few points to note:

The ADAM principal will not, by default, be able to bind to the (user) object that represents them; you will need to grant them that access. Depending on how fine-grained you want access to be, there are a variety of options for doing this.

Password operations require a secure channel by default. As you are binding as an ADAM principal you will be doing a simple bind, and so both the bind and the password change operation will need to be performed over SSL.

Passwords for ADAM principals on ADAM instances on servers in AD domains are subject to the password complexity restrictions for the domain by default. I have a problem with this in that I have never managed to get an ADSI invoke of ChangePassword to work against an ADAM instance when password complexity is enabled; you may have better luck.

[If Dmitri is tuned in: I always get "Set password failed with error 8007202F" for ChangePassword if I have password complexity enabled (SetPassword is OK).]

Hope this helps

Lee Flight


"Gene Vangampelaere" <> wrote in message
news: om...

> Can you bind to ADAM with an ADAM-user
> account and then change the password of that user?
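
As an added example (not code from the thread or from the MSDN sample it links), this is the LDAP modify that a ChangePassword call sends to an ADAM instance on unicodePwd, beside the reset form used by SetPassword; it builds the request only, and the LDAPS check assumes the caller passes its bind URL.

```python
"""Wire-level shape of an LDAP password change on unicodePwd.

Added example, not code from the thread or from the MSDN sample it links.
A self-service change (ADSI ChangePassword) is one LDAP modify that
deletes the old unicodePwd value and adds the new one; a reset
(SetPassword) replaces the value outright. Both values are the password
wrapped in double quotes and encoded as UTF-16LE. Only the request is
built here; nothing is sent.
"""
from typing import List, Tuple

# LDAP ModifyRequest operation codes (RFC 4511)
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
Modification = Tuple[int, str, bytes]


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd value: the password in double quotes, UTF-16LE."""
    if '"' in password:
        raise ValueError("unicodePwd values cannot contain a double quote")
    return f'"{password}"'.encode("utf-16-le")


def change_password_mods(old: str, new: str) -> List[Modification]:
    """ChangePassword as the ADAM principal: delete old + add new in one
    operation, so the server verifies the old value and applies minPwdAge
    (the constraint the thread hit, reported as data 2246 on unicodePwd)."""
    if old == new:
        raise ValueError("new password must differ from the old one")
    return [(MOD_DELETE, "unicodePwd", encode_unicode_pwd(old)),
            (MOD_ADD, "unicodePwd", encode_unicode_pwd(new))]


def reset_password_mods(new: str) -> List[Modification]:
    """SetPassword by an account with Reset Password rights: a single
    replace; the thread notes minPwdAge is not enforced on this path."""
    return [(MOD_REPLACE, "unicodePwd", encode_unicode_pwd(new))]


def transport_ok(url: str) -> bool:
    """Password modifications by a simply-bound ADAM principal are refused
    unless the session is LDAPS (assumption: caller passes the bind URL)."""
    return url.lower().startswith("ldaps://")
```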

Dmitri Gavrilov [MSFT]
      09-03-2004
I am tuned in

Lee, what's the extended server error you get when you do ChangePassword?
You might be able to get it with ADsGetLastError. If not, then take a sniff.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Lee Flight" <-nospam> wrote in message
news:...
 
Lee Flight
      09-03-2004

"Dmitri Gavrilov [MSFT]" <> wrote in message
news:...
> I am tuned in
>
> Lee, what's the extended server error you get when you do ChangePassword?
> You might be able to get it with ADsGetLastError. If not, then take a
> sniff.


I had to disable the secure channel requirement for passwd ops and take a sniff; here's what I get in the modifyResponse:

0000052D: AtrErr: DSID-033806AB, #1:..0: 0000052D: DSID-033806AB, problem 1005 (CONSTRAINT_ATT_TYPE), data 2246, Att 9005a (unicodePwd)..

That's on a WinXP SP2 client in a workgroup against ADAM on a W2k3 server [in a W2K3 (domain/forest functional level) AD] with ADAMDisablePasswordPolicies=0 on the ADAM instance and dsaVersionString: 1.0.230.36. I do not think the client is the issue, as running the code on the instance server (localhost) has the same problem. If I set ADAMDisablePasswordPolicies=1, ChangePassword completes.

Thanks

Lee Flight


 
Dmitri Gavrilov [MSFT]
      09-03-2004
Well, you try too hard

# for decimal 2246 / hex 0x8c6 :
NERR_PasswordTooRecent lmerr.h
# /* The password of this user is too recent to change. */

You are hitting minPwdAge constraint. Apparently it is not enforced for pwd
resets.

--
Dmitri Gavrilov
SDE, Active Directory Core


"Lee Flight" <-nospam> wrote in message
news:...
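
A small parser for that extended error string, as an added example rather than code from the thread: it pulls the Win32 status, DS problem and data fields out of a modifyResponse diagnostic and maps data 2246 to NERR_PasswordTooRecent the way Dmitri did; the sample string is reconstructed from Lee's sniff.

```python
"""Parse the AD/ADAM extended error text out of an LDAP modifyResponse.
Added example, not code from the thread: for a password constraint
violation the 'data' field is an lmerr.h NERR_* value, which is how
Dmitri read data 2246 as NERR_PasswordTooRecent (minPwdAge)."""
import re
from typing import Any, Dict, Optional

# Password-related lmerr.h values (NERR_BASE = 2100). 2246 is the one
# decoded in the thread; the other three are its neighbours in lmerr.h.
NERR_BY_DATA = {2243: "NERR_PasswordMustChange", 2244: "NERR_PasswordHistConflict",
                2245: "NERR_PasswordTooShort", 2246: "NERR_PasswordTooRecent"}

_HEAD = re.compile(r"^(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+)")
_DETAIL = re.compile(r"problem (?P<problem>\d+) \((?P<pname>[A-Z_]+)\), data (?P<data>-?\d+)"
                     r"(?:, Att (?P<attid>[0-9A-Fa-f]+) \((?P<attname>\w+)\))?")


def parse_ad_error(diag: str) -> Optional[Dict[str, Any]]:
    """Return the fields of the extended error, or None for any other shape."""
    head, detail = _HEAD.search(diag), _DETAIL.search(diag)
    if not head or not detail:
        return None
    data = int(detail["data"])
    return {"win32": int(head["win32"], 16),  # 0x52D = ERROR_PASSWORD_RESTRICTION (1325)
            "kind": head["kind"], "dsid": head["dsid"],
            "problem": int(detail["problem"]), "problem_name": detail["pname"],
            "data": data, "nerr": NERR_BY_DATA.get(data),
            "attribute": detail["attname"]}  # None when there is no Att part


def is_min_pwd_age_rejection(diag: str) -> bool:
    """The exact case in the thread: a constraint violation on unicodePwd
    whose data field is NERR_PasswordTooRecent."""
    err = parse_ad_error(diag)
    return bool(err) and err["attribute"] == "unicodePwd" and err["data"] == 2246


# Constructed sample, rebuilt from the sniffed modifyResponse in the thread
# (the '..' in the sniff taken to be the usual newline + tab separator).
SAMPLE = ("0000052D: AtrErr: DSID-033806AB, #1:\n\t0: 0000052D: DSID-033806AB, "
          "problem 1005 (CONSTRAINT_ATT_TYPE), data 2246, Att 9005a (unicodePwd)")
```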
 
Lee Flight
      09-04-2004
Ah! Thanks, that explains the problem with the same-day provisioning of visitor accounts in an ADAM instance failing in the self-service password reset using ChangePassword. I will let an account mature and re-test.

So the answer to the original poster's question is an unqualified yes.


Thanks also for the pointer to lmerr.h. I noticed that there is a

NERR_PasswordMustChange /* Password must change at next logon */

If an account was in that state, could I detect that using the user's credentials, i.e. induce that error code as a response to an attempted LDAP operation, or is that an error code for another "provider"?

Thanks

Lee Flight

"Dmitri Gavrilov [MSFT]" <> wrote in message
news:OwC%...
 
Lee Flight
      09-04-2004

"Lee Flight" <-nospam> wrote in message
news:%...

> I will let an account mature and re-test.


Why wait? I just tried it on an ADAM instance on Windows XP, which of course does not support password complexity on ADAM principals, and the ChangePassword works. [I guess that's one to remember when developing on XP with a view to moving to W2K3.]

Lee Flight


 
Dmitri Gavrilov [MSFT]
      09-04-2004
You should never get NERR_PasswordMustChange from ADAM. There's no
interactive logon, and ADAM can not force a pwd change on bind. In AD,
there's a userAccountControl flag "user must change pwd on next logon", this
flag controls that error message. In ADAM, we don't have a corresponding
msds-userXXX flag, so you should never get it.

--
Dmitri Gavrilov
SDE, Active Directory Core


"Lee Flight" <-nospam> wrote in message
news:#...
 
Lee Flight
      09-05-2004
Thanks for that, I will go and think about whether we need (domain) password complexity on our ADAM instance. I have had to override password expiry already for an ADAM principal; happily the attribute/flag for doing that does exist.

Lee Flight

"Dmitri Gavrilov [MSFT]" <> wrote in message
news:%...