Resending due to a formatting error on my
part, sorry for the duplicate post but it is much easier to read with the lines
wrapped. :)

-Steve

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, June 28, 2005 11:58 PM
Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread. If this is Windows
Server 2003 RTM then you may be hitting a known issue if your provisioning tool
uses LDAP to create the accounts and the attributes are not in a specific
order. Due to a change made in Windows 2003 if you created a user using
LDAP and the unicodepwd attribute was not specified before the
useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol
was not setting the account disabled then we would return the error that the
password did not meet complexity requirements even if the password did meet the
requirements. Since LDAP operations are supposed to be atomic this
behavior was incorrect and a fix was created. This fix is in Windows
Server 2003 SP1 so if you are running into this particular scenario on Windows
Server 2003 RTM and can not go to SP1 then you can call Microsoft and request
the hotfix for KB 891299 (note this KB is currently not public). I also
wanted to point out that the DSID number will not normally be that helpful to
those outside of Microsoft and that the DSID can have different values across
different versions of the binary even if it is referring to the same error.
What can be helpful however is the first part of the error after the
Server_Info tag because it is an error/status message. In this case using
the handy err.exe tool that is available on the download.microsoft.com site you
will find that the error you received is:

    C:\tools>err 0000052D
    # for hex 0x52d / decimal 1325 :
      ERROR_PASSWORD_RESTRICTION                          winerror.h
    # Unable to update the password. The value provided for the
    # new password does not meet the length, complexity, or
    # history requirement of the domain.
    # 1 matches found for "0000052D"

So now that you have read all of this you are saying prove it to me so
here are the repro steps that will produce the above error on Windows Server
2003 RTM (note Windows 2000 server was not affected) and of course if you run
it against Windows Server 2003 SP1 it will be successful:

1) Ensure you have a password policy enabled requiring complexity and
   minimum characters.
2) Fire up LDP and connect via SSL to the DC of your choice.
3) Perform a simple bind and then select the User OU of your choice
4) Right click and Select Add child, modifying the DN to be the new
   user you want to create
5) Enter the following attributes in this order
     objectclass: top;user;person;organizationalperson
     samaccountname: <yourchoice>
     useraccountcontrol: 512
     unicodepwd:\UNI:"<yourpassword>"
6) Select RUN and you will get the error above on a Windows Server 2003
   machine.

If you set the useraccountcontrol attribute after the unicodepwd
attribute, assuming the password meets the complexity requirements, then it
will succeed without throwing an error. Also note that the quotes are
needed when specifying the password when using the \UNI: switch which tells LDP
to pass the password in Unicode. One provisioning tool that was affected
by this issue was HP Openview Select Identity.

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:49 PM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out.

One more query. After I've changed my password policy, they don't seem
to be reflected immediately. How can I force it?

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

> That DSID can pop up when an account is improperly created. I.E. Someone is
> trying to set the account enabled in the actual creation of the account when
> there is password length policy.
>
> If you have a password length policy you need to create the account
> disabled, then set a password, then enable it.
>
> It sounds like the meta directory product doesn't know how to properly
> create an account in AD.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
> Sent: Monday, June 27, 2005 7:42 PM
> To: [email protected]
> Subject: Re: [ActiveDir] Error while adding user to AD
>
> Active Directory password policy was set as follows:
>
> Policy                                        Setting
> Enforce password history                      0 passwords remembered
> Maximum password age                          999 days
> Minimum password age                          0 days
> Minimum password length                       8 characters
> Password must meet complexity requirements    Disabled
> Store passwords using reversible encryption   Disabled
>
> Provisioning new accounts failed even though
> our passwords are longer than 8 characters.
>
> When modifying the policy to a minimum length of 0 characters provisioning
> works.
>
> Any pointers of how this happened?
>
> Regards,
> Mayuresh
>
> ----- Original Message -----
> From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, June 28, 2005 4:57 AM
> Subject: RE: [ActiveDir] Error while adding user to AD
>
> This sort of error happens when the user you are provisioning doesn't meet
> all the policy requirements in AD. Make sure all the required attributes are
> set properly, and make sure that the password assigned to the user object
> meets the current domain complexity requirements.
>
> -gil
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
> Sent: Mon 6/27/2005 4:09 PM
> To: [email protected]
> Subject: [ActiveDir] Error while adding user to AD
>
> Hi,
>
> I am using a meta directory to provision a new user in AD. But while adding
> the user, I am getting the following error:
>
> Server_Info='0000052D: SvcErr: DSID-031A0B56, problem 5003
> (WILL_NOT_PERFORM), data 0
>
> Can you guide me as to how can I detect and eliminate the cause of it
> please.
>
> Thanks,
> Mayuresh

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
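
The attribute-ordering condition Steve describes and the Server_Info string from the original question, as an added example that is not part of the thread or of any Microsoft or vendor tooling: Python that decodes the error string and checks a provisioning tool's LDAP add request for the order that fails on Windows Server 2003 RTM. The function names, the sample account name and the sample password are assumptions constructed for illustration.

```python
import re

ACCOUNTDISABLE = 0x0002  # userAccountControl bit; 512 (NORMAL_ACCOUNT) leaves it clear
WIN32_ERRORS = {0x52D: "ERROR_PASSWORD_RESTRICTION"}  # from the err.exe output in the thread

def encode_unicode_pwd(password):
    """unicodePwd is sent as the password wrapped in double quotes, UTF-16LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")

def parse_server_info(text):
    """Pull the leading hex status, error kind and DSID out of a Server_Info string."""
    m = re.search(r"([0-9A-Fa-f]{8}):\s*(\w+):\s*(DSID-[0-9A-Fa-f]+)", text)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"code": code, "name": WIN32_ERRORS.get(code, "unknown"),
            "kind": m.group(2), "dsid": m.group(3)}

def hits_rtm_ordering_issue(attrs):
    """attrs: ordered (name, value) pairs as they appear in the LDAP add request.
    True when unicodePwd follows a userAccountControl that leaves the account enabled."""
    names = [n.lower() for n, _ in attrs]
    if "unicodepwd" not in names or "useraccountcontrol" not in names:
        return False
    uac_pos = names.index("useraccountcontrol")
    enabled = not (int(attrs[uac_pos][1]) & ACCOUNTDISABLE)
    return enabled and names.index("unicodepwd") > uac_pos

def reorder_for_add(attrs):
    """Move unicodePwd directly ahead of userAccountControl; other attributes keep their order."""
    if not hits_rtm_ordering_issue(attrs):
        return list(attrs)
    pwd = next(a for a in attrs if a[0].lower() == "unicodepwd")
    rest = [a for a in attrs if a[0].lower() != "unicodepwd"]
    idx = [n.lower() for n, _ in rest].index("useraccountcontrol")
    return rest[:idx] + [pwd] + rest[idx:]

# Constructed sample: the attribute order from the repro steps, with a placeholder password.
SAMPLE_ADD = [
    ("objectClass", ["top", "user", "person", "organizationalPerson"]),
    ("sAMAccountName", "jdoe"),
    ("userAccountControl", "512"),
    ("unicodePwd", encode_unicode_pwd("Constructed-Pw-123!")),
]
SAMPLE_ERROR = ("Server_Info='0000052D: SvcErr: DSID-031A0B56, "
                "problem 5003 (WILL_NOT_PERFORM), data 0")

if __name__ == "__main__":
    print(parse_server_info(SAMPLE_ERROR))
    print(hits_rtm_ordering_issue(SAMPLE_ADD))
    print([name for name, _ in reorder_for_add(SAMPLE_ADD)])
```

The check only looks at the request a tool is about to send; it keys on the hex status rather than the DSID because, as the message notes, the DSID can differ between builds.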
