From: Steve Linehan
Subject: RE: [ActiveDir] Error while adding user to AD

Joe,

From the ADSI perspective I have never actually looked into it but I would imagine there is a way to do it since it eventually boils down to an LDAP call. If I get a chance I will see if I can find a sample in ADSI or DirectoryServices.NET.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Hi Steve,

Been awhile. That last post did come across weird. :o) I should have been clear on the DSID and it changing with binaries if there are line numbering changes in the code; I didn't think to mention it. Thanks for clarifying. For the most part, the DSIDs aren't extremely useful unless you have source access. It generally isn't worth recording DSIDs and mapping them to problems unless you are also including in that map OS info, at the least version and SP level, but hotfixes can throw you off as well depending on what got touched.

Also thanks for the pointer on decoding that first part of the extended error. I have always wondered what that was but never made the connection to winerror. Now I need to update my code that dumps the extended error info in LDAP calls to actually decode that message as well. It would be useful.

Can ADSI be forced to do this op correctly (i.e. in the correct order)? I can't recall having seen an example of it. The examples I am aware of are all several steps: set basic attribs and setinfo(), set password, set uac and setinfo(). I can create an account with the LDAP API and give it a password and have it enabled out of the gate[1], but since I haven't seen ADSI do it I generally just tell people to do it in a multistep operation, as I have no clue why ADSI didn't do it and would rather avoid that question; much easier. Too many people are using ADSI, and many people don't know if the tools they are using use ADSI or something else, and I would rather avoid all of it. If ADSI *can* do it in a single step then I can stop telling people to do multistep ops, which in my opinion is much cleaner and faster.

Thanks
joe

[1] In admod you can add a new user to a K3 domain with password hot and ready to go like this (one line):

admod -b cn=testuser,cn=users,dc=domain,dc=com -add -kerbenc objectclass::user samaccountname::testuser useraccountcontrol::512 unicodepwd::testpassword pwdlastset::-1

This won't work in a 2K domain because admod doesn't support SSL yet. It works for K3 (all) because you don't need SSL and because I change the order of how the attributes are submitted to the server. The UAC attribute will always follow the unicodepwd attribute, though it was pure dumb luck versus knowing there was an ordering issue. Had I run into the ordering issue I would have been pretty confused, I expect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan

Resending due to a formatting error on my part, sorry for the duplicate post but it is much easier to read with the lines wrapped.

-Steve

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, June 28, 2005 11:58 PM
Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003, if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request, and the useraccountcontrol was not setting the account disabled, then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1, so if you are running into this particular scenario on Windows Server 2003 RTM and can not go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public).

I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag, because it is an error/status message. In this case, using the handy err.exe tool that is available on the download.microsoft.com site, you will find that the error you received is:

C:\tools>err 0000052D
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "0000052D"

So now that you have read all of this you are saying "prove it to me", so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 Server was not affected), and of course if you run it against Windows Server 2003 SP1 it will be successful:

1) Ensure you have a password policy enabled requiring complexity and minimum characters.
2) Fire up LDP and connect via SSL to the DC of your choice.
3) Perform a simple bind and then select the User OU of your choice.
4) Right click and select Add child, modifying the DN to be the new user you want to create.
5) Enter the following attributes in this order:
   objectclass: top;user;person;organizationalperson
   samaccountname: <yourchoice>
   useraccountcontrol: 512
   unicodepwd: \UNI:"<yourpassword>"
6) Select RUN and you will get the error above on a Windows Server 2003 machine.

If you set the useraccountcontrol attribute after the unicodepwd attribute, assuming the password meets the complexity requirements, then it will succeed without throwing an error. Also note that the quotes are needed when specifying the password when using the \UNI: switch, which tells LDP to pass the password in Unicode. One provisioning tool that was affected by this issue was HP Openview Select Identity.

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:49 PM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out.

One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

> That DSID can pop up when an account is improperly created. I.E. someone is
> trying to set the account enabled in the actual creation of the account when
> there is a password length policy.
>
> If you have a password length policy you need to create the account
> disabled, then set a password, then enable it.
>
> It sounds like the meta directory product doesn't know how to properly
> create an account in AD.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
> Sent: Monday, June 27, 2005 7:42 PM
> To: [email protected]
> Subject: Re: [ActiveDir] Error while adding user to AD
>
> Active Directory password policy was set as follows:
>
> Policy                                        Setting
> Enforce password history                      0 passwords remembered
> Maximum password age                          999 days
> Minimum password age                          0 days
> Minimum password length                       8 characters
> Password must meet complexity requirements    Disabled
> Store passwords using reversible encryption   Disabled
>
> Provisioning new accounts failed even though our passwords are longer than
> 8 characters.
>
> When modifying the policy to a minimum length of 0 characters, provisioning
> works.
>
> Any pointers on how this happened?
>
> Regards,
> Mayuresh
>
> ----- Original Message -----
> From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, June 28, 2005 4:57 AM
> Subject: RE: [ActiveDir] Error while adding user to AD
>
> This sort of error happens when the user you are provisioning doesn't meet
> all the policy requirements in AD. Make sure all the required attributes are
> set properly, and make sure that the password assigned to the user object
> meets the current domain complexity requirements.
>
> -gil
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
> Sent: Mon 6/27/2005 4:09 PM
> To: [email protected]
> Subject: [ActiveDir] Error while adding user to AD
>
> Hi,
>
> I am using a meta directory to provision a new user in AD. But while adding
> the user, I am getting the following error:
>
> Server_Info='0000052D: SvcErr: DSID-031A0B56, problem 5003
> (WILL_NOT_PERFORM), data 0
>
> Can you guide me as to how I can detect and eliminate the cause of it,
> please.
>
> Thanks,
> Mayuresh
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
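Steve's LDP repro and Joe's admod footnote above come down to the same two points: the password has to travel over an encrypted connection, and in a single LDAP Add against Windows Server 2003 RTM the unicodePwd attribute must be sent before userAccountControl. The PowerShell below is an added example, not code from anyone in the thread, that does the add in one operation and, on failure, decodes the leading Win32 code of the extended error the way err.exe did above. It uses the System.DirectoryServices.Protocols LDAP API (not ADSI, so it does not answer Joe's question about ADSI itself) because that API sends attributes in the order they are added to the request; the server name, DN and password are placeholders, and the small winerror lookup table covers only the codes relevant to this scenario.

```powershell
# Added example (not from the thread). Creates an enabled AD user in ONE LDAP Add,
# ordering unicodePwd before userAccountControl (the order Steve's repro says works on
# Windows Server 2003 RTM), over LDAPS, using System.DirectoryServices.Protocols.
# Server, DN and password are placeholders; the winerror table below is an assumption.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertFrom-AdExtendedError {
    # Decodes the text AD returns after Server_Info=', e.g.
    #   "0000052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0"
    # The first 8 hex digits are a Win32 error code (winerror.h); that is the part
    # worth decoding. The DSID is a code-location marker that changes between binaries.
    param([Parameter(Mandatory)][string]$Message)

    $pattern = '^(?<code>[0-9A-Fa-f]{8}):\s*(?<kind>\w+):\s*DSID-(?<dsid>[0-9A-Fa-f]+),' +
               '\s*problem\s+(?<problem>\d+)\s*\((?<name>[A-Z_]+)\),\s*data\s+(?<data>\d+)'
    $m = [regex]::Match($Message.Trim().TrimStart("'"), $pattern)
    if (-not $m.Success) { throw "Unrecognised extended error text: $Message" }

    $win32 = [Convert]::ToInt32($m.Groups['code'].Value, 16)
    # Minimal lookup (assumption: only these matter here); err.exe / winerror.h is authoritative.
    $names = @{ 5 = 'ERROR_ACCESS_DENIED'; 1325 = 'ERROR_PASSWORD_RESTRICTION'; 1326 = 'ERROR_LOGON_FAILURE' }
    $name  = if ($names.ContainsKey($win32)) { $names[$win32] } else { 'UNKNOWN (run err.exe)' }

    [pscustomobject]@{
        Win32Code   = $win32
        Win32Hex    = ('0x{0:X}' -f $win32)
        Win32Name   = $name
        DSID        = $m.Groups['dsid'].Value
        LdapProblem = [int]$m.Groups['problem'].Value
        LdapName    = $m.Groups['name'].Value
        Data        = [int]$m.Groups['data'].Value
    }
}

function New-AdUserSingleLdapAdd {
    param(
        [Parameter(Mandatory)][string]$Server,           # placeholder, e.g. 'dc01.domain.com'
        [Parameter(Mandatory)][string]$UserDn,           # placeholder, e.g. 'CN=testuser,CN=Users,DC=domain,DC=com'
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $ns = 'System.DirectoryServices.Protocols'

    # Port 636 + SSL: the DC only accepts unicodePwd on an encrypted connection, which is
    # why LDP had to connect via SSL and why admod needed -kerbenc (Kerberos encryption).
    $ident = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, 636
    $conn  = New-Object "$ns.LdapConnection" -ArgumentList $ident
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    try {
        $conn.Bind()   # binds as the caller's current Windows identity

        # unicodePwd is the UTF-16LE bytes of the password wrapped in double quotes,
        # which is what LDP's \UNI:"<password>" syntax builds for you.
        $plain    = (New-Object System.Net.NetworkCredential -ArgumentList '', $Password).Password
        $pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')

        $objectClass = New-Object "$ns.DirectoryAttribute" -ArgumentList 'objectClass', 'top'
        foreach ($c in 'person', 'organizationalPerson', 'user') { [void]$objectClass.Add($c) }

        # Wire order is the order of this array. userAccountControl=512 (NORMAL_ACCOUNT,
        # enabled) goes LAST, after unicodePwd; swap them to reproduce Steve's 2003 RTM error.
        # pwdLastSet=-1 mirrors Joe's admod line (no "change password at next logon").
        $attrs = @(
            $objectClass
            New-Object "$ns.DirectoryAttribute" -ArgumentList 'sAMAccountName', $SamAccountName
            New-Object "$ns.DirectoryAttribute" -ArgumentList 'unicodePwd', $pwdBytes
            New-Object "$ns.DirectoryAttribute" -ArgumentList 'pwdLastSet', '-1'
            New-Object "$ns.DirectoryAttribute" -ArgumentList 'userAccountControl', '512'
        )
        $req  = New-Object "$ns.AddRequest" -ArgumentList $UserDn, ([System.DirectoryServices.Protocols.DirectoryAttribute[]]$attrs)
        $resp = $conn.SendRequest($req)
        return [pscustomobject]@{ Succeeded = $true; ResultCode = $resp.ResultCode; Error = $null }
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # The server's extended message is the Server_Info text seen in the original post.
        $resp = $_.Exception.Response
        return [pscustomobject]@{
            Succeeded  = $false
            ResultCode = $resp.ResultCode
            Error      = ConvertFrom-AdExtendedError -Message $resp.ErrorMessage
        }
    }
    finally { $conn.Dispose() }
}

# Usage against a DC (placeholders):
#   $pw = Read-Host -AsSecureString 'Password'
#   New-AdUserSingleLdapAdd -Server 'dc01.domain.com' -UserDn 'CN=testuser,CN=Users,DC=domain,DC=com' -SamAccountName 'testuser' -Password $pw
# Decoding the string from the original post needs no DC at all:
ConvertFrom-AdExtendedError "0000052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0"
```

The last line reports Win32Code 1325, ERROR_PASSWORD_RESTRICTION, LDAP problem 5003 WILL_NOT_PERFORM, the same result Steve got from err.exe. If the add fails on a patched DC, read the decoded Win32Name before suspecting ordering: ERROR_PASSWORD_RESTRICTION on SP1 or later means the password really does not meet policy, and ERROR_ACCESS_DENIED means the bound identity cannot create objects in that container.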
