Thanks Steve. I expect the newer Directory Services piece will do it since it goes straight to LDAP and bypasses the ADSI middleman, not sure on the one that stops and has coffee with ADSI though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Wednesday, June 29, 2005 4:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Error while adding user to AD

Joe,

From the ADSI perspective I have never actually looked into it but I would imagine there is a way to do it since it eventually boils down to an LDAP call. If I get a chance I will see if I can find a sample in ADSI or DirectoryServices.NET.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Hi Steve,

Been awhile. That last post did come across weird. :o) I should have been clear on the DSID and it changing with binaries if there are line numbering changes in the code, I didn't think to mention it. Thanks for clarifying. For the most part, the DSIDs aren't extremely useful unless you have source access. It generally isn't worth recording DSIDs and mapping them to problems unless you are also including in that map OS info, at the least version and SP level, but hotfixes can throw you off as well depending on what got touched.

Also thanks for the pointer on decoding that first part of the extended error. I have always wondered what that was but never made the connection to winerror. Now I need to update my code that dumps the extended error info in LDAP calls to actually decode that message as well. It would be useful.

Can ADSI be forced to do this op correctly (i.e. in the correct order)? I can't recall having seen an example of it. The examples I am aware of are all several steps - set basic attribs and setinfo(), set password, set uac and setinfo(). I can create an account with LDAP API and give it a password and have it enabled out of the gate[1] but since I haven't seen ADSI do it I generally just tell people to do it in a multistep operation as I have no clue why ADSI didn't do it and would rather avoid that question, much easier. Too many people using ADSI and also many people don't know if the tools they are using use ADSI or something else and I would rather avoid all of it. If ADSI *can* do it in a single step then I can stop telling people to do multistep ops, which in my opinion is much cleaner and faster.

Thanks
joe

[1] In admod you can add a new user to a K3 domain with password hot and ready to go like this (one line):

admod -b cn=testuser,cn=users,dc=domain,dc=com -add -kerbenc objectclass::user samaccountname::testuser useraccountcontrol::512 unicodepwd::testpassword pwdlastset::-1

This won't work in a 2K domain because admod doesn't support SSL yet. It works for K3 (all) because you don't need SSL and because I change the order of how the attributes are submitted to the server. The UAC attribute will always follow the unicodepwd attribute, though it was pure dumb luck versus knowing there was an ordering issue. Had I run into the ordering issue I would have been pretty confused I expect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan

Resending due to a formatting error on my part, sorry for the duplicate post but it is much easier to read with the lines wrapped. :)

-Steve

________________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Tuesday, June 28, 2005 11:58 PM
Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003, if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol was not setting the account disabled, then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1, so if you are running into this particular scenario on Windows Server 2003 RTM and cannot go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public).

I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag because it is an error/status message. In this case, using the handy err.exe tool that is available on the download.microsoft.com site, you will find that the error you received is:

C:\tools>err 0000052D
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "0000052D"

So now that you have read all of this you are saying "prove it to me", so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 server was not affected) and of course if you run it against Windows Server 2003 SP1 it will be successful:

1) Ensure you have a password policy enabled requiring complexity and minimum characters.
2) Fire up LDP and connect via SSL to the DC of your choice.
3) Perform a simple bind and then select the User OU of your choice.
4) Right click and select Add child, modifying the DN to be the new user you want to create.
5) Enter the following attributes in this order:

   objectclass: top;user;person;organizationalperson
   samaccountname: <yourchoice>
   useraccountcontrol: 512
   unicodepwd: \UNI:"<yourpassword>"

6) Select RUN and you will get the error above on a Windows Server 2003 machine.

If you set the useraccountcontrol attribute after the unicodepwd attribute, assuming the password meets the complexity requirements, then it will succeed without throwing an error. Also note that the quotes are needed when specifying the password when using the \UNI: switch, which tells LDP to pass the password in Unicode. One provisioning tool that was affected by this issue was HP Openview Select Identity.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:49 PM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out.

One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

> That DSID can pop up when an account is improperly created. I.E. Someone is
> trying to set the account enabled in the actual creation of the account when
> there is password length policy.
>
> If you have a password length policy you need to create the account
> disabled, then set a password, then enable it.
>
> It sounds like the meta directory product doesn't know how to properly
> create an account in AD.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
> Sent: Monday, June 27, 2005 7:42 PM
> To: [email protected]
> Subject: Re: [ActiveDir] Error while adding user to AD
>
> Active Directory password policy was set as follows:
>
> Policy                                          Setting
> Enforce password history                        0 passwords remembered
> Maximum password age                            999 days
> Minimum password age                            0 days
> Minimum password length                         8 characters
> Password must meet complexity requirements      Disabled
> Store passwords using reversible encryption     Disabled
>
> Provisioning new accounts failed even though our passwords are longer than 8
> characters.
>
> When modifying the policy to a minimum length of 0 characters provisioning
> works.
>
> Any pointers of how this happened?
>
> Regards,
> Mayuresh
>
> ----- Original Message -----
> From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, June 28, 2005 4:57 AM
> Subject: RE: [ActiveDir] Error while adding user to AD
>
> This sort of error happens when the user you are provisioning doesn't meet
> all the policy requirements in AD. Make sure all the required attributes are
> set properly, and make sure that the password assigned to the user object
> meets the current domain complexity requirements.
>
> -gil
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
> Sent: Mon 6/27/2005 4:09 PM
> To: [email protected]
> Subject: [ActiveDir] Error while adding user to AD
>
> Hi,
>
> I am using a meta directory to provision a new user in AD. But while adding
> the user, I am getting the following error:
>
> Server_Info='0000052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0
>
> Can you guide me as to how can I detect and eliminate the cause of it
> please.
>
> Thanks,
> Mayuresh
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
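Two things in this thread are worth having as working code: decoding the Win32 code that leads the Server_Info string Mayuresh posted (the part Steve fed to err.exe), and building an LDAP Add whose attributes are ordered so that unicodePwd precedes userAccountControl, which is the order Steve's repro and joe's admod footnote say a Windows Server 2003 RTM DC needs. The Python below is an added example; it is not code from the list, from Steve, or from joe. Its error-name and problem-name tables contain only the values that appear in the thread, and the helper names, the ordering check and the sample values are my own assumptions.

```python
"""Added example: decode an AD extended-error string and build an ordered
user-add attribute list (unicodePwd before userAccountControl)."""
import re

# Lookup tables constructed from the values quoted in the thread only.
WIN32_ERRORS = {0x52D: "ERROR_PASSWORD_RESTRICTION"}   # winerror.h, decimal 1325
LDAP_PROBLEMS = {5003: "WILL_NOT_PERFORM"}

# userAccountControl bits used below (standard AD flag values).
ACCOUNT_DISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200   # 512, the value used in the repro and in admod

# Constructed sample input: the string from Mayuresh's original post.
SAMPLE_ERROR = ("Server_Info='0000052D: SvcErr: DSID-031A0B56, "
                "problem 5003 (WILL_NOT_PERFORM), data 0")

_EXT_ERR = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<pname>\w+)\), data (?P<data>\d+)"
)


def parse_extended_error(server_info: str) -> dict:
    """Split an AD extended-error string into its fields and name the Win32 code.

    The leading eight hex digits are a Win32 error (what err.exe looks up);
    the DSID is a build-specific source location and is kept only for display.
    """
    text = server_info.strip()
    if text.startswith("Server_Info="):
        text = text[len("Server_Info="):].strip("'\"")
    m = _EXT_ERR.match(text)
    if m is None:
        raise ValueError(f"unrecognised extended error: {server_info!r}")
    code = int(m["win32"], 16)
    problem = int(m["problem"])
    return {
        "win32_code": code,
        "win32_name": WIN32_ERRORS.get(code, "UNKNOWN"),
        "kind": m["kind"],
        "dsid": m["dsid"],
        "problem": problem,
        "problem_name": LDAP_PROBLEMS.get(problem, m["pname"]),
        "data": int(m["data"]),
    }


def encode_unicode_pwd(password: str) -> bytes:
    """AD wants unicodePwd as the password wrapped in double quotes, UTF-16-LE, no BOM.
    This is what LDP's \\UNI:"..." syntax produces for you."""
    return f'"{password}"'.encode("utf-16-le")


def violates_rtm_ordering(attrs) -> bool:
    """True when the Add would trip the 2003 RTM bug described by Steve:
    userAccountControl appears before unicodePwd AND does not disable the account."""
    names = [name.lower() for name, _ in attrs]
    if "unicodepwd" not in names or "useraccountcontrol" not in names:
        return False
    uac_pos = names.index("useraccountcontrol")
    if uac_pos > names.index("unicodepwd"):
        return False                      # password first: fine on RTM and SP1
    uac_value = int(attrs[uac_pos][1][0])
    return not (uac_value & ACCOUNT_DISABLE)


def build_user_add(sam_account_name: str, password: str, enabled: bool = True) -> list:
    """Attribute list for a single LDAP Add that creates a usable user.

    Returned as an ordered list of (attribute, [values]) tuples so the order
    survives to the wire; unicodePwd is deliberately placed before
    userAccountControl. Must be sent over LDAPS or a sealed (Kerberos
    encrypted) bind, as the thread notes for admod's -kerbenc and LDP's SSL.
    """
    uac = NORMAL_ACCOUNT if enabled else NORMAL_ACCOUNT | ACCOUNT_DISABLE
    attrs = [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam_account_name.encode("utf-8")]),
        ("unicodePwd", [encode_unicode_pwd(password)]),
        ("userAccountControl", [str(uac).encode("ascii")]),
    ]
    if violates_rtm_ordering(attrs):      # defensive: should never fire here
        raise RuntimeError("unicodePwd must precede userAccountControl")
    return attrs


if __name__ == "__main__":
    info = parse_extended_error(SAMPLE_ERROR)
    print(f"0x{info['win32_code']:08X} ({info['win32_code']}) = {info['win32_name']}, "
          f"problem {info['problem']} {info['problem_name']}, DSID-{info['dsid']}")
    for name, values in build_user_add("testuser", "ExamplePassw0rd!"):
        print(f"{name}: {values}")
```

The list form is what python-ldap's `add_s(dn, modlist)` accepts, so the order shown is the order put on the wire; the same attributes as a dict would depend on the client library preserving insertion order. `violates_rtm_ordering` encodes exactly the condition Steve describes (enabled account, userAccountControl sent first), so it also returns False for an Add that creates the account disabled, which matches joe's older create-disabled, set-password, enable sequence.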
