Re: Can't change passwd in AD 2008 R2

Thu, 28 Apr 2011 13:11:08 -0700 

Also, this works when I do the password change as the AD admin, but not
as a normal user, so I think it's either a permission problem on the AD
server, or MS changed the method of changing the password for non-admins
("self").

On 04/28/2011 04:00 PM, Dan Cutler wrote:
> Prentice,
> 
> Try using LDAPS.  The setup for this isn't terribly easy but once you've got 
> the keys in place, AD seems more friendly.
> 
> From my understanding AD will only let you make "security related" changes 
> over secured (encrypted) connections (-Z) switch below...
> 
> ie: ldapmodify  -c -x -D "CN=ldap 
> Admin,OU=ServiceAccounts,DC=mycompany,DC=com" -w 'supersecretpw' -f 
> new_users_pw.ldif  -H ldaps://dc01.mycompany.com -Z
> 
> I typically write perl code to create LDIF files, then use "ldappmodify" with 
> wire encryption.
> 
> If I don't use encryption, AD rejects all security related changes.
> 
> Hope that helps.
> 
> --Dan
> 
> -----Original Message-----
> From: Prentice Bisbal [mailto:prent...@ias.edu] 
> Sent: Thursday, April 28, 2011 3:07 PM
> To: perl-ldap@perl.org
> Subject: Can't change passwd in AD 2008 R2
> 
> We recently updated our Active Directory servers to 2008 R2. I had a
> perl script that would change a users password in OpenLDAP and Active
> Directory at the same time. This was working fine until the update. I
> can still change a user's password when I bind as an AD administrator,
> but not as a normal user. Has anyone else here gone through this?
> 
> I know the that behavior or replacing a password is different whether
> you are an administrator or regular user changing your own password, as
> documented here:
> 
> http://support.microsoft.com/?kbid=269190
> 
> I wrote this code based on the above link:
> 
> # AD doesn't allow non-admin users to replace their password.
> # Instead, it must be deleted and re-added. Administrators can only
> # replace a password.
> if ($username ne getlogin()) {
>     $mesg = $ad->modify($ad_user_dn, replace=>{unicodePwd =>
> $newUnicodePwd} );
> } else {
>     $mesg = $ad->modify($ad_user_dn, delete=>{unicodePwd =>
> $newUnicodePwd});
>     $code = $mesg->code;
>     if ($code != 0) {
>       $mesg = $ad->modify($ad_user_dn, replace=>{unicodePwd =>
> $newUnicodePwd} );
>     }
> }
> 
> This worked for just fine until the upgrade to 2008 R2. Any ideas?
> 

--

Reply via email to