Re: Setting Passwords via DSML with non-admin type Domain User Cre

From: Marvin Bobo (marvinb_at_community.nospam)
Date: 05/25/05


Date: Wed, 25 May 2005 12:31:01 -0700

My apologies, code would help but I am not sure how to do the remove op in
DSML. What is happening is we have an external system that will "create" the
password and this is transferred to Active Directory in support of a
proprietary application. Therefore the unicodePwd field is being modified.
What I am not sure of is how to "remove" the unicodePwd attribute and then
set it. Here is the batch request (in DSML) which works under administrator
level but not doing the suggestion in your original post.

<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
  <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <batchRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <modifyRequest dn="cn=test,ou=testou,DC=TFODev,DC=local">
        <modification name="unicodePwd" operation="replace">
          <value xsi:type="xsd:base64Binary">IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=</value>
        </modification>
      </modifyRequest>
    </batchRequest>
  </se:Body>
</se:Envelope>

"Joe Kaplan (MVP - ADSI)" wrote:

> It isn't easy finding any help for DSML as it is not very well used. I
> actually know almost nothing about it.
>
> Based on the previous post that you referred to (which I guess I wrote :)),
> I want to ask if you are doing the remove and add mod op instead of the
> replace. If you show your code, that might help (although I know neither
> DSML nor Perl very well, I should be able to figure it out, especially if you
> post both versions).
>
> If you try to do a set password (just an LDAP replace), you'll probably have
> a permissions problem because normal users don't have rights to reset
> passwords, only to change their own.
>
> HTH,
>
> Joe K.
> "Marvin Bobo" <marvinb@community.nospam> wrote in message
> news:FC83C34F-44F5-4108-A60A-DF55EFB0F7BF@microsoft.com...
> > When I execute the DSML request to change the password as Admin, works ok.
> > When I execute as the domain user, fails with "HTTP Error 401.3 -
> > Unauthorized: Access is denied due to an ACL set on the requested
> > resource".
> > I have set the specific user to full control on the ou and container for the
> > user. The domain user logging on is changing its own account.
> >
> > Here is a post that is related to what I need to do but this is with LDAPs
> > using Perl scripts:
> >
> > http://msdn.microsoft.com/newsgroups/managed/Default.aspx?dg=microsoft.public.active.directory.interfaces&mid=8461ad71-02a4-4759-8812-b0494e900898&sloc=en-us
>
>
>
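
The "remove and add" modification discussed in this thread, as an added example that is not part of either post: Active Directory treats a single modify that deletes the old unicodePwd value and adds the new one as a user password change, while a replace is an administrative reset. The sketch below builds that DSMLv2 batch request; the function names, the `dsml` prefix and the old password value are constructed for illustration, and DSMLv2's `delete` operation stands in for the LDAP remove.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"

ET.register_namespace("se", SOAP)
ET.register_namespace("dsml", DSML)   # prefix chosen for this example
ET.register_namespace("xsi", XSI)


def encode_unicode_pwd(password):
    """unicodePwd wire format: password wrapped in double quotes, UTF-16LE, base64."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def build_change_request(dn, old_password, new_password):
    """Return a SOAP envelope with one modifyRequest: delete old value, add new value."""
    if not old_password or not new_password:
        raise ValueError("a password change needs both the old and the new password")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    batch = ET.SubElement(body, f"{{{DSML}}}batchRequest")
    # xsi:type carries the QName "xsd:base64Binary" as text, so the xsd prefix
    # has to be declared by hand; ElementTree only declares prefixes used in names.
    batch.set("xmlns:xsd", XSD)
    # Building the tree with a library (not string pasting) keeps the DN escaped.
    modify = ET.SubElement(batch, f"{{{DSML}}}modifyRequest", {"dn": dn})
    # Order matters: the delete must name the current password, the add sets the new one.
    for operation, password in (("delete", old_password), ("add", new_password)):
        mod = ET.SubElement(modify, f"{{{DSML}}}modification",
                            {"name": "unicodePwd", "operation": operation})
        value = ET.SubElement(mod, f"{{{DSML}}}value",
                              {f"{{{XSI}}}type": "xsd:base64Binary"})
        value.text = encode_unicode_pwd(password)
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    # DN taken from the post; "oldPassword" is a constructed sample value.
    print(build_change_request("cn=test,ou=testou,DC=TFODev,DC=local",
                               "oldPassword", "newPassword"))
```
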


