Re: Setting Passwords via DSML with non-admin type Domain User Cre

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/25/05

  • Next message: Marvin Bobo: "Re: Setting Passwords via DSML with non-admin type Domain User Cre"
    Date: Wed, 25 May 2005 16:36:34 -0500

    Ok, so in this case you are just doing an LDAP replace operation. That is
    essentially the AD equivalent of Reset Password when modifying unicodePwd.
    This is done by administrators when creating an account with an initial
    password or doing an administrative reset when the user forgets.

    To do a change password, you do two mod ops, a "delete" and an "add",
    although I'm not sure what the DSML for this is. You delete the old
    password value and add the new one. You need the old password to do this.
    I assume DSML lets you do a batch of modifications in a single operation.

    Generally, normal users have rights to change their own password but cannot
    set the password for anyone. Admins can set the password for anyone and can
    change their own, but can't change a normal user's password.

    So, I think it might depend on what you are trying to do here. If the goal
    is for end user password change, then you can do that, but you need the old
    password.

    "Marvin Bobo" <marvinb@community.nospam> wrote in message
    news:556AE95B-B6F6-49FD-A058-10D2087853D4@microsoft.com...
    > My apologies, code would help but I am not sure how to do the remove op in
    > DSML. What is happening is we have an external system that will "create" the
    > password and this is transferred to Active Directory in support of a
    > proprietary application. Therefore the unicodePwd field is being modified.
    > What I am not sure of is how to "remove" the unicodePwd attribute and then
    > set it. Here is the batch request (in DSML) which works under administrator
    > level but not doing the suggestion in your original post.
    >
    > <se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
    > <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
    > <batchRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    > xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    > <modifyRequest dn="cn=test,ou=testou,DC=TFODev,DC=local">
    > <modification name="unicodePwd" operation="replace">
    > <value
    > xsi:type="xsd:base64Binary">IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=</value>
    > </modification>
    > </modifyRequest>
    > </batchRequest>
    > </se:Body>
    > </se:Envelope>
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> It isn't easy finding any help for DSML as it is not very well used. I
    >> actually know almost nothing about it.
    >>
    >> Based on the previous post that you referred to (which I guess I wrote :)),
    >> I want to ask if you are doing the remove and add mod op instead of the
    >> replace. If you show your code, that might help (although I know neither
    >> DSML nor PERL very well, I should be able to figure it out, especially if you
    >> post both versions).
    >>
    >> If you try to do a set password (just an LDAP replace), you'll probably have
    >> a permissions problem because normal users don't have rights to reset
    >> passwords, only to change their own.
    >>
    >> HTH,
    >>
    >> Joe K.
    >> "Marvin Bobo" <marvinb@community.nospam> wrote in message
    >> news:FC83C34F-44F5-4108-A60A-DF55EFB0F7BF@microsoft.com...
    >> > When I execute the DSML request to change the password as Admin, works ok.
    >> > When I execute as the domain user, fails with "HTTP Error 401.3 -
    >> > Unauthorized: Access is denied due to an ACL set on the requested
    >> > resource".
    >> > I have set the specific user to full control on the ou and container for
    >> > the user. The domain user logging on is changing its own account.
    >> >
    >> > Here is a post that is related to what I need to do but this is with LDAPs
    >> > using Perl scripts:
    >> >
    >> > http://msdn.microsoft.com/newsgroups/managed/Default.aspx?dg=microsoft.public.active.directory.interfaces&mid=8461ad71-02a4-4759-8812-b0494e900898&sloc=en-us

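Joe's delete-then-add suggestion as a DSML batchRequest, added here as an example and not code from the thread: it encodes unicodePwd the way the posted request does (password in double quotes, UTF-16LE, base64; the posted value decodes to "newPassword"), builds the self-service change (delete old + add new) beside the administrative reset (replace), and parses a request back so you can see which of the two it carries. The se:Envelope/se:Body SOAP wrapper from the posted request is left out, the dn is the one from the thread, and "oldPassword"/"newPassword" are constructed sample values.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

DSML_CORE = "urn:oasis:names:tc:DSML:2:0:core"

def encode_unicode_pwd(password: str) -> str:
    """AD takes unicodePwd as the password wrapped in double quotes and encoded
    UTF-16LE without a BOM; DSML carries that byte string base64-encoded."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")

def decode_unicode_pwd(value: str) -> str:
    """Inverse of encode_unicode_pwd, for inspecting a request you already have."""
    raw = base64.b64decode(value).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted UTF-16LE string")
    return raw[1:-1]

def _modification(operation: str, password: str) -> str:
    # base64 output never contains XML-special characters, so no escaping is needed
    return (f'<modification name="unicodePwd" operation="{operation}">'
            f'<value xsi:type="xsd:base64Binary">{encode_unicode_pwd(password)}'
            "</value></modification>")

def _batch_request(dn: str, operations) -> str:
    mods = "".join(_modification(op, pwd) for op, pwd in operations)
    return (f'<batchRequest xmlns="{DSML_CORE}" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
            f"<modifyRequest dn={quoteattr(dn)}>{mods}</modifyRequest></batchRequest>")

def change_password_request(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in a single
    modifyRequest. The DC verifies the old value, so no Reset Password right is needed."""
    return _batch_request(dn, [("delete", old_password), ("add", new_password)])

def reset_password_request(dn: str, new_password: str) -> str:
    """Administrative reset: a single replace, which requires the Reset Password right."""
    return _batch_request(dn, [("replace", new_password)])

def password_operations(dsml: str):
    """Parse a batchRequest and list its (operation, password) pairs, so a reviewer
    can tell a reset (replace) from a proper change (delete then add)."""
    root = ET.fromstring(dsml)
    ns = {"d": DSML_CORE}
    return [(m.get("operation"), decode_unicode_pwd(m.find("d:value", ns).text))
            for m in root.iterfind(".//d:modification[@name='unicodePwd']", ns)]
```

Whichever form is sent, AD only accepts unicodePwd modifications over an encrypted channel, so the DSML endpoint itself must be reached over TLS.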