Re: LDAP changePassword always returns error
From: Tom (Tom_at_discussions.microsoft.com)
Date: 06/15/05
Date: Wed, 15 Jun 2005 12:27:03 -0700
OK, now I've updated the password and return error 2245.
"The password does not meet the password requirements. Check the minimum
password length, password complexity and password histroy requirements."
I think this error is bogus - no matter how strong my password, it always
returns this error.
"Joe Richards [MVP]" wrote:
> That breaks down to be error 86.
>
> Paste it into calculator, tell calc to convert to hex, specify Word for size,
> then convert back to decimal.
>
> Error 86 is
>
> C:\WINDOWS>net helpmsg 86
>
> The specified network password is not correct.
>
>
> This would tell me that the old password you are trying to use is not correct.
> Running as administrator has no bearing on it because you are using the old
> password and the new. Running as an admin (or someone with SetPassword CA rights
> on the user object) only impacts the SETPASSWORD method.
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Tom wrote:
> > This is really weird - I run the script as an administrator, and return an
> > empty error description with the error number -2147024810.
> >
> > When I look that up in the Microsoft Knowledge Base, it looks like it's a
> > SiteServer error, which isn't even installed on that server.
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>I filtered this down to this basic example
> >>
> >>p_DistinguishedName=wscript.arguments.item(0)
> >>p_OldPassword=wscript.arguments.item(1)
> >>p_NewPassword=wscript.arguments.item(2)
> >>
> >>
> >>if p_DistinguishedName= "" then
> >> wScript.Quit
> >>end if
> >>
> >>set objUser = getObject("LDAP://" & p_distinguishedName)
> >>if isObject(objUser) then
> >> objUser.ChangePassword p_OldPassword, p_NewPassword
> >> wscript.echo "Password change successful"
> >>else
> >> wscript.echo "Didn't get a handle to the user object"
> >>end if
> >>
> >>
> >>This runs successfully for me
> >>
> >>[Fri 06/10/2005 20:45:31.12]
> >>G:\TEMP>pwd.vbs cn=someuser,cn=users,dc=joe,dc=com password somenewpassword
> >>Microsoft (R) Windows Script Host Version 5.6
> >>Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
> >>
> >>Password change successful
> >>
> >>[Fri 06/10/2005 20:45:51.69]
> >>G:\TEMP>pwd.vbs cn=someuser,cn=users,dc=joe,dc=com password somenewpassword2
> >>Microsoft (R) Windows Script Host Version 5.6
> >>Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
> >>
> >>G:\TEMP\pwd.vbs(12, 3) (null): The specified network password is not correct.
> >>
> >>
> >>[Fri 06/10/2005 20:45:56.69]
> >>G:\TEMP>pwd.vbs cn=someuser,cn=users,dc=joe,dc=com somenewpassword somenewpassword2
> >>Microsoft (R) Windows Script Host Version 5.6
> >>Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
> >>
> >>Password change successful
> >>
> >>[Fri 06/10/2005 20:46:09.47]
> >>G:\TEMP>
> >>
> >>
> >>
> >>
> >>What again are the exact errors you are seeing when running through vbscript,
> >>not through a web page. Web pages add all sorts of screwed up issues that aren't
> >>script related, but instead IIS and the IIS Script engine related.
> >>
> >> joe
> >>
> >>
> >>
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>Tom wrote:
> >>
> >>>Joe,
> >>>
> >>>The code follows. I've disabled error handling to show the error.
> >>>
> >>>I based it off this script at Technet:
> >>>http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/uspwvb02.mspx
> >>>
> >>>I get the same error when I run the script as the user through a web page,
> >>>the user logged into the machine, or a domain administrator logged into the
> >>>machine. However, forcing the password to be overwritten works fine when
> >>>logged in as a domain admin.
> >>>
> >>>function changePassword(p_DistinguishedName, p_NewPassword, p_OldPassword)
> >>>
> >>>'on error resume next
> >>>if p_DistinguishedName= "" then
> >>> wScript.Quit
> >>>end if
> >>> set objUser = getObject("LDAP://" & p_distinguishedName)
> >>> if isObject(objUser) then
> >>> 'When run in the context of a domain administrator, this forces
> >>> 'the new password to overwrite the old. It works fine.
> >>> 'objUser.setPassword p_NewPassword
> >>>
> >>> 'This is the line of code in question. It's based off a script in
> >>> 'Technet's script center.
> >>> objUser.ChangePassword p_OldPassword, p_NewPassword
> >>> else
> >>> strMsg = Server.URLEncode("Sorry, there was a problem processing your " & _
> >>> "password change. <a href='changepassword.asp'>Please try again</a>.<p>If " & _
> >>> "this problem persists, please contact your administrator.")
> >>> response.redirect("confirm.asp?m=" & strMsg & "&e=1")
> >>> end if
> >>> strMsg = Server.urlEncode("Password for user <b>" & _
> >>> request.Form("username") & "</b> has been changed!")
> >>> response.redirect("confirm.asp?m=" & strMsg)
> >>>
> >>>end function
> >>>
> >>>"Joe Richards [MVP]" wrote:
> >>>
> >>>
> >>>
> >>>>Post the script
> >>>>
> >>>>--
> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>www.joeware.net
> >>>>
> >>>>
> >>>>Tom wrote:
> >>>>
> >>>>
> >>>>>I'm working on a script to change a user's password in an AD domain.
> >>>>>
> >>>>>Our problem is a script that uses the changePassword method to change a
> >>>>>user's password. No matter how strong the new password is, we always return
> >>>>>an error that says the new password is either not unique or doesn't meet the
> >>>>>policy for strong passwords. This script doesn't work when run as either the
> >>>>>user making the change or the domain administrator.
> >>>>>
> >>>>>I think this error is bogus; we have another script that overwrites the
> >>>>>user's password with a strong random one (which runs in the context of the
> >>>>>domain admin), and that works fine.
> >>>>
>
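The decoding Joe describes (-2147024810 down to Win32 error 86), done in the script itself so a wrong old password and a policy rejection are reported separately. This is an added example, not code from the thread or from Microsoft; the function names HResultCode, HResultFacility and Explain are hypothetical, and the argument order follows Joe's pwd.vbs.

```vbscript
' Added example, not from the thread. Usage mirrors Joe's pwd.vbs:
'   cscript pwd2.vbs <distinguishedName> <oldPassword> <newPassword>
Option Explicit
Const FACILITY_WIN32 = 7

' Low 16 bits of an HRESULT are the status code (the "Word" size in calc).
Function HResultCode(hr)
    HResultCode = hr And 65535            ' 0xFFFF written in decimal so it stays a Long
End Function

' Bits 16-26 are the facility; 7 means the low word is a Win32 error.
Function HResultFacility(hr)
    HResultFacility = (hr And 134152192) \ 65536   ' mask 0x07FF0000, shift right 16
End Function

Function Explain(hr)
    If hr >= 0 Or HResultFacility(hr) <> FACILITY_WIN32 Then
        Explain = "0x" & Hex(hr) & " (not a Win32-facility failure code)"
        Exit Function
    End If
    Select Case HResultCode(hr)
        Case 86      ' -2147024810 in the thread
            Explain = "86: the old password supplied is not correct"
        Case 2245    ' the error Tom reports after fixing the old password
            Explain = "2245: new password rejected by policy (length, complexity, history)"
        Case Else
            Explain = HResultCode(hr) & ": run 'net helpmsg " & HResultCode(hr) & "'"
    End Select
End Function

Dim objUser, hr
If WScript.Arguments.Count <> 3 Then
    WScript.Echo "Usage: cscript pwd2.vbs <distinguishedName> <oldPassword> <newPassword>"
    WScript.Quit 1
End If

On Error Resume Next
Set objUser = GetObject("LDAP://" & WScript.Arguments.Item(0))
If Err.Number <> 0 Then
    WScript.Echo "Bind failed: " & Explain(Err.Number)
    WScript.Quit 1
End If
objUser.ChangePassword WScript.Arguments.Item(1), WScript.Arguments.Item(2)
hr = Err.Number          ' capture before error handling is reset
On Error GoTo 0
If hr = 0 Then
    WScript.Echo "Password change successful"
Else
    WScript.Echo "ChangePassword failed: " & Explain(hr)
End If
```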