Unable to change user's password (Active Directory)
Hi guys,
First, thank you for porting the code over to .Net core!
I’m having some issues with changing the user’s password using the LDAP modify methods. I receive one of the following errors, depending on which route I take:
- Binding as a domain admin and using LdapModification.REPLACE:
Unwilling To Perform (53) Unwilling To Perform LdapException: Server Message: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
- Binding as the user itself and using LdapModification.DELETE and LdapModification.ADD:
Constraint Violation (19) Constraint Violation LdapException: Server Message: 00002081: AtrErr: DSID-03190FA0, #1: 0: 00002081: DSID-03190FA0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
Code excerpts for both routes:
1) Binding as a domain admin:
string UserToChange = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
LdapAttribute attribute = new LdapAttribute("unicodePwd", "\"myNewStrongPassword\"");
LdapModification modification = new LdapModification(LdapModification.REPLACE, attribute);
_connection.Modify(UserToChange, modification);
2) Binding as the user:
string UserToChange = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
LdapModification[] modifications = new LdapModification[2];
LdapAttribute deletePassword = new LdapAttribute("unicodePwd", "\"myOldPassword\"");
modifications[0] = new LdapModification(LdapModification.DELETE, deletePassword);
LdapAttribute addPassword = new LdapAttribute("unicodePwd", "\"myNewStrongPassword\"");
modifications[1] = new LdapModification(LdapModification.ADD, addPassword);
_connection.Modify(UserToChange, modifications);
Things I have checked and tried:
- Convert the password to a Unicode (UTF-16LE) byte array and then convert it to a base64 string using the code below:
string password = "\"myNewStrongPassword\"";
byte[] encodedBytes = Encoding.Unicode.GetBytes(password);
string encodedTxt = Convert.ToBase64String(encodedBytes);
- Connect with SSL (this is the only way to perform actions on the unicodePwd field)
- Read various implementations on the web; most of the ones I found are Java and PHP
- The password myNewStrongPassword is valid against the AD password policies
If anyone has any idea or could point me in the right direction, that would be great! 😃
Top GitHub Comments
I managed to fix this by doing the following:
Instead of:
Convert it to sbyte (and drop the string and base64 encoding):
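The fix above, carried through both routes from the issue, as an added example that is not code from the issue, the commenter or the library's own documentation. It assumes the Novell.Directory.Ldap.NETStandard 2.x API the issue uses (an LdapAttribute constructor taking sbyte[] and the upper-case REPLACE/DELETE/ADD constants; 3.x takes byte[] and uses PascalCase names), and the host, DN and password parameters are hypothetical.

```csharp
using System;
using System.Text;
using Novell.Directory.Ldap; // Novell.Directory.Ldap.NETStandard, 2.x API as in the issue
public static class AdPasswordExample
{
    // AD accepts unicodePwd only as the raw UTF-16LE bytes of the password wrapped in double
    // quotes, over LDAPS. A .NET string or a base64 string produces the WILL_NOT_PERFORM /
    // CONSTRAINT_ATT_TYPE errors quoted in the issue.
    private static sbyte[] EncodePassword(string password)
    {
        byte[] utf16 = Encoding.Unicode.GetBytes("\"" + password + "\"");
        // The 2.x LdapAttribute constructor takes sbyte[]; reinterpret the bytes unchanged.
        return Array.ConvertAll(utf16, b => unchecked((sbyte)b));
    }
    private static LdapConnection ConnectLdaps(string host, string bindDn, string bindPassword)
    {
        var conn = new LdapConnection { SecureSocketLayer = true }; // LDAPS on 636 is mandatory
        conn.Connect(host, 636);
        conn.Bind(bindDn, bindPassword);
        return conn;
    }
    // Administrative reset: one REPLACE. Requires the "Reset Password" right on the object;
    // the old password is not required.
    public static void ResetPassword(string host, string adminDn, string adminPassword, string userDn, string newPassword)
    {
        LdapConnection conn = ConnectLdaps(host, adminDn, adminPassword);
        try
        {
            conn.Modify(userDn, new LdapModification(LdapModification.REPLACE,
                new LdapAttribute("unicodePwd", EncodePassword(newPassword))));
        }
        finally { conn.Disconnect(); }
    }
    // Self-service change: DELETE the old value and ADD the new one in a single Modify call.
    // AD verifies the old password and enforces the full password policy on the new one.
    public static void ChangeOwnPassword(string host, string userDn, string oldPassword, string newPassword)
    {
        LdapConnection conn = ConnectLdaps(host, userDn, oldPassword);
        try
        {
            conn.Modify(userDn, new[]
            {
                new LdapModification(LdapModification.DELETE, new LdapAttribute("unicodePwd", EncodePassword(oldPassword))),
                new LdapModification(LdapModification.ADD, new LdapAttribute("unicodePwd", EncodePassword(newPassword))),
            });
        }
        finally { conn.Disconnect(); }
    }
}
```

Both calls fail with the errors from the issue if the connection is plain LDAP or the value is not the quoted UTF-16LE byte form, so a failing Modify is the first place to check those two conditions.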
Did below and it worked!
First, install an SSL cert in AD, then reboot the AD server: https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-install-ssl-certificates-in-active-directory.html
Second, verify the LDAPS connection
After a certificate is installed, follow these steps to verify that LDAPS is enabled: Start the Active Directory Administration Tool (Ldp.exe). On the Connection menu, click Connect. Type the name of the domain controller to which you want to connect. Type 636 as the port number. Click OK. RootDSE information should print in the right pane, indicating a successful connection.
Third, install the NuGet package System.DirectoryServices.Protocols and use the code below
using System.DirectoryServices.Protocols;
public async Task<IActionResult> OnPostSubmit()
{
}