
how would an LDAP client handle a bind failure because the user password needs to be reset?


ravi

Oct 30, 2009, 7:19:12 PM
Here's the scenario:

I log into Active Directory as an admin and check 'user must
change password at next logon' for user x.

Then, I try to bind to active directory as user x and the bind fails
with the response:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext
error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be
changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password
change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/
credential.

Now, what am I supposed to do from the LDAP client next to actually be
able to change the password? Since the bind failed, I can't really
change any password attribute on the active directory server!
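As an added example (not code from the thread), here is how a client could handle the failure described above: parse the AD diagnostic message, pull out the hex sub-code after `data`, and turn a 773 into a clear message that the account can only be fixed through an interactive Windows logon or by an administrator, rather than retrying the bind. It assumes the diagnostic string is the server's diagnosticMessage as exposed by whatever LDAP library the client uses; the sample strings are constructed, and the 52e/532/533/775 codes beyond the thread's 773 are Microsoft's documented AcceptSecurityContext sub-codes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the diagnostic message quoted in the thread.
SAMPLE_DIAG = ("80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext "
               "error, data 773, v893")

# AD bind sub-error codes as they appear (in hex) after "data". 773 is the one
# from the thread; the rest are Microsoft's documented AcceptSecurityContext codes.
AD_SUBCODES = {
    "52e": ("invalid_credentials", "Wrong username or password."),
    "532": ("password_expired", "Your password has expired."),
    "533": ("account_disabled", "This account is disabled."),
    "773": ("must_change_password",
            "Your password must be changed before you can sign in."),
    "775": ("account_locked", "This account is locked out."),
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


@dataclass(frozen=True)
class BindFailure:
    subcode: Optional[str]   # hex sub-code from the message, or None if absent
    reason: str              # machine-readable reason for logging / branching
    user_message: str        # what the client should show the user


def classify_bind_failure(diag: str) -> BindFailure:
    """Map an AD bind-failure diagnostic message to an actionable result."""
    m = _DATA_RE.search(diag)
    if not m:
        # Not an AD AcceptSecurityContext failure (or a different format):
        # do not guess, report a generic failure.
        return BindFailure(None, "unknown", "Sign-in failed.")
    code = m.group(1).lower()
    reason, msg = AD_SUBCODES.get(code, ("unknown", "Sign-in failed."))
    if reason == "must_change_password":
        # As the thread explains, the user cannot bind in this state, so the
        # client cannot change the password over LDAP. Say so explicitly
        # instead of looping on bind attempts (which only lock the account).
        msg += (" This cannot be done from this application; change it at a "
                "Windows sign-in or ask an administrator to reset it.")
    return BindFailure(code, reason, msg)
```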

Joe Kaplan

Oct 30, 2009, 10:21:22 PM
As far as I know, you cannot correct this issue via LDAP. AD will not allow
you to perform operations without having issued a bind, but you can't bind
when you are in this state, so it is a catch-22. As far as I know, only the
interactive Windows login APIs allow you to change the password at next logon.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"ravi" <thejed...@gmail.com> wrote in message
news:38ebf021-5fd8-4cac...@r24g2000prf.googlegroups.com...

ravi

Nov 2, 2009, 6:37:04 PM
Joe,
That was a very helpful answer! As a last resort, I was planning on
maybe sniffing what happens during the interactive Windows logon
process to see what packets are sent to the LDAP server.

Thanks a lot for your input.
Ravi.

On Oct 30, 6:21 pm, "Joe Kaplan" <joseph.e.kap...@removethis.accenture.com> wrote:
> As far as I know, you cannot correct this issue via LDAP. AD will not allow
> you to perform operations without having issued a bind, but you can't bind
> when you are in this state, so it is a catch-22. As far as I know, only the
> interactive Windows login APIs allow you to change the password at next logon.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> "ravi" <thejedikni...@gmail.com> wrote in message

Joe Kaplan

Nov 2, 2009, 11:49:17 PM
LDAP is not used at all during interactive login. There is definitely
network traffic to the DC (usually primarily Kerberos and other RPC stuff)
but no LDAP unless that's executed by a login script or GPO after the actual
login.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"ravi" <thejed...@gmail.com> wrote in message
news:2ebdae13-bdef-40e5...@x6g2000prc.googlegroups.com...

ravi

Nov 3, 2009, 12:41:10 PM
Thanks Joe, it all makes sense to me now! :-)

On Nov 2, 8:49 pm, "Joe Kaplan" <joseph.e.kap...@removethis.accenture.com> wrote:
> LDAP is not used at all during interactive login. There is definitely
> network traffic to the DC (usually primarily Kerberos and other RPC stuff)
> but no LDAP unless that's executed by a login script or GPO after the actual
> login.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
