reset AD user password when account is expired


Natxo Asenjo

Nov 21, 2014, 4:30:05 PM
to perl...@perl.org
hi,

using code like in the FAQ it is really simple to change the password
of an AD user.

Unfortunately, once the account is already expired I get this error:

80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 773, v1db1

And according to http://www-01.ibm.com/support/docview.wss?uid=swg21290631,

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext
error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be
changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password
change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential

I am actually binding as the user themselves (this will be a self-service
site for our users to reset their passwords). Is it possible to change
one's password once the account has expired or do I have to bind as a
service account and reset the user password like that? I prefer not
having to hardcode credentials in the application, but if there is no
other way ..

Thanks!

--
Groeten,
natxo
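
As an added example (not code from this thread or from Net::LDAP), one way a self-service site could parse the diagnostic string quoted above and decide what to show the user. `classify_bind_error` and the action names are hypothetical; only the 773 mapping comes from the thread, the other sub-codes are standard Win32 error values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# "data" sub-codes (hex Win32 errors) AD reports on a failed bind.
# 773 is the one in this thread; the others are standard Win32 values.
my %NAME = (
    '525' => 'ERROR_NO_SUCH_USER',       '52e' => 'ERROR_LOGON_FAILURE',
    '532' => 'ERROR_PASSWORD_EXPIRED',   '533' => 'ERROR_ACCOUNT_DISABLED',
    '701' => 'ERROR_ACCOUNT_EXPIRED',    '773' => 'ERROR_PASSWORD_MUST_CHANGE',
    '775' => 'ERROR_ACCOUNT_LOCKED_OUT',
);

# Hypothetical helper: turn the server's diagnostic text (what Net::LDAP
# returns from $mesg->error after a failed bind) into a decision.
sub classify_bind_error {
    my ($text) = @_;
    (my $flat = $text) =~ s/\s+/ /g;    # undo mail/log line wrapping
    my ($dsid, $code) = $flat =~
        /LdapErr: (DSID-[0-9A-F]+), comment: AcceptSecurityContext error, data ([0-9a-f]+),/i
        or return { action => 'unknown', reveal => 0 };
    $code = lc $code;
    my %r = (dsid => $dsid, data => $code, win32 => hex($code),
             name => $NAME{$code} // 'UNRECOGNIZED');
    if ($code eq '773') {
        # Per the IBM note quoted above, 773 comes back only for valid
        # credentials, so it is safe to tell this user what is wrong.
        @r{qw(action reveal)} = ('password_must_change', 1);
    } else {
        # Everything else, including 525 vs 52e, gets the same generic
        # outcome so the site does not reveal whether an account exists.
        @r{qw(action reveal)} = ('generic_failure', 0);
    }
    return \%r;
}

# Constructed input: the first two are the messages quoted in this thread
# (line wrap kept); the third is a made-up wrong-password example.
my @samples = (
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext\nerror, data 773, v1db1",
    "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext\nerror, data 773, v893",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
);
for my $s (@samples) {
    my $r = classify_bind_error($s);
    printf "%-14s data=%-3s win32=%-4s %-26s action=%s reveal=%d\n",
        $r->{dsid} // '-', $r->{data} // '-', $r->{win32} // '-',
        $r->{name} // '-', $r->{action}, $r->{reveal};
}
```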

Bruce Johnson

Nov 21, 2014, 4:45:02 PM
to Natxo Asenjo, perl...@perl.org

On Nov 21, 2014, at 2:19 PM, Natxo Asenjo <natxo....@gmail.com> wrote:

> hi,
>
> using code like in the FAQ it is really simple to change the password
> of an AD user.
>
> Unfortunately, once the account is already expired I get this error:
>
> 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
> error, data 773, v1db1

There’s this thread at perlmonks that might help:


Shorter: You can’t do it with LDAP; you have to do it via Kerberos.

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs

Justin Alcorn

Nov 23, 2014, 8:45:02 PM
to Natxo Asenjo, perl...@perl.org

Once a password has expired, the only way for a user to reset their own password is C-A-D from a domain workstation. And no VPN.

-- Sent from my Droid. Please excuse any tpyos and autocorrect errors.
