info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
reset AD user password when account is expired
6 views
Skip to first unread message
Natxo Asenjo
Nov 21, 2014, 4:30:05 PM11/21/14
to perl...@perl.org
hi,
using code like in the FAQ it is really simple to change the password
of an AD user.
Unfortunately, once the account is already expired I get this error:
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 773, v1db1
And according to http://www-01.ibm.com/support/docview.wss?uid=swg21290631,
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext
error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be
changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password
change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential
I am actually binding as the user self (this will be a self-service
site for our users to reset their passwords). Is it possible to change
one's password once the account has expired or do I have to bind as a
service account and reset the user password like that? I prefer not
having to hardcode credentials in the application, but if there is no
other way ..
Thanks!
--
Groeten,
natxo
using code like in the FAQ it is really simple to change the password
of an AD user.
Unfortunately, once the account is already expired I get this error:
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 773, v1db1
And according to http://www-01.ibm.com/support/docview.wss?uid=swg21290631,
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext
error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be
changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password
change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential
I am actually binding as the user self (this will be a self-service
site for our users to reset their passwords). Is it possible to change
one's password once the account has expired or do I have to bind as a
service account and reset the user password like that? I prefer not
having to hardcode credentials in the application, but if there is no
other way ..
Thanks!
--
Groeten,
natxo
Bruce Johnson
Nov 21, 2014, 4:45:02 PM11/21/14
to Natxo Asenjo, perl...@perl.org
On Nov 21, 2014, at 2:19 PM, Natxo Asenjo <natxo....@gmail.com> wrote:
hi,
using code like in the FAQ it is really simple to change the password
of an AD user.
Unfortunately, once the account is already expired I get this error:
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 773, v1db1
There’s this thread at perlmonks that might help:
Shorter: You can’t do it with LDAP; you have to do it via Kerberos.
--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group
Institutions do not have opinions, merely customs
Justin Alcorn
Nov 23, 2014, 8:45:02 PM11/23/14
to Natxo Asenjo, perl...@perl.org
One a password has expired, the only way for a user to reset their own password is C-A-D from a domain workstation. And no vpn.
-- Sent from my Droid. Please excuse any tpyos and autocorrect errors.
0 new messages