Active Directory Password Change Via API

Ashan Jayasundara 41 Reputation points
2022-07-29T11:42:58.853+00:00

Hi Team,

I am trying to develop an API to manipulate Active Directory password changes via an API call. I am connecting to the LDAP server via an SSL connection, but I am unable to change the password due to the following issue:

{"lde_message":"0000001F: SvcErr: DSID-031A125F, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000","lde_dn":null}


Accepted answer
  1. Scott Dawson 156 Reputation points
    2022-07-29T18:32:11.19+00:00

    There's endless possibilities without seeing all your code and knowing your environment.

    High level things to check:

    1. Make sure you are making the call over LDAPS if your Domain Controllers are configured this way. Sounds like you already are.
    2. Make sure you can change the password manually. There are likely password policies preventing certain password lengths/reuse/complexity.
    3. Try to bind with an account with higher privileges than the account you are trying to change the password on.
    4. Connect directly to the PDC emulator.

    I would also try the same operation using ldp.exe as it may work and narrow down the issue. Or it may fail with a better LDAP code.


1 additional answer

  1. Gary Reynolds 9,621 Reputation points
    2022-07-30T00:20:38.167+00:00

    Hi @Ashan Jayasundara

    Have a look at this article, which contains the details of the requirements to set a user's password using LDAP - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2

    From the quick testing I've completed, while the article states there are different error codes for each failed validation, it seems they all result in a WILL_NOT_PERFORM error, with the exception of the following:

    • Password Complexity - Error: CONSTRAINT_ATT_TYPE - Extended Error Text: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain
    • User doesn't have Reset Password permission - Error: INSUFF_ACCESS_RIGHTS, Extended Error Text: The user has insufficient access rights, Access is denied.

    Requirements to set the password for LDAPS:

    • Password value must be unicode encoded
    • The password must be surrounded by quotations "<password>"
    • The modifier must be replace to force password reset

    Requirements to set the password for LDAP:

    • Password value must be unicode encoded
    • The password must be surrounded by quotations "<password>"
    • The modifier must be replace to force password reset
    • Session Option LDAP_OPT_ENCRYPT must be set

    Gary.
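Worked example added to this thread (not Gary's code, not Microsoft's, and not from the question): it builds the quoted UTF-16-LE unicodePwd value and the modify operations the requirements above describe, then sends them over LDAPS with the ldap3 library. The hostname, DNs and credentials are placeholders, and the delete-old/add-new form for a user-initiated change is taken from the linked MS-ADTS article rather than from this thread.

```python
from typing import List, Optional, Tuple

Change = Tuple[str, str, List[bytes]]  # (operation, attribute, values)


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password the way AD's unicodePwd attribute requires.

    The DC answers WILL_NOT_PERFORM unless the value is the password
    wrapped in double quotes and encoded as UTF-16-LE (what the
    answer above calls "unicode encoded").
    """
    return ('"' + password + '"').encode("utf-16-le")


def build_unicode_pwd_changes(new_password: str,
                              old_password: Optional[str] = None) -> List[Change]:
    """Return the LDAP modify operations for a password reset or change.

    Reset by an account holding the Reset Password right: a single REPLACE.
    Self-service change (per MS-ADTS, assumption for this example): DELETE
    the old value, then ADD the new one; the DC checks the old password.
    """
    new_value = encode_unicode_pwd(new_password)
    if old_password is None:
        return [("replace", "unicodePwd", [new_value])]
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [new_value])]


def reset_password_ldaps(host: str, bind_dn: str, bind_password: str,
                         target_dn: str, new_password: str):
    """Send the reset over port 636 with ldap3 (assumed installed; not run here).

    Returns (success, result) where result['description'] holds the LDAP
    result name (e.g. unwillingToPerform) and result['message'] the DC's
    extended error text, like the "lde_message" shown in the question.
    """
    from ldap3 import (ALL, MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE,
                       Connection, Server)
    server = Server(host, port=636, use_ssl=True, get_info=ALL)
    conn = Connection(server, user=bind_dn, password=bind_password,
                      auto_bind=True)
    ops = {"replace": MODIFY_REPLACE, "delete": MODIFY_DELETE, "add": MODIFY_ADD}
    changes = {}
    for op, attr, values in build_unicode_pwd_changes(new_password):
        changes.setdefault(attr, []).append((ops[op], values))
    success = conn.modify(target_dn, changes)
    return success, conn.result
```

If the bind is over plain port 389 instead, the same modify fails with WILL_NOT_PERFORM until the session is encrypted, which is the LDAP_OPT_ENCRYPT point in the answer above.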

