02-25-2014 09:38 AM - edited 02-21-2020 07:31 PM
I believe I have everything configured correctly. But clearly I'm missing something. Users can authenticate and that all works. If I expire a password, it recognizes that it is expired. It recognizes that part of our password policy requires 7 characters. I enter a new password that fits the policy and I get the error message:
"Cannot complete password change because the password does not meet the password policy requirements"
Here is a debug of the session when I attempt to change the password.
[62865] Session Start
[62865] New request Session, context 0xabb4ddd8, reqType = Modify Password
[62865] Fiber started
[62865] Creating LDAP context with uri=ldaps://192.168.8.1:636
[62865] Connect to LDAP server: ldaps://192.168.8.1:636, status = Successful
[62865] supportedLDAPVersion: value = 3
[62865] supportedLDAPVersion: value = 2
[62865] Binding as LDAP User
[62865] Performing Simple authentication for LDAP User to 192.168.8.1
[62865] LDAP Search:
Base DN = [ou=People, dc=<redacted>, dc=com]
Filter = [sAMAccountName=<redacted>]
Scope = [SUBTREE]
[62865] User DN = [CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com]
[62865] Talking to Active Directory server 192.168.8.1
[62865] Reading password policy for <redacted>, dn:CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com
[62865] Read bad password count 0
[62865] Fiber exit Tx=737 bytes Rx=6827 bytes, status=-1
[62865] Session End
I redacted the user account and domain information.
02-25-2014 01:29 PM
Hi Mike,
Please make sure that the ldap-login (AD user) used to bind the connection to the DB belongs to the Account Operators group in AD or that such user has enough rights to change the password.
HTH.
02-25-2014 01:37 PM
Yes, that is one of the first things I did.
A couple of common remedies that I've found with AD Password change problems are either not having Secure LDAP set up correctly, or the LDAP user not being in the correct group.
The LDAP user is in the Account Operators Active Directory security group.
02-25-2014 01:53 PM
Do you see any log on AD?
02-25-2014 02:08 PM
In Event Viewer on the domain controller, under security, I only see that the logon has failed.
Failure Information:
Failure Reason: The specified account's password has expired.
Status: 0xc0000224
Sub Status: 0x0
That is the only message in the event viewer that I've been able to find.
02-26-2014 06:38 AM
I was able to resolve the problem, but not satisfactorily. I changed the LDAP account privileges from "Account Operators" to "Domain Admins" and now the password change works.
It's nice that it works, but I don't like the idea of having a Domain Admin account embedded on an edge device.
I've read over and over that "Account Operators" is what the LDAP user should be set to. Is there another group that is also required?
02-26-2014 07:30 AM
I have seen that before, are you using a Service Account?
Make sure the Account Operators group has the permission to change the password.
Regards,
Please rate any helpful posts.
02-26-2014 09:41 AM
I have found the answer.
The "Account Operators" group can change user information, except it cannot change the Domain Administrators group or any of its members.
I was using my own account for testing and I am in the Domain Admins group. When I created a typical user account with which to test, the password change worked with the LDAP account user being in the "Account Operators" group only.
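The behaviour above is AD's AdminSDHolder protection: members of the built-in administrative groups get adminCount=1 and a locked-down ACL that Account Operators cannot write to. The following PowerShell is an added example, not code from this thread, that reports whether a given user is in that protected set before you test a password change through an Account Operators service account; it assumes the RSAT ActiveDirectory module, and Test-AccountOperatorsCanReset is a name chosen here.

```powershell
# Added example: predict whether an Account Operators bind account can change
# a user's password, by checking AdminSDHolder protection on the target user.
# Assumes the RSAT ActiveDirectory module is available and the caller can read AD.
Import-Module ActiveDirectory

function Test-AccountOperatorsCanReset {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Built-in groups present in every domain whose members AdminSDHolder protects.
    $protectedGroups = 'Domain Admins', 'Administrators', 'Account Operators',
                       'Server Operators', 'Backup Operators', 'Print Operators'

    # Nested membership counts too, hence -Recursive.
    $hits = foreach ($g in $protectedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members.distinguishedName -contains $user.DistinguishedName) { $g }
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        # adminCount is stamped to 1 by SDProp and is NOT cleared when the user
        # leaves the group, so a stale 1 with no group hit still blocks the change.
        AdminCount      = $user.adminCount
        ProtectedGroups = ($hits -join ', ')
        ResetShouldWork = (-not $hits) -and ($user.adminCount -ne 1)
    }
}

# Usage: Test-AccountOperatorsCanReset -SamAccountName 'jdoe'
```

A user that reports ResetShouldWork = False is the case hit in this thread; test with an ordinary account instead, rather than widening the bind account's rights.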
02-26-2014 10:27 AM
So you were trying to change the password for an account that belongs to the Administrators group.
Glad to know you found your issue, 5 stars!
Please rate any helpful posts.