Enable UserPassword in Microsoft Active Directory

Overview [1] #

There are two methods on changing an AD password using LDAP.

The default setting uses the UnicodePwd and the other makes it work like most other LDAP Server Implementations by using UserPassword.

By default using UserPassword method (either through a simple ldif file or something like java) is disabled in Active Directory.

Process #

In order to enable the UserPassword method you must change the dsHeuristics [2] attribute using ADSI edit and set the fuserPassword [3] method to true.

Open ADSIedit #

(start/run adsiedit.msc)

Right Click ADSI Edit #

Right Click ADSI Edit and choose Connect to (note that this is not necessary if adsi was used previously and the connection is already there)

Select Configuration #

Choose Select a well known Naming Context of Configuration and Select Default (Domain or server that you are logged into). And click ok

Expand Configuration #

Expand Configuration down to Configuration/CN=Configuration,DC=XXX,DC=xxx/CN=Services/CN=Windows NT/CN=Directory Service

Choose Properties #

Right Click Directory Service and choose Properties

Scroll to dsHeuristics #

Scroll to dsHeuristics and double click it: You need to modify the 9th position and enter a 1. If there was no value in dsHeuristics then enter 000000001 and click ok.
It is critical that you do NOT replace other values if they already exist as there are 19 possible values within this attribute.[1]

Click Ok #

Click Ok to get back to the main editor.

Update Schema Now #

Then on the top level Configuration server.domain.org item right click and choose update Schema Now.

Finally #

At this point you can connect using SSL and use an LDIF to change the users password

More Information #

There might be more information for this subject on one of the following: