Overview [1] #
Enabling UserPassword in Microsoft Active Directory is needed only if the Domain functional level of the Microsoft Active Directory Domain Controller is less than Windows Server 2003. There are two methods of changing a Microsoft Active Directory password using LDAP.
The default method uses the UnicodePwd attribute; the other makes Active Directory work like most other LDAP Server Implementations by using UserPassword.
By default, the UserPassword method (whether through a simple LDIF file or something like Java) is disabled in Active Directory.
Why Enable UserPassword in Microsoft Active Directory#
As with the unicodePwd attribute, the update is an LDAP Modify Request operation:
- Password Change - a Delete Modification-type (oldPassword value) followed by an Add Modification-type (newPassword value)
- If the Add Modification-type operation is omitted, Microsoft Active Directory sets the object's password to the empty string.
- Password Reset - an LDAP Modify Request operation containing a single Replace Modification-type (newPassword value).
The Access Control rights required are the same as for the unicodePwd attribute.
The same restrictions on SSL/TLS- or SASL-protected connections are enforced.
However, the special encoding required for updating the unicodePwd attribute is not used with the userPassword attribute: the password values for UserPassword are sent to the server as UTF-8 strings, and surrounding quotation marks are not used. This makes things more consistent with other LDAP Server Implementations.
Enable UserPassword in Microsoft Active Directory Process #
In order to enable the UserPassword method you must change the dsHeuristics attribute.

fUserPwdSupport#
The fUserPwdSupport value is used to determine the behavior of the UserPassword attribute within Microsoft Active Directory or AD LDS. It is controlled by one character of dsHeuristics:
- If this character is neither "0" nor "2", then the fUserPwdSupport heuristic is TRUE. (Below, we use "1")
- If this character is "2", then the fUserPwdSupport heuristic is FALSE.
- If this character is "0", then the fUserPwdSupport heuristic is FALSE for Microsoft Active Directory and TRUE for AD LDS.
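As an added example (not the page's own code), the following Python applies the three rules above to interpret and set the fUserPwdSupport character of dsHeuristics, and builds the userPassword change and reset LDIF modifies described in the previous section. It assumes fUserPwdSupport is the ninth character of dsHeuristics (per the MS-ADTS dSHeuristics section cited as [#2]); all DNs and passwords used with it are constructed sample values.

```python
# Added example, not from the original page: interpret and set the
# fUserPwdSupport character of dsHeuristics using the rules above, and
# build the userPassword LDIF modifies described earlier on this page.
# Assumption: fUserPwdSupport is the 9th character of dsHeuristics
# (MS-ADTS 6.1.1.2.4.1.2, the section cited as reference [#2]).

FUSERPWD_POS = 9  # 1-based character position (assumed per MS-ADTS)


def fuserpwdsupport(ds_heuristics, adlds=False):
    """Apply the three rules above; a missing or short value counts as "0"."""
    ch = ds_heuristics[FUSERPWD_POS - 1] if len(ds_heuristics) >= FUSERPWD_POS else "0"
    if ch == "2":
        return False
    if ch == "0":
        return adlds  # FALSE for Active Directory, TRUE for AD LDS
    return True  # any other character; the page uses "1"


def enable_userpassword(ds_heuristics):
    """Set the fUserPwdSupport character to "1", leaving other positions alone.

    A short or empty value is padded with "0" so no other heuristic changes.
    """
    chars = list(ds_heuristics.ljust(FUSERPWD_POS, "0"))
    chars[FUSERPWD_POS - 1] = "1"
    return "".join(chars)


def dsheuristics_ldif(config_dn, current):
    """LDIF replacing dsHeuristics on the Directory Service object."""
    dn = "CN=Directory Service,CN=Windows NT,CN=Services," + config_dn
    return "\n".join(["dn: " + dn, "changetype: modify", "replace: dsHeuristics",
                      "dsHeuristics: " + enable_userpassword(current), "-", ""])


def userpassword_ldif(user_dn, new_password, old_password=None):
    """Password change (delete old, add new) when old_password is given,
    otherwise a reset (single replace). The add is never omitted, since an
    omitted add would set the password to the empty string."""
    lines = ["dn: " + user_dn, "changetype: modify"]
    if old_password is not None:
        lines += ["delete: userPassword", "userPassword: " + old_password, "-",
                  "add: userPassword", "userPassword: " + new_password, "-"]
    else:
        lines += ["replace: userPassword", "userPassword: " + new_password, "-"]
    return "\n".join(lines) + "\n"
```

Values containing non-ASCII characters or a leading space, colon or `<` must be base64-encoded with `::` per the LDIF format; this example writes plain values only.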
Open ADSIedit #
(start/run adsiedit.msc)
Right Click ADSI Edit #
Right Click ADSI Edit and choose Connect to (note that this is not necessary if ADSI Edit was used previously and the connection is already there)
Select Configuration #
Choose Select a well known Naming Context of Configuration, select Default (Domain or server that you are logged into), and click OK.
Expand Configuration #
Expand Configuration down to Configuration/CN=Configuration,DC=XXX,DC=xxx/CN=Services/CN=Windows NT/CN=Directory Service
Choose Properties #
Right Click Directory Service and choose Properties
Scroll to dsHeuristics #
Scroll to dsHeuristics and set the character for fUserPwdSupport (here "1").
Click Ok #
Click Ok to get back to the main editor.
Update Schema Now #
Then, on the top level Configuration server.domain.org item, right click and choose Update Schema Now.
Finally #
At this point you can connect using SSL and use an LDIF to change the user's password.
More Information #
There might be more information for this subject on one of the following:
- Active Directory and Passwords
- Example - Active Directory Change Password JNDI
- Passwords Using LDIF
- Set Active Directory Password From Java
- Setting and Changing Microsoft Active Directory Passwords
- UnicodePwd
- [#1] - Majority of content provided by Don DaRe
- [#2] - 6.1.1.2.4.1.2 dSHeuristics, based on information obtained 2019-11-05
- [#3] - fuserPassword, based on information retrieved 2013-05-29
- [#2] - 3.1.1.3.1.5.2 userPassword, based on information obtained 2019-11-05