Enable UserPassword in Microsoft Active Directory

Overview [1] #

Enable UserPassword in Microsoft Active Directory is needed only if the Domain functional level on the Microsoft Active Directory Domain Controller is less than Windows Server 2003

There are two methods on changing an Microsoft Active Directory password using LDAP.

The default setting uses the UnicodePwd and the other makes it work like most other LDAP Server Implementations by using UserPassword.

By default using UserPassword method (either through a simple ldif file or something like java) is disabled in Active Directory.

Why Enable UserPassword in Microsoft Active Directory#

As with the unicodePwd attribute is as a LDAP Modify Request operation:

The Access Control rights required are the same as for the unicodePwd attribute.

The same restrictions on SSL/TLS- or SASL-protected connections are enforced.

However, the special encoding required for updating the unicodePwd attribute is not used with the userPassword attribute; The password values for UserPassword are sent to the server as UTF-8 strings, but; surrounding quotation marks are not used. Which make things more consistent with other LDAP Server Implementations

Enable UserPassword in Microsoft Active Directory Process #

In order to enable the UserPassword method you must change the dsHeuristics [2] attribute using ADSI edit and set the fuserPassword [3] method to true.


fUserPwdSupport value is used to determine the behavior of the UserPassword attribute within Microsoft Active Directory or AD LDS.
  • If this character is neither "0" nor "2", then the fUserPwdSupport heuristic is TRUE. (Below, we use "1")
  • If this character is "2", then the fUserPwdSupport heuristic is FALSE.
  • If this character is "0", then the fUserPwdSupport heuristic is FALSE for Microsoft Active Directory and TRUE for AD LDS.

Open ADSIedit #

(start/run adsiedit.msc)

Right Click ADSI Edit #

Right Click ADSI Edit and choose Connect to (note that this is not necessary if adsi was used previously and the connection is already there)

Select Configuration #

Choose Select a well known Naming Context of Configuration and Select Default (Domain or server that you are logged into). And click ok

Expand Configuration #

Expand Configuration down to Configuration/CN=Configuration,DC=XXX,DC=xxx/CN=Services/CN=Windows NT/CN=Directory Service

Choose Properties #

Right Click Directory Service and choose Properties

Scroll to dsHeuristics #

Scroll to dsHeuristics and double click it: You need to modify the 9th position and enter a 1. If there was no value in dsHeuristics then enter 000000001 and click ok.
It is critical that you do NOT replace other values if they already exist as there are 19 possible values within this attribute.[1]

Click Ok #

Click Ok to get back to the main editor.

Update Schema Now #

Then on the top level Configuration server.domain.org item right click and choose update Schema Now.

Finally #

At this point you can connect using SSL and use an LDIF to change the users password

More Information #

There might be more information for this subject on one of the following: