Overview #
There are two methods on changing an AD password using LDAP.
The default setting uses the UnicodePwd and the other makes it work like most other LDAP Server Implementations by using UserPassword.
By default using UserPassword method (either through a simple ldif file or something like java) is disabled in Active Directory.
Process #
In order to enable the
UserPassword method you must change the
dsHeuristics
attribute using ADSI edit and set the
fuserPassword method to true.
(start/run adsiedit.msc)
Right Click ADSI Edit #
Right Click ADSI Edit and choose Connect to (note that this is not necessary if adsi was used previously and the connection is already there)
Select Configuration #
Choose Select a well known Naming Context of Configuration and Select Default (Domain or server that you are logged into). And click ok
Expand Configuration #
Expand Configuration down to Configuration/CN=Configuration,DC=XXX,DC=xxx/CN=Services/CN=Windows NT/CN=Directory Service
Choose Properties #
Right Click Directory Service and choose Properties
Scroll to
dsHeuristics and double click it: You need to modify the 9th position and enter a 1. If there was no value in
dsHeuristics then enter 000000001 and click ok.
It is critical that you do NOT replace other values if they already exist as there are 19 possible values within this attribute.
Click Ok #
Click Ok to get back to the main editor.
Update Schema Now #
Then on the top level Configuration
server.domain.org item right click and choose update Schema Now.
Finally #
At this point you can connect using SSL and use an LDIF to change the users password
There might be more information for this subject on one of the following:
