!!! Overview [1]
[{$pagename}] is needed only if the [Domain functional level] on the [Microsoft Active Directory] [Domain Controller] is less than [Windows Server 2003].

There are two methods of changing a [Microsoft Active Directory] [password] using [LDAP]. The default method uses the [UnicodePwd] attribute; the other uses the [UserPassword] attribute and so behaves like most other [LDAP Server Implementations]. By default, the [UserPassword] method (whether through a simple LDIF file or through code such as Java) is disabled in Active Directory.

!! Why [{$pagename}]
As with the [unicodePwd] attribute, a password update on [userPassword] is an [LDAP] [Modify Request] operation:
* [Password Change] - a [Delete Modification-type] (oldPassword value) followed by an [Add Modification-type] (newPassword value).
** If the [Add Modification-type] operation is omitted, [Microsoft Active Directory] sets the object's password to the empty string.
* [Password Reset] - an [LDAP] [Modify Request] operation containing a single [Replace Modification-type] (newPassword value).

The [Access Control] rights required are the same as for the [unicodePwd] attribute, and the same restrictions on [SSL]/[TLS]- or [SASL]-protected connections are enforced. However, the special [encoding] required for updating the [unicodePwd] attribute is __not__ used with the [userPassword] attribute: the [password] values for [UserPassword] are sent to the server as [UTF-8] [strings], and surrounding __quotation marks are not used__. This makes things more consistent with other [LDAP Server Implementations].

!! [{$pagename}] Process
To enable the [UserPassword] method you must change the [dsHeuristics|http://msdn.microsoft.com/en-us/library/cc223560.aspx|target='_blank'] [2] attribute using ADSI Edit and set the [fuserPassword|http://msdn.microsoft.com/en-us/library/cc223249.aspx|target='_blank'] [3] heuristic to true.

! fUserPwdSupport
The fUserPwdSupport value determines the behavior of the [UserPassword] attribute within [Microsoft Active Directory] or [AD LDS]:
* If this character is neither "0" nor "2", then the fUserPwdSupport heuristic is [TRUE]. (Below, we use "1".)
* If this character is "2", then the fUserPwdSupport heuristic is [FALSE].
* If this character is "0", then the fUserPwdSupport heuristic is [FALSE] for [Microsoft Active Directory] and [TRUE] for [AD LDS].

! Open [ADSIedit]
Open [ADSIedit] (Start/Run, adsiedit.msc).
[{Image src='Enable UserPassword in Microsoft Active Directory/ADSI-Open.png' align='left'}]

! Right Click ADSI Edit
Right click ADSI Edit and choose Connect to (this is not necessary if ADSI Edit was used previously and the connection is already there). \\
[{Image src='Enable UserPassword in Microsoft Active Directory/adsi-connect.png' align='left'}]

! Select Configuration
Choose Select a well known Naming Context of Configuration and select Default (Domain or server that you are logged into), then click OK. \\
[{Image src='Enable UserPassword in Microsoft Active Directory/adsi-configuration.png' align='left'}]

! Expand Configuration
Expand Configuration down to Configuration/CN=Configuration,DC=XXX,DC=xxx/CN=Services/CN=Windows NT/CN=Directory Service \\
[{Image src='Enable UserPassword in Microsoft Active Directory/adsi-expand-configuration.png' align='left'}]

! Choose Properties
Right click Directory Service and choose Properties. \\
[{Image src='Enable UserPassword in Microsoft Active Directory/adsi-properties.png' align='left'}]

! Scroll to dsHeuristics
Scroll to [dsHeuristics|http://msdn.microsoft.com/en-us/library/cc223560.aspx|target='_blank'] and double click it. You need to modify the 9th position and enter a 1. If there was no value in [dsHeuristics|http://msdn.microsoft.com/en-us/library/cc223560.aspx|target='_blank'], then enter 000000001 and click OK.
%%warning
It is critical that you do NOT replace other values if they already exist, as there are 19 possible values within this attribute.[1]
%%
\\
[{Image src='Enable UserPassword in Microsoft Active Directory/adsi-dSHeuristics.png' align='left'}]

! Click Ok
Click OK to get back to the main editor.

! Update Schema Now
Then right click the top-level Configuration [server.domain.org] item and choose Update Schema Now.
[{Image src='Enable UserPassword in Microsoft Active Directory/adsi-update-schema.png' align='left'}]

! Finally
At this point you can connect using SSL and use an LDIF to change the user's password.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Majority of content provided by Don DaRe|https://plus.google.com/112272286113899092242|target='_blank']
* [#2] - [6.1.1.2.4.1.2 dSHeuristics|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5|target='_blank'] - based on information obtained 2019-11-05
* [#3] - [fuserPassword|http://msdn.microsoft.com/en-us/library/cc223249.aspx|target='_blank'] - based on information retrieved 2013-05-29
* [#2] - [3.1.1.3.1.5.2 userPassword|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8|target='_blank'] - based on information obtained 2019-11-05
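As an added example (not from the original page or from Don DaRe's material), the Python below models the pieces this page describes: setting the 9th dSHeuristics character without clobbering the values already there, evaluating fUserPwdSupport with the three rules above, and building the Password Change LDIF with the unicodePwd encoding beside the plain UTF-8 userPassword form. The DN and passwords are constructed sample values; the 10th/20th-character rule is taken from MS-ADTS, not from this page.

```python
import base64

USER_PWD_SUPPORT_POS = 9  # fUserPwdSupport is the 9th character of dSHeuristics


def set_ds_heuristics_char(current, position, char):
    """Return dSHeuristics with the 1-based `position` set to `char`, keeping
    every existing character (the warning above) and zero-padding a shorter
    or empty value; "" with position 9 and "1" yields 000000001."""
    orig_len = len(current or "")
    chars = list(current or "")
    chars.extend("0" * max(0, position - len(chars)))
    chars[position - 1] = char
    # MS-ADTS 6.1.1.2.4.1.2: once the value is 10 (20) characters long, the
    # 10th (20th) character must be "1" ("2"); fix that in padding we added.
    for n in (10, 20):
        if orig_len < n <= len(chars) and n != position:
            chars[n - 1] = str(n // 10)
    return "".join(chars)


def user_pwd_support(ds_heuristics, ad_lds=False):
    """Evaluate fUserPwdSupport with the three rules listed above. An absent
    9th character is treated like "0" (assumption: the default behaviour)."""
    c = ds_heuristics[USER_PWD_SUPPORT_POS - 1:USER_PWD_SUPPORT_POS] or "0"
    if c == "2":
        return False
    if c == "0":
        return ad_lds          # FALSE for AD, TRUE for AD LDS
    return True


def encode_unicode_pwd(password):
    """unicodePwd: password wrapped in double quotes, encoded as UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def encode_user_password(password):
    """userPassword: plain UTF-8, no surrounding quotation marks."""
    return password.encode("utf-8")


def password_change_ldif(dn, old_pw, new_pw, use_user_password):
    """LDIF for a Password Change: delete the old value and add the new one in
    one Modify request (omitting the add would set an empty password)."""
    attr = "userPassword" if use_user_password else "unicodePwd"
    enc = encode_user_password if use_user_password else encode_unicode_pwd
    def val(pw):  # "::" marks a base64 value, safe for the binary UTF-16LE form
        return "%s:: %s" % (attr, base64.b64encode(enc(pw)).decode("ascii"))
    return "\n".join(["dn: %s" % dn, "changetype: modify",
                      "delete: %s" % attr, val(old_pw), "-",
                      "add: %s" % attr, val(new_pw), "-", ""])
```

The LDIF is only built here; sending it still requires the SSL/TLS-protected connection the page describes.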