LDAP changePassword always returns error



Tom
07-09-2005, 10:53 PM
I'm working on a script to change a user's password in an AD domain.

Our problem is a script that uses the changePassword method to change a
user's password. No matter how strong the new password is, we always return
an error that says the new password is either not unique or doesn't meet the
policy for strong passwords. This script doesn't work when run as either the
user making the change or the domain administrator.

I think this error is bogus; we have another script that overwrites the
user's password with a strong random one (which runs in the context of the
domain admin), and that works fine.

Joe Richards [MVP]
07-09-2005, 10:53 PM
Post the script

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Tom
07-09-2005, 10:53 PM
Joe,

The code follows. I've disabled error handling to show the error.

I based it off this script at Technet:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/uspwvb02.mspx

I get the same error when I run the script as the user through a web page,
the user logged into the machine, or a domain administrator logged into the
machine. However, forcing the password to be overwritten works fine when
logged in as a domain admin.

function changePassword(p_DistinguishedName, p_NewPassword, p_OldPassword)
  ' Parameter order is new password, then old; the ChangePassword call below
  ' uses the names, so a caller passing (dn, old, new) would present the wrong
  ' old password to the domain controller.
  'on error resume next
  if p_DistinguishedName = "" then
    ' WScript is not available inside an ASP page; just leave the function.
    exit function
  end if
  set objUser = getObject("LDAP://" & p_DistinguishedName)
  ' GetObject raises on failure instead of returning a non-object, so the
  ' else branch is only reachable with On Error Resume Next in effect.
  if isObject(objUser) then
    'When run in the context of a domain administrator, this forces
    'the new password to overwrite the old. It works fine.
    'objUser.setPassword p_NewPassword

    'This is the line of code in question. It's based off a script in
    'Technet's script center.
    objUser.ChangePassword p_OldPassword, p_NewPassword
  else
    strMsg = Server.URLEncode("Sorry, there was a problem processing your " & _
      "password change. <a href='changepassword.asp'>Please try again</a>.<p>If " & _
      "this problem persists, please contact your administrator.")
    response.redirect("confirm.asp?m=" & strMsg & "&e=1")
  end if
  ' request.Form("username") is echoed into HTML here; confirm.asp must
  ' Server.HTMLEncode it (and the rest of the m= text) or this is a
  ' reflected XSS point.
  strMsg = Server.URLEncode("Password for user <b>" & _
    request.Form("username") & "</b> has been changed!")
  response.redirect("confirm.asp?m=" & strMsg)
end function

R
07-09-2005, 10:53 PM
Not sure if this is relevant or not. I remember from a few years ago that to
write to the AD password field through LDAP, we needed to have an SSL (port
636) connection to AD.

Tom
07-09-2005, 10:53 PM
Thanks R.

The weird thing is that as an administrator, we *are* able to connect to the
AD through LDAP. We can prove it by overwriting the password using the
setPassword method (which works fine, see the code sample below).

It fails when we use the ChangePassword method, regardless of the user
context we're using.

Joe Richards [MVP]
07-09-2005, 10:53 PM
I filtered this down to this basic example

p_DistinguishedName=wscript.arguments.item(0)
p_OldPassword=wscript.arguments.item(1)
p_NewPassword=wscript.arguments.item(2)


if p_DistinguishedName= "" then
  wScript.Quit
end if

set objUser = getObject("LDAP://" & p_distinguishedName)
if isObject(objUser) then
  objUser.ChangePassword p_OldPassword, p_NewPassword
  wscript.echo "Password change successful"
else
  wscript.echo "Didn't get a handle to the user object"
end if


This runs successfully for me

[Fri 06/10/2005 20:45:31.12]
G:\TEMP>pwd.vbs cn=someuser,cn=users,dc=joe,dc=com password somenewpassword
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Password change successful

[Fri 06/10/2005 20:45:51.69]
G:\TEMP>pwd.vbs cn=someuser,cn=users,dc=joe,dc=com password somenewpassword2
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

G:\TEMP\pwd.vbs(12, 3) (null): The specified network password is not correct.


[Fri 06/10/2005 20:45:56.69]
G:\TEMP>pwd.vbs cn=someuser,cn=users,dc=joe,dc=com somenewpassword somenewpassword2
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Password change successful

[Fri 06/10/2005 20:46:09.47]
G:\TEMP>




What again are the exact errors you are seeing when running through vbscript,
not through a web page. Web pages add all sorts of screwed up issues that aren't
script related, but instead IIS and the IIS Script engine related.

joe




--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Tom
07-09-2005, 10:53 PM
This is really weird - I run the script as an administrator, and return an
empty error description with the error number -2147024810.

When I look that up in the Microsoft Knowledge Base, it looks like it's a
SiteServer error, which isn't even installed on that server.

Joe Richards [MVP]
07-09-2005, 10:54 PM
That breaks down to be error 86.

Paste it into calculator, tell calc to convert to hex, specify Word for size,
then convert back to decimal.

Error 86 is

C:\WINDOWS>net helpmsg 86

The specified network password is not correct.


This would tell me that the old password you are trying to use is not correct.
Running as administrator has no bearing on it because you are using the old
password and the new. Running as an admin (or someone with SetPassword CA rights
on the user object) only impacts the SETPASSWORD method.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Tom
07-09-2005, 10:54 PM
OK, now I've updated the password and return error 2245.

"The password does not meet the password requirements. Check the minimum
password length, password complexity and password history requirements."

I think this error is bogus - no matter how strong my password, it always
returns this error.

Joe Richards [MVP]
07-09-2005, 10:54 PM
Disable password complexity and password history and see if you get the error.

If you don't, then enable one and try it, then the other and try it, this will
narrow down the piece that is biting you.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net




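Added here as a worked example (not code from any post in this thread or from joeware), in Python rather than the thread's VBScript so it runs offline anywhere: it unpacks an ADSI error number into the Win32 code the way Joe describes doing with calc, models the domain controller's ChangePassword decision so Joe's three runs and Tom's 86-then-2245 sequence can be reproduced, and shows the LDAP Modify shapes that ADSI's ChangePassword and SetPassword correspond to on the wire. The policy model (minimum length 7, three-of-four character classes, history) follows the AD defaults; the passwords, the history list and the -2147022651 value for 2245 are constructed for the example; `change_password` and the modify tuples are illustrations of the semantics, not an ADSI or ldap3 API.

```python
# Added example for this thread; not code from any of the posts or from joeware.
# Three things the thread discusses: unpack the COM/ADSI error number into the
# Win32 code Joe derived with calc.exe, model the domain controller's
# ChangePassword decision so the 86 -> 2245 sequence can be reproduced offline,
# and show the LDAP Modify shapes that ADSI's ChangePassword and SetPassword
# correspond to. Passwords, history list and policy values are constructed.

FACILITY_WIN32 = 7

# Win32 codes seen in the thread (86, 2245) plus ERROR_ACCESS_DENIED, with the
# text `net helpmsg` prints for them.
WIN32_MESSAGES = {
    5: "Access is denied.",
    86: "The specified network password is not correct.",
    2245: "The password does not meet the password requirements. Check the "
          "minimum password length, password complexity and password history "
          "requirements.",
}


def hresult_to_win32(hresult):
    """Unpack a FACILITY_WIN32 HRESULT into its Win32 code.

    VBScript reports the HRESULT as a signed 32-bit number:
    -2147024810 -> 0x80070056 -> facility 7, code 0x56 = 86.
    Returns None if the value is not a Win32-facility error.
    """
    h = hresult & 0xFFFFFFFF                   # reinterpret the signed value as 32 bits
    if not h & 0x80000000:                     # severity bit clear: not an error code
        return None
    if (h >> 16) & 0x7FF != FACILITY_WIN32:    # facility lives in bits 16..26
        return None
    return h & 0xFFFF                          # low word is the Win32 error


def explain_adsi_error(hresult):
    """Return (win32_code, message) for an ADSI/COM error number."""
    code = hresult_to_win32(hresult)
    return code, WIN32_MESSAGES.get(code, f"unknown; run: net helpmsg {code}")


def complexity_ok(password):
    """AD's complexity rule: characters from at least 3 of the 4 classes."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def change_password(stored, presented_old, new, min_length=7,
                    complexity=True, history=()):
    """Model of the DC's ChangePassword path; returns the Win32 code the caller
    gets back (0 = success).

    Only the presented old password and the new one matter. The caller's own
    privileges never enter into it, which is why running the script as a
    domain admin does not change the result, and why 86 comes back before any
    policy check is reached.
    """
    if presented_old != stored:
        return 86                       # ERROR_INVALID_PASSWORD
    if (len(new) < min_length
            or (complexity and not complexity_ok(new))
            or new == stored or new in history):
        return 2245                     # NERR_PasswordTooShort: any policy failure
    return 0


def unicode_pwd(password):
    """unicodePwd wire format: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def change_password_mods(old, new):
    """What ADSI ChangePassword amounts to over LDAP: one Modify on unicodePwd
    that deletes the old value and adds the new one. The DC verifies `old`, so
    a user can do this to their own account with no special rights."""
    return [("delete", "unicodePwd", [unicode_pwd(old)]),
            ("add", "unicodePwd", [unicode_pwd(new)])]


def set_password_mods(new):
    """What ADSI SetPassword amounts to over LDAP: a Modify that replaces
    unicodePwd. This needs the Reset Password control-access right on the
    user object, which Domain Admins have."""
    return [("replace", "unicodePwd", [unicode_pwd(new)])]


if __name__ == "__main__":
    print(explain_adsi_error(-2147024810))   # (86, 'The specified network password is not correct.')
    # Joe's three command-line runs, in a domain without complexity enforced:
    print(change_password("password", "password", "somenewpassword", complexity=False))              # 0
    print(change_password("somenewpassword", "password", "somenewpassword2", complexity=False))      # 86
    print(change_password("somenewpassword", "somenewpassword", "somenewpassword2", complexity=False))  # 0
    print(change_password_mods("Old1!xyz", "New2@abc"))
```

With ldap3 the tuples map onto `conn.modify(dn, {'unicodePwd': [(MODIFY_DELETE, [old]), (MODIFY_ADD, [new])]})` for a change and `[(MODIFY_REPLACE, [new])]` for a reset. Either write is refused by the DC over a cleartext LDAP connection: it needs LDAPS (636) or a SASL bind with signing and sealing, which is the requirement R was remembering. ADSI's two methods take care of that themselves (they try LDAP over SSL, then Kerberos, then the Net API), which is why Tom's admin-context SetPassword worked without anyone configuring port 636, and why the transport was never the cause of the 86 and 2245 results.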