Changing a user password who has 'Change Password at next Logon' flagged

Post by Pau » Wed, 05 Feb 2003 19:37:44



Hi,

I'm trying to change the password of a user using VB and ADSI with the
LDAP provider. The VB is built as a COM component and running as a
server application and has an identity set to a user account with
administrative rights.
The method call is from an ASP page where a user types in the relevant
information to change their password.

My code in brief is as below :

    strUserPath = "LDAP://" & strDomain & "/CN=" & UserName & "," & strContainer
    Set objUser = GetObject(strUserPath)

    objUser.ChangePassword OldPassword, NewPassword

which results in the following error :

    Error Number : -2147023545 (0x80070547)

    Description : Automation error

    Configuration information could not be read from the domain
    controller, either because the machine is unavailable, or access
    has been denied.

The security error that occurs on the DC is as follows :

Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       681
Date:           04/02/2003
Time:           10:12:47
User:           NT AUTHORITY\SYSTEM
Computer:       CRISDVLPDC
Description:
The logon to account: 100099
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: GBCRISS193
 failed. The error code was: 3221226020

The error code translates to User Logon with 'Change Password at Next
Logon' Flagged.

This works no problem with the WinNT provider but I have to use the
LDAP provider.

Any thoughts or suggestions are most welcome

Paul Jackson
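
An added example (not from this thread): a small parser for the Event 681 record quoted above that decodes the decimal error code into its NTSTATUS name, so the "must change password" case (0xC0000224) can be told apart from plain bad-password failures when reading the DC's audit log. The sample record and the status table are constructed for this example.

```python
import re
# NTSTATUS codes seen in the 681 "error code" field (the DC logs them in decimal).
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Constructed sample record, laid out like the event quoted in the post.
SAMPLE_681 = """Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       681
Date:           04/02/2003
Time:           10:12:47
User:           NT AUTHORITY\\SYSTEM
Computer:       CRISDVLPDC
Description:
The logon to account: 100099
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: GBCRISS193
 failed. The error code was: 3221226020
"""

_HEADER = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$",
    re.M)
_DESC = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s*by:\s*(?P<package>\S+)"
    r"\s*from workstation:\s*(?P<workstation>\S+)\s*failed\. The error code was:\s*(?P<code>\d+)")

def parse_event_681(text):
    """Return the header fields plus account, package, workstation and decoded status."""
    rec = {k: v.strip() for k, v in _HEADER.findall(text)}
    m = _DESC.search(text)
    if rec.get("Event ID") != "681" or m is None:
        raise ValueError("not a parsable Event 681 record")
    rec.update(m.groupdict())
    code = int(rec["code"])
    rec["status_hex"] = "0x%08X" % code
    rec["status_name"] = NTSTATUS_NAMES.get(code, "UNKNOWN")
    return rec

def classify(rec):
    """Triage hint: guessing-style failures vs. an account-state problem like this one."""
    name = rec["status_name"]
    if name in ("STATUS_WRONG_PASSWORD", "STATUS_NO_SUCH_USER"):
        return "credential-failure"
    if name == "UNKNOWN":
        return "unknown"
    return "account-state"  # must-change, expired, disabled, locked out
```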

Post by Richard Muelle » Thu, 06 Feb 2003 01:35:17


Hi,

I believe your problem is with the binding string used
with the LDAP provider. Examples for strUserPath would be
similar to:

"LDAP://cn=UserName,ou=Sales,dc=MyDomain,dc=com"
"LDAP://cn=Joe Smith,cn=users,dc=MyDomain,dc=com"

I would guess that UserName in your code is the NT user
name, also called the pre-Windows 2000 logon name (the
sAMAccountName). LDAP requires the cn (common name)
instead. Also, strDomain is the NetBIOS domain name, which
may or may not match what I called "MyDomain" above. You
need to determine the Distinguished Name of the user to
bind with LDAP, which is the cn (common name) of the user,
and the full path of the user object in Active Directory.

If the client is W2k or XP, you should be able to use the
ADSystemInfo object:

Set oSysInfo = CreateObject("ADSystemInfo")
' UserName is the Distinguished Name of the currently logged-on user
sUserAdsPath = oSysInfo.UserName
Set oUser = GetObject("LDAP://" & sUserAdsPath)

If the clients are NT or Win9x, you can use the
NameTranslate object to convert your UserName and
strDomain:

Set oTrans = CreateObject("NameTranslate")
' ADS_NAME_INITTYPE_DOMAIN = 1: bind the translator to the domain
oTrans.Init 1, strDomain
' ADS_NAME_TYPE_NT4 = 3: the input is "DOMAIN\user" (type 2 is canonical form)
oTrans.Set 3, strDomain & "\" & UserName
' ADS_NAME_TYPE_1779 = 1: return the Distinguished Name
sAdsPath = oTrans.Get(1)
Set oUser = GetObject("LDAP://" & sAdsPath)

Richard


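An added example (not from this thread and not Richard's code) of assembling the LDAP ADsPath described above from the user's cn, the container and the DNS domain name, escaping each RDN value per RFC 4514 so that characters a user types into the web form (a comma in "Smith, Joe", for instance) cannot change which object gets bound. The function names are this example's own; it assumes the DNS domain name is known, which, as the reply notes, need not equal the NetBIOS name.

```python
# Characters that must be backslash-escaped anywhere inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape one attribute value for use in an RDN (RFC 4514 section 2.4)."""
    if value == "":
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:              # a leading '#' would start a hex form
            out.append("\\#")
        elif ch == " " and i in (0, last):      # leading/trailing space is significant
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def domain_to_dc(dns_domain):
    """'MyDomain.com' -> 'dc=MyDomain,dc=com'; the cn/ou part is supplied separately."""
    labels = [l for l in dns_domain.strip().split(".") if l]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("dc=" + escape_rdn_value(l) for l in labels)

def build_user_adspath(cn, container_rdns, dns_domain):
    """Assemble 'LDAP://cn=<cn>,<container>,dc=...' like the thread's examples.

    container_rdns is a list of (attr, value) pairs, e.g. [("ou", "Sales")]
    or [("cn", "Users")] for the default Users container.
    """
    parts = ["cn=" + escape_rdn_value(cn)]
    for attr, value in container_rdns:
        if attr.lower() not in ("ou", "cn"):
            raise ValueError("unexpected container attribute: " + attr)
        parts.append(attr.lower() + "=" + escape_rdn_value(value))
    parts.append(domain_to_dc(dns_domain))
    return "LDAP://" + ",".join(parts)
```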

Post by Pau » Thu, 06 Feb 2003 23:50:32


Thanks for your comments Richard,

I haven't had a problem with my binding string with any of my other
ADSI code, but I took on your suggestions and reconfigured my binding
string as suggested.

In my system my cn is always the same as the SamAccountName so I don't
think the problem is there.
I use serverless binding to derive the domain and use a constant for
the ou name.

My LDAP string is now as below:

 "LDAP://cn=UserName,ou=MyOU,dc=MyDomain,dc=com"

but I still get the same error.


Post by Richard Muelle » Fri, 07 Feb 2003 04:03:06


Hi,

A few thoughts. If the error is raised on the GetObject
statement, then the binding string is wrong. No admin
privileges are needed to bind to the user object. However,
you seem to have ruled this out.

I assume the user is already authenticated. If not, you
will have to use alternate credentials with OpenDSObject.

If the error is raised on objUser.ChangePassword, then
perhaps there is not an SSL connection. Changing passwords
is the only time an SSL connection is required.

Richard

Post by Pau » Fri, 07 Feb 2003 20:50:53


I think you've cracked it.

The error is being raised on the objUser.ChangePassword; the rig I'm
testing on doesn't have SSL but the target rig does.

I will test on a rig with SSL.

Thanks for all your help


1. Can't SET 'user can't change password' AND 'password never expires'

I've sort of figured this problem out now, but something strange is
happening and I am interested to know why this certain piece of code doesn't
work.  The comments in the code explain.

Set objUser = GetObject("WinNT://DOMAINNAME/" & sUserName & ",user")
nUserFlags = objUser.Get("UserFlags")
'########################
'###### this code doesn't work
' set user can't change password
'objUser.Put "UserFlags", nUserFlags OR &H00040
' set password never expires
' (this second Put replaces the value cached by the first Put, so &H00040 is lost)
'objUser.Put "UserFlags", nUserFlags OR &H10000
'objUser.SetInfo
'########################

'########################
'###### this code does work
' set user can't change password and set password never expires in one value
'objUser.Put "UserFlags", nUserFlags OR &H00040 OR &H10000
'objUser.SetInfo
'########################

I used the code here to help:
http://www.15seconds.com/issue/011127.htm
So it should be possible not to do all on one line.  BTW, there is a bug in
that code - he forgot to put in a .SetInfo, so it looks like it was never
tested?  I have tried putting in XORs like the author suggests (but doesn't
actually do!) and it makes no difference.

Thanks,

Paul
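
An added example (not from the post) that models the ADSI property cache just well enough to show why the two separate Put calls keep only the last flag: Put replaces the cached value rather than merging into it, so the second Put overwrites what the first one stored. PropertyCache and the function names are this example's own stand-ins, not ADSI; the bit values are the &H00040 and &H10000 from the post, and a small xor_flag helper shows why XOR is not a substitute for OR here.

```python
ADS_UF_PASSWD_CANT_CHANGE = 0x00040   # 'user cannot change password'
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # 'password never expires'
ADS_UF_NORMAL_ACCOUNT = 0x00200       # typical starting value for a user

class PropertyCache:
    """Stand-in for an IADs object: Put() overwrites the cached value,
    Get() returns the pending value if there is one, SetInfo() commits."""
    def __init__(self, stored):
        self.stored = dict(stored)   # what the directory currently holds
        self.cache = {}              # pending values not yet written back

    def get(self, name):
        return self.cache.get(name, self.stored[name])

    def put(self, name, value):      # no merge: the last Put wins
        self.cache[name] = value

    def set_info(self):
        self.stored.update(self.cache)
        self.cache.clear()
        return dict(self.stored)

def set_flags_separately(user):
    """The poster's non-working sequence: both Puts start from the same read."""
    flags = user.get("UserFlags")
    user.put("UserFlags", flags | ADS_UF_PASSWD_CANT_CHANGE)
    user.put("UserFlags", flags | ADS_UF_DONT_EXPIRE_PASSWD)  # drops the first bit
    return user.set_info()["UserFlags"]

def set_flags_combined(user):
    """The working sequence: OR both bits into one value and Put once."""
    flags = user.get("UserFlags")
    user.put("UserFlags", flags | ADS_UF_PASSWD_CANT_CHANGE | ADS_UF_DONT_EXPIRE_PASSWD)
    return user.set_info()["UserFlags"]

def set_flags_incrementally(user):
    """Also works: re-read the pending value before each Put."""
    for bit in (ADS_UF_PASSWD_CANT_CHANGE, ADS_UF_DONT_EXPIRE_PASSWD):
        user.put("UserFlags", user.get("UserFlags") | bit)
    return user.set_info()["UserFlags"]

def xor_flag(flags, bit):
    """XOR toggles rather than sets: on a bit that is already set it clears it."""
    return flags ^ bit

def has_flag(flags, bit):
    return flags & bit == bit
```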
