Allow a user to change their own password

  • Question

  • User-456194416 posted

    In our AD setup, I have added the "Change Password" permission for the SELF group for all of our regular domain users. It was my understanding that this would allow a user that logged in as themselves, e.g. bind to the directory, to change their password as long as they provided the existing password. This is not the case. The error I keep getting is below:

    0x32 (Insufficient access; 00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 )

    Access is encrypted over SSL and is using port 636. Am I understanding this incorrectly? Can anyone offer any suggestions?

    Thanks

    Rodney

    Monday, August 13, 2012 3:44 PM

Answers

  • User-1053269146 posted

    Just giving the permission to the users to change their password won't help. You need to go through the password policy entirely. In AD, the inbuilt rule won't allow the user to change the password whenever they want. Instead, some time interval is always defined. Overriding this can only be done by the Admin. Also you need to look into the security certificate for the same.

    The best method to avoid such a situation is to use some third-party tool such as ADSS which will allow the users to reset their password on their own. This will decrease the downtime and will allow the Admin to focus on other important things.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, August 20, 2012 7:15 AM

All replies

  • User636753033 posted

    See if this helps with checking out the permission setting: http://msdn.microsoft.com/en-us/library/windows/desktop/aa746398(v=vs.85).aspx

    Wednesday, August 15, 2012 10:31 AM
  • User-456194416 posted

    Thanks for your answer. I was hoping for a simpler solution without having to do anything programmatically. Are there any other security attributes that you can think of that need adjusting so that a PHP script using LDAP functions could update an AD user's password? Over SSL, of course.

    Thanks

    Thursday, August 16, 2012 11:27 AM
  • User636753033 posted

    That page should also tell you how to check to see if the current permissions allow the user to update their password. You also might check to make sure the code is running under the user's credentials. To test, you could code in the DirectoryEntry the username and password of the account and try changing the password. If it still does not work, it would appear the user cannot change their password. Also, once you made the change to their account, did they log off and back on before trying to change their password?

    Also see the link in Answer 2 on this page http://serverfault.com/questions/89492/users-cant-change-passwords-in-active-directory-using-ldaps and see notes in Answer 1 here http://stackoverflow.com/questions/11178481/ldap-changing-user-password-on-active-directory. Both mention something about having to delete the old password first.

    Thursday, August 16, 2012 7:06 PM
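
    The "delete the old password first" behaviour mentioned in those linked answers, as an added example that is not part of the original thread: Active Directory treats one LDAP modify that deletes the old `unicodePwd` value and adds the new one as a user's own password change, while a replace of `unicodePwd` is an administrative reset that needs the separate Reset Password right. The URI, DN and function names are hypothetical; the code assumes PHP 7+ with the ldap and mbstring extensions.

```php
<?php
// Added example, not code from the thread. Function names, URI and DN are
// hypothetical; requires ext-ldap and ext-mbstring.

/** AD expects unicodePwd as the password wrapped in double quotes, in UTF-16LE. */
function ad_encode_password(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/** Delete-old plus add-new, sent together in ONE modify request. */
function ad_password_change_mods(string $old, string $new): array
{
    return [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [ad_encode_password($old)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [ad_encode_password($new)]],
    ];
}

/** Bind as the user over LDAPS, then change that user's own password. */
function ad_change_own_password(string $uri, string $userDn, string $old, string $new): void
{
    $conn = ldap_connect($uri); // e.g. "ldaps://dc.example.test:636" (placeholder)
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        if (!@ldap_bind($conn, $userDn, $old)) {
            throw new RuntimeException('Bind failed: ' . ldap_error($conn));
        }
        if (!@ldap_modify_batch($conn, $userDn, ad_password_change_mods($old, $new))) {
            // The diagnostic message carries the AD text such as "problem 4003 (INSUFF_ACCESS_RIGHTS)".
            ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
            throw new RuntimeException('Change failed: ' . ldap_error($conn) . ' | ' . $detail);
        }
    } finally {
        ldap_unbind($conn);
    }
}

// Offline check with a constructed password: show the bytes that would be sent.
if (PHP_SAPI === 'cli') {
    echo bin2hex(ad_encode_password('Ab1!')), PHP_EOL;
}
```

    A single-value `ldap_mod_replace` on `unicodePwd` sends the reset form of the request instead, which a user holding only the Change Password right on their own account is not permitted to perform.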
  • User-456194416 posted

    None of the options mentioned are working. plyushagrawal: using a third-party application to allow a user to update their own password is exactly what I am trying to accomplish. I have a PHP program running on a Red Hat Linux server that is connecting to AD (LDAP) over SSL and is binding successfully as the AD user. The problem is that when they try to update their passwords through the web interface provided, AD is kicking back with the error:

     0x32 (Insufficient access; 00000005: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS)

    This is confusing to me, as permission has been given in AD to allow the user to update their passwords.

    Monday, August 27, 2012 4:37 PM