
AD LDS User Password Management in ADSI


I am having some issues managing users (user type objects) in AD LDS, specifically managing passwords. According to this article, I should be able to set a password for a user object by going to right click -> Reset password. If I do that, the dialog comes up, and I am able to type in passwords, however the "userPassword" field is not updated. The only way to do so is to edit the userPassword field manually, which isn't preferable since one can only use hex/decimal characters to set the value. Note that I did update the dsHeuristics field in configuration, and I am assuming it's working right since I can set the password manually by editing the userPassword field. Is there anything that I am missing in my setup that I should check to make sure that I am able to set the password field without manually editing the userPassword field?


Solution

  • Active Directory will never show you any value in userPassword. That is by design.

    If dsHeuristics is set to allow the use of the userPassword attribute, it is really only a synonym for the real password attribute: unicodePwd. But likewise, AD will never show you a value for unicodePwd either.

    But rest assured that when you right-click -> Reset password, or successfully update unicodePwd via LDAP (or userPassword when dsHeuristics is set to allow it), the password is actually changed. You can test this by trying to authenticate with the account.
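
The authentication test suggested in the answer can be scripted as an LDAP simple bind. The following is an added example, not part of the original answer; the server name, port and user DN are hypothetical placeholders, and it assumes the AD LDS instance has an LDAPS port so the simple bind does not send the password in cleartext.

```powershell
# Added example: confirm an AD LDS password reset by attempting a simple bind
# as the user. Returns $true on success, $false on invalid credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdsUserBind {
    param(
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [int]          $Port,
        [Parameter(Mandatory)] [string]       $UserDn,
        [Parameter(Mandatory)] [securestring] $Password
    )

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: protects the simple bind
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = [System.Net.NetworkCredential]::new($UserDn, $Password)
        $conn.Bind()          # throws LdapException if the server rejects the bind
        return $true
    }
    catch {
        # PowerShell may wrap the .NET exception; walk down to the LdapException.
        $e = $_.Exception
        while ($e -and $e -isnot [System.DirectoryServices.Protocols.LdapException]) {
            $e = $e.InnerException
        }
        # LDAP result code 49 = invalidCredentials (wrong password or unknown DN).
        if ($e -and $e.ErrorCode -eq 49) { return $false }
        throw   # anything else (server down, TLS failure) is not a password verdict
    }
    finally {
        $conn.Dispose()
    }
}

# Hypothetical values: replace with your instance's host, LDAPS port and user DN.
$pw = Read-Host -AsSecureString -Prompt 'Password that was just set'
Test-LdsUserBind -Server 'lds.example.test' -Port 636 `
                 -UserDn 'CN=testuser,OU=Users,DC=example,DC=test' -Password $pw
```

A `$false` result after a reset means the new password was not accepted; an exception means the test itself could not be completed and says nothing about the password.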