Last post Aug 27, 2012 04:37 PM by roliver0968
Aug 13, 2012 03:44 PM|roliver0968|LINK
In our AD setup, I have added the "Change Password" permission for the SELF group for all of our regular domain users. It was my understanding that this would allow a user that logged in as themselves, e.g. bind to the directory, to change their password as long as they provided the existing password. This is not the case. The error I keep getting is below:
0x32 (Insufficient access; 00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 )
Access is encrypted over SSL and is using port 636. Am I understanding this incorrectly? Can anyone offer any suggestions?
Aug 15, 2012 10:31 AM|gww|LINK
See if this helps with checking out the permission setting.
Aug 16, 2012 11:27 AM|roliver0968|LINK
Thanks for your answer. I was hoping for a simpler solution without having to do anything programmatically. Are there any other security attributes, that you can think of, that need adjusting so that a PHP script using the ldap functions could update an AD user's password? Over SSL, of course.
Aug 16, 2012 07:06 PM|gww|LINK
That page should also tell you how to check to see if the current permissions allow the user to update their password. You also might check to make sure the code is running under the user's credentials. To test, you could code in the directoryentry the username and password of the account and try changing the password. If it still does not work, it would appear the user cannot change their password. Also, once you made the change to their account, did they log off and back on before trying to change their password?
Also see the link in Answer 2 on this page http://serverfault.com/questions/89492/users-cant-change-passwords-in-active-directory-using-ldaps and see notes in Answer 1 here http://stackoverflow.com/questions/11178481/ldap-changing-user-password-on-active-directory. Both mention something about having to delete the old password first.
Aug 20, 2012 07:15 AM|piyushagrawal|LINK
Just giving the permission to the users to change their password won't help. You need to go through the password policy entirely. In AD, the inbuilt rule won't allow the user to change the password whenever they want. Instead, some time interval is always defined. Overriding this can only be done by the Admin. Also you need to look into the security certificate for the same.
Best method to avoid such a situation is to use some third-party tool such as ADSS, which will allow the users to reset their password on their own. This will decrease the downtime and will allow the Admin to focus on other important things.
Aug 27, 2012 04:37 PM|roliver0968|LINK
None of the options mentioned are working. piyushagrawal: using a third-party application to allow a user to update their own password is exactly what I am trying to accomplish. I have a PHP program running on a redhat-linux server that is connecting to AD (ldap) over SSL and is binding successfully as the AD user. The problem is that when they try to update their passwords through the web interface provided, AD is kicking back with the error:
0x32 (Insufficient access; 00000005: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS)
This is confusing to me, as permission has been given in AD to allow the user to update their passwords.
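
Added example, not part of any post in this thread: the two answers linked above describe a self-service change as deleting the old password and adding the new one, which in PHP is a single `ldap_modify_batch` call that removes the old `unicodePwd` value and adds the new one, whereas a plain replace of the attribute is handled by AD as an administrative reset. Assumptions: PHP 7 or later with the ldap extension, AD's `unicodePwd` encoding (password in double quotes, UTF-16LE), and placeholder host, DN and passwords.

```php
<?php
// Added example, not code from the thread. Host, DN and passwords are placeholders.

// AD expects unicodePwd as the password wrapped in double quotes, UTF-16LE encoded.
function adUnicodePwd(string $password): string
{
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}

// Self-service change: remove the old value and add the new one in ONE request.
// This is the operation covered by the "Change Password" right.
function buildSelfChange(string $old, string $new): array
{
    return [
        ['attrib'  => 'unicodePwd',
         'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values'  => [adUnicodePwd($old)]],
        ['attrib'  => 'unicodePwd',
         'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values'  => [adUnicodePwd($new)]],
    ];
}

// Bind as the user over LDAPS, then send the remove+add modification.
function changeOwnPassword(string $uri, string $userDn, string $old, string $new): void
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        if (!@ldap_bind($conn, $userDn, $old)) {
            throw new RuntimeException('bind failed: ' . ldap_error($conn));
        }
        if (!@ldap_modify_batch($conn, $userDn, buildSelfChange($old, $new))) {
            // 0x32 here means the directory still refused the remove+add form.
            throw new RuntimeException(sprintf('change failed: 0x%02x %s',
                ldap_errno($conn), ldap_error($conn)));
        }
    } finally {
        ldap_unbind($conn);
    }
}

// Example call (placeholders):
// changeOwnPassword('ldaps://dc.example.com:636',
//     'CN=Test User,OU=Staff,DC=example,DC=com', 'OldPlaceholder1!', 'NewPlaceholder2!');
```

Sending the same new value with `ldap_mod_replace` instead would be evaluated against the Reset Password right, not Change Password.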