04/12/2022 01:16 PM
Hi Team,
We are using SSM V5.5SP3. We have below query related to password.
Scenario:-
As part of AD service account provisioning, we need to make AD password as user cannot change password.
We have tried by adding below mappings in our AD connection but no luck and error details are below.
Mapping:
"cannotChangePassword": "1",
"CannotChangePassword": "1",
Error details:
Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E48, comment: Error in attribute conversion operation, data 0, v2580]
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E48, comment: Error in attribute conversion operation, data 0, v2580];
Is there any way to achieve this?
Regards,
Adithya
04/12/2022 02:46 PM
Hi Adithya,
Is CannotChangePassword an attribute that Active Directory supports?
As far as I know, there isn't an attribute exposed to do that but is controlled by the userAccountControl values, and you cannot set it directly.
Here's some I found for your reading.
Regards,
Avinash Chhetri
04/12/2022 02:46 PM
Hi Avinash,
Thank you very much for your reply.
Actually the complete requirement is "As part of AD service account provisioning, we need to set AD password as user cannot change password (Password should be fixed), user must not change password at next logon (It shouldn’t prompt for password change) and password never expires."
By adding below mappings into our JSON, we were able to make password as user must not change password at next logon (It shouldn’t prompt for password change) and password never expires.
"userAccountControl": "66048",
"pwdLastSet": "-1",
But as per the doc shared by you, to make PASSWD_CANT_CHANGE, userAccountControl is 64, but we have already mapped userAccountControl with 66048.
Is there any way to keep two userAccountControl like (66048 and 64) while provisioning the account?
Could you please share any thoughts?
Kind regards,
Adithya
04/12/2022 02:46 PM
Hi Adithya,
The UAC flags are cumulative in nature. Try adding relative flag decimal values and send the cumulative value to AD to do the required actions.
Regards,
Sahaj
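
The cumulative-flag arithmetic discussed in this thread, as an added example that is not part of any poster's reply or of Saviynt's code: it decodes the 66048 mapping, combines flags with bitwise OR, and reports flags that writing the attribute will not enforce. The flag table is a subset of the documented ADS_UF_* values and the function names are illustrative assumptions; Microsoft documents PASSWD_CANT_CHANGE as governed by the Change Password permission on the user object rather than by writing userAccountControl.

```python
# Added example: userAccountControl is a bitmask, so values combine with OR.
# Flag values are the documented ADS_UF_* constants (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
}

# Microsoft documents this flag as not assignable by writing the attribute;
# it reflects the "Change Password" permission on the user object instead.
ACL_CONTROLLED = {"PASSWD_CANT_CHANGE"}


def decode_uac(value):
    """Return (flag names set in value, ascending by bit; leftover unknown bits)."""
    names = [n for n, bit in UAC_FLAGS.items() if value & bit]
    known = 0
    for n in names:
        known |= UAC_FLAGS[n]
    return names, value & ~known


def compose_uac(*names):
    """OR the named flags; repeating a flag cannot carry into another bit."""
    value = 0
    for n in names:
        value |= UAC_FLAGS[n]
    return value


def review_mapping(value):
    """Flags in a provisioning value that a plain attribute write will not enforce."""
    names, _ = decode_uac(value)
    return [n for n in names if n in ACL_CONTROLLED]


if __name__ == "__main__":
    current = 66048                        # value from the thread's mapping
    print(decode_uac(current))             # flags already in the mapping
    wanted = current | UAC_FLAGS["PASSWD_CANT_CHANGE"]
    print(wanted, review_mapping(wanted))  # cumulative value, with the caveat
    # Plain addition of a flag that is already set flips a different bit:
    print(decode_uac(current + UAC_FLAGS["DONT_EXPIRE_PASSWORD"]))
```
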