Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

How can we make AD password as user cannot change password?

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 11 2021 at 18:30 UTC

Hi Team,

We are using SSM V5.5SP3. We have below query related to password.

Scenario:-

As part of AD service account provisioning, we need to make AD password as user cannot change password.

We have tried by adding below mappings in our AD connection but no luck and error details are below.

Mapping:

"cannotChangePassword": "1",

"CannotChangePassword": "1",

Error details:

Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E48, comment: Error in attribute conversion operation, data 0, v2580]

javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090E48, comment: Error in attribute conversion operation, data 0, v2580];

Is there anyway to achieve this?

Regards,

Adithya

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
3 REPLIES 3

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 11 2021 at 21:30 UTC

Hi Adithya,


Is  CannotChangePassword an attribute that Active Directory supports ?


As far as I know, there isnt an attribute exposed to do that but is controlled by the userAccountControl values, and you cannot set it directly.


Here's some I found for your reading.


https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-...





Regards,

Avinash Chhetri


This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 12 2021 at 03:29 UTC

Hi Avinash,


Thank you very much for your reply.


Actually the complete requirement is "As part of AD service account provisioning, we need to set AD password as user cannot change password (Password should be fixed), user must not change password at next logon (It shouldn’t prompt for password change) and password never expires."


By adding below mappings into our JSON, we were able to make password as user must not change password at next logon (It shouldn’t prompt for password change) and password never expires.


"userAccountControl": "66048",

"pwdLastSet": "-1",


But as per doc shared by you, to make PASSWD_CANT_CHANGE, userAccountControl is 64 but we are already mapped userAccountControl with 66048.


Is there any way to keep two userAccountControl like (66048 and 64) while provisioning the account?


Could you please share any thoughts?


Kind regards,

Adithya

 

 

 

 

 

 

 

 

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 12 2021 at 04:08 UTC

Hi Adithya,


The UAC flags are cumulative in nature. Trying adding relative flag decimal values and send the cumulative value to AD to do the required actions.


https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-...


Regards,

Sahaj

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.