
Active Directory Password Change RESETANDCHANGEPASSWRDJSON

Ches
New Contributor III

Hi,

I have an Active Directory endpoint configured in Saviynt.

I am looking to change the password of an account in Active Directory during a user update rule.

I have an application password policy configured in Saviynt, which meets my AD requirements. I have this policy configured in the security system 'Policy Rule'.

I also have a configured 'RESETANDCHANGEPASSWRDJSON' on the connection.

The User update rule logic is correct and creates a Change Password task as expected. But this task is what is failing. This is intermittent and sometimes will work, sometimes will fail. I cannot locate the issue.

Password Policy:

[screenshot attachment: Ches_0-1726146927450.png]

RESETANDCHANGEPASSWRDJSON (I have tried many variations, all with the same result):

{
  "RESET": {
    "pwdLastSet": "-1"
  },
  "CHANGE": {
    "pwdLastSet": "-1"
  }
}

The error code:

Error while change password operation for account-REDACTED in AD - [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12E8, problem 5003 (WILL_NOT_PERFORM), data 0 ]


Other things to note:

This connection is operating over port 636.

I have tried various password policy changes, making it extremely complex, but yet the same issues occur.

This is intermittent, sometimes the password change occurs, but mostly it seems to fail. It's random?

I have tried various different RESETANDCHANGEPASSWRDJSON, with the same result.

If I change the password via 'Change Password' -> 'Reset Account Password For Others', select the endpoint and manually type a password (remember, the Saviynt password policy I configured still applies here), then the password change works flawlessly. It creates the task and the password changes, as expected.


Why is this occurring and does anyone know what the issue is?


Many thanks,


rushikeshvartak
All-Star

Potential Causes

  1. Password Policy Mismatch: Ensure that the password policy configured in Saviynt matches exactly with the Active Directory password policy. The RESETANDCHANGEPASSWRDJSON payload you’ve provided (pwdLastSet: "-1") should reset the password, but if there are mismatches between Saviynt and AD policies, it can lead to issues.

  2. Password Complexity Requirements: Even though you have configured a password policy in Saviynt, the complexity requirements must be adhered to as per AD’s policy. If the generated password does not meet AD’s complexity requirements, the operation will fail.

  3. Port and Encryption Issues: Operating over port 636 indicates you're using LDAPS (LDAP over SSL). Ensure that the SSL/TLS certificates are valid and properly configured. Any issues with SSL/TLS could intermittently affect operations.

  4. AD Replication Delays: Sometimes, AD replication issues between domain controllers can cause intermittent failures. Ensure that all domain controllers are in sync and that there are no replication delays or issues.

  5. Service Account Permissions: Verify that the service account used by Saviynt has sufficient permissions to reset and change passwords for the user accounts. Lack of permissions or intermittent network issues can cause random failures.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
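Cause 2 in the reply above (a generated password that happens to break AD's complexity rules) is worth ruling out first, because the 0000052D in the posted error is ERROR_PASSWORD_RESTRICTION, the code AD returns when a new password fails its length, complexity, history or minimum-age checks. The Python below is an added example, not Saviynt's or Microsoft's code: it applies the default Windows complexity filter (no sAMAccountName, no displayName token of 3+ characters, at least 3 of 5 character classes) to a candidate password, and a constructed simulation shows how a generator with no per-class guarantee is refused on a random subset of attempts, which matches the "sometimes works" symptom. The account names, the 7-character minimum and the generator alphabet are assumptions.

```python
import random
import re
import string

# Delimiters AD uses when splitting displayName into tokens for the
# "must not contain parts of the user's name" rule.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")


def category_count(password: str) -> int:
    """Count how many of AD's five character classes the password uses."""
    classes = [
        any(c.isupper() for c in password),             # A-Z
        any(c.islower() for c in password),             # a-z
        any(c in string.digits for c in password),      # 0-9
        any(not c.isalnum() for c in password),         # punctuation (approximation)
        any(c.isalpha() and not c.isupper() and not c.islower()
            for c in password),                         # caseless scripts
    ]
    return sum(classes)


def check_ad_complexity(password, sam_account_name, display_name="", min_length=7):
    """Return the reasons AD's default complexity filter would refuse the
    password; an empty list means it passes. Password history and minimum
    password age are server-side state and cannot be checked offline."""
    reasons = []
    low = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than the {min_length}-character minimum")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        reasons.append("contains the sAMAccountName")
    for token in _NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in low:
            reasons.append(f"contains displayName token '{token}'")
    if category_count(password) < 3:
        reasons.append("uses fewer than 3 of 5 character classes")
    return reasons


def rejection_rate(sam_account_name, display_name, n=2000, length=8, seed=1):
    """Constructed simulation: draw candidates uniformly from a mixed alphabet
    with no guarantee that each class appears, and return the share AD would
    refuse. Any non-zero share shows up as intermittent task failures."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    refused = 0
    for _ in range(n):
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if check_ad_complexity(candidate, sam_account_name, display_name):
            refused += 1
    return refused / n
```

Run `check_ad_complexity` against a sample of the passwords the task actually generated (with the real sAMAccountName and displayName of the failing account) to confirm or exclude this cause before touching the connection or policy settings.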

Ches
New Contributor III

Hi, thanks for the reply.

In response

  1. Password Policy Mismatch: The policy should match closely. If anything, the Saviynt-configured policy is stricter. I note your point regarding (pwdLastSet: "-1"). There seem to be some differences on the forums regarding this value. Either -1 or 0. Both have the same behaviour, it seems.

  2. Password Complexity Requirements: The policy should match closely. If anything, the Saviynt-configured policy is stricter.

  3. Port and Encryption Issues: The connection etc. is valid and there are no known issues here.

  4. AD Replication Delays: Understandable, however no other issues relating to Saviynt and AD have been observed, which is why manual password changes from Sav also work as expected.

  5. Service Account Permissions: Permissions are correct, which is why manual password changes from Sav also work as expected.

rushikeshvartak
All-Star

Review and align the password policies between Saviynt and AD. Ensure that both systems have compatible rules for password complexity, length, expiration, etc. Document the discrepancies and adjust policies where feasible to achieve consistency.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.