Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Unable to create account in AD with SetRandompassword as False

piyushm
Regular Contributor II
Regular Contributor II

I am trying to create a service account in AD with SetRandompassword set to FALSE. The task is failing with LDAP error code 53-SVCErr: DSID-031A126A, problem 5003.

In the createaccountjson I am passing the userPassword using the dynamic attribute where user can I enter the password(as per password policy). The requirement is to not use randompassword.

Please let me know if anyone has faced this issue.

20 REPLIES 20

rushikeshvartak
All-Star
All-Star

Is it following AD Policy of AD. please share json


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

piyushm
Regular Contributor II
Regular Contributor II

Unable to copy the json here. But I am using "userPassword": ${password} (password is dynamic attribute) and all other mappings are as per connector guide.

The same json works if setrandompassword is set to TRUE. The account gets created in AD.

And I can see the userPassword attribute value in AD set to the password entered in ARS form. But when I bind using that password in AD it fails. So Is it possible that AD is not using userPassword attribute and storing the random generated password  internally?

@piyushm,

Try "UnicodePwd": ${password} instead of "userPassword": ${password} 

 

 

Regards,
Avinash Chhetri

piyushm
Regular Contributor II
Regular Contributor II

@avinashchhetri @rushikeshvartak - Thank you. I am able to create account with "UnicodePwd".

However, when I am using thesame in RESETANDCHANGEPASSWORDJSON, It is not working.

Meaning, when I change password using Change Password for Service Account Tile, the task gets completed but the new pwd is not working in AD. I only see pwdlastset as 0 in AD and whenchanged attribute updated to task completion timestamp.

I am using below:

{

"RESET":{
"pwdLastSet":"0",
"title":"password reset"},
"CHANGE":{

"UnicodePwd": {task.password},
"pwdLastSet":"-1",

"title":"password changed"}
}

 

@piyushm,

You need not set the UnicodePwd parameter in the RESETANDCHANGEPASSWORDJSON.

This functionality will trigger when you either reset password on behalf of others or change it for yourself, in both cases you provide the password explicitly. The internal logic picks it from the task table and send it across to the target instance.

 

 

Regards,
Avinash Chhetri

{"RESET": {"pwdLastSet": "0","title": "password reset"},"CHANGE": {"pwdLastSet": "-1","lockoutTime": 0,"title": "password changed"}}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

{
"cn" : "${cn}",
"givenName" : "${user.firstname}",
"objectclass" : [
"top",
"person",
"organizationalPerson",
"user"
],
"pwdLastSet" : "0",
"samaccountname" : "${samaccountname}",
"sn" : "${user.lastname}",
"unicodepwd" : "SaviyntForum@123qazxswedc",
"userPrincipalName" : "${userPrincipalName}",
"extensionAttribute1":"To be Deleted"
}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

piyushm
Regular Contributor II
Regular Contributor II

It works only if I pass "pwdLastSet":"-1" for RESET.  CHANGE paramenter does not make any update. It just resets the lastpwdset to 0 even if I pass it as -1.

Note that it is for Service Account.

{

"RESET":{
"pwdLastSet":"-1",
"title":"password reset"},
}

@piyushm,

How are you resetting the password for the service account ? from the UI or the API ?

Also it would make sense to start a new thread for this question as your original question seems to now have been answered.

 

 

 

Regards,
Avinash Chhetri

piyushm
Regular Contributor II
Regular Contributor II

@avinashchhetri 

I am resetting the password from UI. I will start a new thread if needed.

JohnLawson
Regular Contributor
Regular Contributor

Did you ever get a resolution for this? I am having a similar problem.

piyushm
Regular Contributor II
Regular Contributor II

Which json are you referring to?

For RESETANDCHANGEPASSWRDJSON, I used 

{
"RESET":{
"pwdLastSet":"-1"
}

}

 

For Createaccountjson it worked if I set these 2 parameters while creating account.

 

"accountExpires":"${if(ServiceAccountOwnerMap.ServiceAccountType.equals('Service Account')) {} else {0}}",
"pwdLastSet":"${if(ServiceAccountOwnerMap.ServiceAccountType.equals('Service Account')) {-1} else {0}

JohnLawson
Regular Contributor
Regular Contributor

The CHANGE parameter in the RESETANDCHANGEPASSWORDJSON. Were you able to get that working?

piyushm
Regular Contributor II
Regular Contributor II

You don't need CHANGE parameter. The RESET parameter alone does the job.

we are trying to reset the password via update rule with change password json but below is not working 

{
"RESET":
{"pwdLastSet":"0",
"title":"password reset"},"CHANGE":{"UnicodePwd": "!G0t2L0v3Th1s!!"}
}
error :
Error while change password operation for account-i10214 in AD - [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12E8, problem 5003 (WILL_NOT_PERFORM), data 0 ]

 

We don't set the password in the RESETANDCHANGEPASSWRDJSON but we've seen that error before when a password doesn't comply with the AD password policy like length or complexity.

Do you have SSL connection with AD? Looks like not based on error code.

Also I don't think UnicodePwd mapping is supported in RESETANDCHANGEPASSWORDJSON 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

SSL is working fine.

this is working now .. the above is a policy error.

{
"RESET":
{"pwdLastSet":"-1"},"CHANGE":{"UnicodePwd": "W3lC@me${user.startdate.format("ddMM")}${user.username.substring(user.username.length()-2)}#"}
}

our requirement is to update the password without making the pwdLastSet=0 , so when i tried with pwdLastSet=-1 , it updated the password without resetting to 0. so the pwdLastSet value would be a currenttimestamp.