
Unable to generate Active Directory Random password

SPAL
New Contributor


Hi Team,

Problem Statement: Create a new AD account with a random password to be sent to the user's manager as per the password policy.

We are not able to generate an Active Directory random password as we are getting the below error:

Relevant Logs:

"2024-05-15T15:15:38.610+00:00","ecm-worker","ldap.SaviyntGroovyLdapService","quartzScheduler_Worker-8-87g5j","ERROR","Error while creating account in AD - [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0"
"2024-05-15T15:15:38.676+00:00","ecm-worker","","null-87g5j",""," ]"
"2024-05-15T15:15:38.676+00:00","ecm-worker","","null-87g5j","","javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0"

Password policy: min length==> 15 characters

Connection Configuration:

SETRANDOMPASSWORD: TRUE

CREATEACCOUNTJSON:
{
"accountExpires": "0",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"pwdLastSet": "0",
"manager": "${managerAccount==null?'':managerAccount.accountID}",
"displayname": "${user.firstname} ${user.lastname}",
"givenName": "${user.firstname}",
"department": "${user.departmentname}",
"sn": "${user.lastname}",
"userPrincipalName": "${user.email}",
"sAMAccountName": "${user.username}",
"mail": "${user.email}",
"Description": "${user.jobcodedesc}",
"employeeID": "${user.employeeid}",
"initials": "${user.middlename}",
"l": "${user.city}",
"physicalDeliveryOfficeName": "${user.location}",
"PostalCode": "${user.regioncode}",
"st": "${user.state}",
"Title": "${user.title}",
"UnicodePwd": "Welcome@1234567",
"userAccountControl": "512"
}

Things Tried:

  1. When we hardcode the password {"UnicodePwd" : "Welcome@1234567"} we are able to provision the user account irrespective of useraccountcontrol as 512 or 544.
  2. When we do not provide any password attribute {neither UnicodePwd nor userPassword} in the createaccountjson and useraccountcontrol = 512 ==> Account is not provisioned
  3. When we do not provide any password attribute {neither UnicodePwd nor userPassword} in the createaccountjson and useraccountcontrol = 544 ==> Account is provisioned successfully with password as '2j+E''.
  4. Password attribute used in Email Template is '${task.password}'
  5. The remaining things that we have tried are mentioned below:

 

| Password Attribute | Value | UserAccountControl | Result |
|---|---|---|---|
| "UnicodePwd" | "Welcome@1234567" | 512/544 | Worked |
| "UnicodePwd" | "${randompassword}" | 512/544 | Not worked |
| "UnicodePwd" | "${randomPassword}" | 512/544 | Not worked |
| "userPassword" | "${randomPassword}" | 512/544 | Not worked |
| "userPassword" | "Welcome@1234567" | 512/544 | Not worked |

 

Password Policy has been defined in the Policy Rule in the Security System:

| Attribute Name | Attribute Value |
|---|---|
| Policy Name | AOBApplicationPasswordPolicy |
| Policy Description | Password Policy for Active Directory Application |
| Policy Scope | APPLICATION |
| Minimum Numeric Characters | 1 |
| Minimum Special Character | 1 |
| Minimum Alpha Numeric Characters | 1 |
| Minimum Alphabet Characters | 1 |
| Minimum Uppercase Characters | 1 |
| Minimum Lowercase Characters | 1 |
| Disallow Last Password | 5 |
| Use Blacklist Dictionary | NO |
| Regex Description | Password did not match as per Regex |
| Minimum Length | 15 |
| Expire After (Days) | 360 |

Please let us know what needs to be done here as we are stuck generating random password for AD Account Creation. 

Regards,

Saksham

3 REPLIES

rushikeshvartak
All-Star

For creating an account with a password, the connection should be LDAPS and not LDAP (389).


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak ,

Thanks for your reply. We are using LDAPS with 636 and not LDAP with 389.

Regards,

Saksham

Password Complexity Requirements

Ensure that the generated password complies with AD's password policies, which include:

  • Minimum length
  • Complexity requirements (e.g., inclusion of uppercase, lowercase, numbers, and special characters)

Your current policy seems comprehensive, but ensure the random password generation logic meets these requirements.


Regards,
Rushikesh Vartak
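An added diagnostic example in Python (not part of the thread and not Saviynt's own code): it decodes the directory error from the log line in the question, where 0000052D is the Win32 code ERROR_PASSWORD_RESTRICTION, and checks candidate passwords against the minimums in the posted policy table. The function names and the set of special characters are assumptions, since the page does not list which specials are allowed.

```python
import re
import secrets
import string

# Win32 codes that AD embeds as 8 hex digits in the LDAP diagnostic message.
WIN32_ERRORS = {
    0x52D: "ERROR_PASSWORD_RESTRICTION",  # length/complexity/history not met
    0x005: "ERROR_ACCESS_DENIED",
}

# Minimums copied from the policy table in the question.
POLICY = {"length": 15, "upper": 1, "lower": 1, "digit": 1, "special": 1}
SPECIALS = "!@#$%^&*()-_=+"  # assumption: allowed specials are not on the page

def decode_ad_error(log_line):
    """Return (ldap_result_code, win32_name) parsed from an AD error string."""
    m = re.search(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}):", log_line)
    if not m:
        return None
    code = int(m.group(2), 16)
    return int(m.group(1)), WIN32_ERRORS.get(code, f"UNKNOWN_0x{code:X}")

def policy_violations(pw):
    """List which minimums from POLICY the candidate password misses."""
    counts = {
        "length": len(pw),
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }
    return [rule for rule, minimum in POLICY.items() if counts[rule] < minimum]

def generate_password(length=POLICY["length"]):
    """CSPRNG draw: one character per required class, then fill and shuffle."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    line = ("Error while creating account in AD - [LDAP: error code 53 - 0000052D: "
            "SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0")
    print(decode_ad_error(line))                 # log line taken from the question
    print(policy_violations("2j+E"))             # constructed short sample value
    print(policy_violations(generate_password()))
```

Running the check on whatever value actually reaches the email template shows whether the generator is producing a password at all and which minimum it misses.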