Modify the Password of an AD LDS User

Applies To: Windows Server 2008

You can set and modify passwords for Active Directory Lightweight Directory Services (AD LDS) security principals over Secure Sockets Layer (SSL) connections (by using Ldp.exe) or over encrypted, non-SSL connections (by using ADSI Edit or Ldp.exe). To establish an SSL connection to AD LDS, you must install certificates on the computer that is running AD LDS and on all the clients that do not trust the certification authority (CA) that issued the AD LDS server’s certificate. To make SSL connections to an AD LDS instance, you must use Ldp.exe; ADSI Edit does not support SSL connections.

By default, an AD LDS instance automatically enforces any local or domain password policies that exist. If you create a new AD LDS user, and if you assign a password to that user that does not meet the requirements of the password policy that is in effect, the user will be disabled.

By default, AD LDS supports and enforces the password policy settings and account lockout settings that are provided by Windows Server 2008, including the following:

Minimum age

Maximum age

Complexity

History

Too many failed logon attempts

Disabling and enabling of accounts

If the server on which AD LDS is running belongs to a workgroup, the server's local password policy settings and account lockout settings are implemented. If the server on which AD LDS is running belongs to a domain, the password policy settings and account lockout settings from Active Directory Domain Services (AD DS) are implemented.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete these procedures. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

Modifying the password of an AD LDS user

  • Using ADSI Edit

  • Using Ldp over an encrypted, non-SSL connection

  • Using Ldp over an SSL connection

Using ADSI Edit

To modify the password of an AD LDS user using ADSI Edit

  1. To open Active Directory Service Interfaces (ADSI) Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.

  2. Connect and bind to the directory partition that contains the AD LDS user for whom you want to modify the password. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  3. Browse to the directory object representing the AD LDS user, and then right-click the directory object.

  4. Click Reset password, and then type a password for the user in New password and in Confirm password.

Using Ldp over an encrypted, non-SSL connection

To modify the password of an AD LDS by user using Ldp over an encrypted, non-SSL connection

  1. To open Ldp, click Start, click Run, type ldp, and then click OK.

  2. On the Options menu, click Connection Options.

  3. In Option Name, click LDAP_OPT_ENCRYPT.

  4. In Value, type 1, click Set, and then click Close.

  5. Connect and bind to the AD LDS instance, and then view the directory partition that contains the AD LDS user for whom you want to modify a password. For more information, see Manage an AD LDS Instance Using Ldp.exe.

  6. Right-click the AD LDS user, and then click Modify.

  7. In Attribute, type userpassword, and then, in Value, type a password for the account.

  8. Click Enter, and then click Run. The details pane displays a message similar to the following:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=Mary Baker,O=Microsoft,C=US',[1] attrs);
    Modified "CN=Mary Baker,O=Microsoft,C=US".
    

Additional Considerations

  • By default, an AD LDS instance that is running on Windows Server 2008 automatically enforces any local or domain password policies. If you set a password for an AD LDS user that does not meet the requirements of the password policy in effect, the user account will be disabled.

  • The AD LDS user for whom you modify the password must use the new password the next time that the user logs on.

  • This procedure applies to any object class that is used as a security principal in AD LDS. Any object class in AD LDS can be used as a security principal, as long as the object class definition contains the msDS-bindableobject auxiliary class and the unicodePwd attribute.

  • The user, person, inetOrgPerson, and OrganizationalPerson object classes are not available by default in the AD LDS schema. You must first import them. For more information, see Import the User Classes Supplied with AD LDS.

Using Ldp over an SSL connection

To modify the password of an AD LDS user by using Ldp over an SSL connection

  1. Install a server certificate on the computer where the AD LDS instance is running, and install a matching client certificate on the computer from which you administer the AD LDS instance if this client computer does not trust the CA that issued the server certificate. For more information, see Appendix A: Configuring LDAP over SSL Requirements for AD LDS.

  2. To open Ldp, click Start, click Run, in Open type ldp, and then click OK.

  3. Connect and bind to the AD LDS instance (select SSL in the Connect dialog box) that contains the user for whom you want to modify a password. For more information, see Manage an AD LDS Instance Using Ldp.exe.

  4. Right-click the AD LDS user, and then click Modify.

  5. In Attribute, type userpassword, and then in Value, type a password for the account.

  6. Click Enter, and then click Run. The details pane displays a message similar to the following:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=Mary Baker,OU=Beta
    users,O=Microsoft,C=US',[1] attrs);
    Modified "CN=Mary Baker,OU=Beta users,O=Microsoft,C=US".
    

Additional Considerations

  • By default, an AD LDS instance that is running on Windows Server 2008 automatically enforces any local or domain password policies. If you set a password for an AD LDS user that does not meet the requirements of the password policy in effect, the user account will be disabled.

  • If the AD LDS user is currently logged on, that user must log off for the new password to take effect.

  • This procedure applies to any object class that is used as a security principal in AD LDS. Any object class in AD LDS can be used as a security principal, as long as the object class definition contains the SecurityPrincipal static auxiliary class and the unicodePwd attribute.

  • The user, person, inetOrgPerson, and OrganizationalPerson object classes are not available by default in the AD LDS schema. You must import them first. For more information, see Import the User Classes Supplied with AD LDS .