PerlMonks  

Resolved: It does not change password in LDAP Windows 2012 R2

by francism8 (Novice)
on Feb 21, 2017 at 14:52 UTC (#1182436=perlquestion)
francism8 has asked for the wisdom of the Perl Monks concerning the following question:

Dear Perlmonks geeks,

I'm creating a script which will do a password reset, connecting over LDAP to Windows 2012 R2. I have tried the script below and it works using a Windows 2008 R2 LDAP connection, but when I run it against Windows 2012 R2 it says successful and the password does not change. Is anyone using a Windows 2012 LDAP connection to reset passwords who can show how it's done? Thanks

#!/usr/bin/perl -w
#
# changing user passwords in AD
#
use strict;
use warnings;
use Net::LDAP;
# module needed to encode AD password
use Unicode::String qw(utf8);
#
# ARGV is username password
my $username = $ARGV[0];
my $passwd   = $ARGV[1];
my $result;
my $adsvr    = 'twnlab.local';
my $adbinddn = 'cn=useradmin,ou=SERVICEDESK,ou=User,dc=twnlab,dc=local';
my $adpw     = 'P@ssw0rd11';

# report an LDAP failure (called below; the posted script did not define it)
sub LDAPerror {
    my ($from, $mesg) = @_;
    print STDERR "LDAP error while $from: code ", $mesg->code, " - ", $mesg->error, "\n";
}

# Connect to the AD server
#my $ad = Net::LDAP->new($adsvr, version => 3, scheme => 'ldaps', port => 636) or die "can't connect to $adsvr: $@";  # For LDAP Windows 2008 R2
my $ad = Net::LDAP->new($adsvr, version => 3, scheme => 'ldap', port => 389) or die "can't connect to $adsvr: $@";   # For LDAP Windows 2012 R2

# Bind as Administrator
$result = $ad->bind($adbinddn, password => $adpw);
if ($result->code) {
    LDAPerror("binding", $result);
    exit 1;
}

# check for username, get DN
$result = $ad->search(
    base   => "ou=User,ou=User,dc=twnlab,dc=local",
    filter => "(samAccountName=$username)",
    attrs  => ['distinguishedName'],
);
$result->code && die $result->error;
if ($result->count != 1) { die "ERROR: User not found in AD: $username" }
my $entry = $result->entry(0);    # there can be only one
my $dn = $entry->get_value('distinguishedName');

# AD wants the new password in double quotes, encoded as UTF-16LE
my $unicodePwd = utf8(chr(34) . $passwd . chr(34))->utf16le();

# change password entries etc.
#$result = $ad->modify($dn, replace => { unicodePwd => $unicodePwd });    # password change for 2008 AD
$result = $ad->modify($dn, replace => { userPassword => $unicodePwd });    # password change for 2012 AD
$result->code && die $result->error;
print "AD : SUCCESS: ${username} password changed.\n";
$ad->unbind();

Re: It does not change password in LDAP Windows 2012 R2
by Marshall (Abbot) on Feb 22, 2017 at 07:11 UTC
    Hi francism8!

    I do not claim any significant knowledge of Windows 2012 R2 AD (Active Directory). However, I hope that by asking a few (perhaps "dumb") questions you may be able to see something that I do not. Your code looks fundamentally sound to me (the flow and error checking appear to be ok). The main difference appears to be in how the two servers are configured.

    First, a lot of changes happen by moving from LDAPS (Secure LDAP), port 636, in Win 2008 R2 to plain LDAP, port 389, in Win 2012. That direction is usually much easier than moving from a plain connection to an encrypted connection. I don't know why that change in connection protocol was done, but it appears to work.

    As a rather bizarre idea, I considered that your code is actually "working" as written, although it is not achieving the desired result (an actual password change).

    I do not know why you changed from setting "unicodePwd" to setting "userPassword", so I investigated that.

    I found this on a site that I do not want to advertise here, but:

    unicodePwd is the "real password attribute"; that's what is used for user binds. It has very specific formatting requirements. Whenever you set a value, it must be a Unicode string enclosed in double quotes.

    userPassword is "switchable". It can be turned into a regular attribute, or it can be turned into a write-alias for unicodePwd. AD by default has it as a regular attribute. When userPassword is a write-alias for unicodePwd, it is written as a regular value, no Unicode, no double quotes. However, passwords can never be read.

    So one theory could be that you are successfully setting "userPassword" as a regular attribute. But that doesn't actually change "unicodePwd", because the AD (Active Directory) default for this field has not been configured as a write-only alias for "unicodePwd". Essentially you change "userPassword", but it doesn't matter? There appear to be some formatting details when using the "unicodePwd" alias.

    If you are able to read "userPassword", that would indicate that it is not an alias for "unicodePwd", because "real passwords" cannot be read. Try it and see what happens.

    I looked at the Microsoft site (unicodePwd attribute), and this attribute appears to be the same between Win 2008 R2 and 2012 R2.

    Hope these questions help you.

      Dear Marshall,

      Thanks for bringing this to my attention. After scratching my head over what the issue was, I read a forum in the PHP community that also uses LDAP in their code, and they mentioned that it should be a secure connection in order to change the attributes in LDAP.

      This attribute is written by an LDAP Modify under the following restricted conditions. Windows 2000 operating system servers require that the client have a 128-bit (or better) SSL/TLS-encrypted connection to the DC in order to modify this attribute. On Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system, the DC also permits modification of the unicodePwd attribute on a connection protected by 128-bit (or better) Simple Authentication and Security Layer (SASL)-layer encryption instead of SSL/TLS. In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview, if the fAllowPasswordOperationsOverNonSecureConnection heuristic of the dSHeuristics attribute (section 6.1.1.2.4.1.2) is true and Active Directory is operating as AD LDS, then the DC permits modification of the unicodePwd attribute over a connection that is neither SSL/TLS-encrypted nor SASL-encrypted. The unicodePwd attribute is never returned by an LDAP search.

      and so after reconfiguring Windows 2012 to enable the "Active Directory Certificate Services" feature, TADA.. it works...

      and so I use this code

      # connect over LDAPS (port 636) ...
      my $ad = Net::LDAP->new($adsvr, version => 3, scheme => 'ldaps', port => 636) or die "can't connect to $adsvr: $@";
      # ... and set unicodePwd, not userPassword
      $result = $ad->modify($dn, replace => { "unicodePwd" => $unicodePwd });

      Hope someone can help this in future. We can mark this as resolve and can be close :D.
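      The following is an added example written for this thread, not francism8's script and not part of Net::LDAP's own documentation. It puts the resolution above into one hardened routine: LDAPS with certificate verification, the quoted UTF-16LE unicodePwd value built with the core Encode module, an escaped search filter, a WILL_NOT_PERFORM check that names the causes discussed in this thread, and a read-back of pwdLastSet so that a "success" result code is never trusted on its own (the failure mode the original question describes). The hostname, CA file path, DNs and the AD_BIND_PW environment variable are assumptions for the example; the Net::LDAP calls (new with verify/cafile, bind, search, modify, entry, count, dn) and the Net::LDAP::Constant and Net::LDAP::Util imports are real.

```perl
#!/usr/bin/perl
# Added example: hardened AD password reset over LDAPS with Net::LDAP.
# Not the thread author's code. Hostnames, DNs and paths are placeholders.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_UNWILLING_TO_PERFORM);

# Build the value AD expects in unicodePwd: the password wrapped in double
# quotes, encoded as UTF-16LE. Encode is core, so Unicode::String is not needed.
sub unicode_pwd_value {
    my ($password) = @_;
    return encode('UTF-16LE', qq("$password"));
}

# Reset the password of the account whose sAMAccountName is $a{username}.
# Returns the account's DN on success; dies with a descriptive message otherwise.
sub reset_ad_password {
    my (%a) = @_;
    my $ldap = Net::LDAP->new(
        $a{host},
        scheme  => 'ldaps',
        port    => 636,
        version => 3,
        verify  => 'require',    # refuse an unverified DC certificate
        cafile  => $a{cafile},   # CA that issued the DC certificate (placeholder path)
    ) or die "cannot connect to $a{host} over LDAPS: $@\n";

    my $mesg = $ldap->bind($a{bind_dn}, password => $a{bind_pw});
    die "bind failed: " . $mesg->error . "\n" if $mesg->code;

    # Escape the username so a crafted value cannot change the filter's meaning.
    my $filter = '(sAMAccountName=' . escape_filter_value($a{username}) . ')';
    $mesg = $ldap->search(base => $a{base}, filter => $filter, attrs => ['pwdLastSet']);
    die "search failed: " . $mesg->error . "\n" if $mesg->code;
    die "expected exactly one account for $a{username}, found " . $mesg->count . "\n"
        unless $mesg->count == 1;
    my $entry  = $mesg->entry(0);
    my $dn     = $entry->dn;
    my $before = $entry->get_value('pwdLastSet') // '';

    # Only unicodePwd performs a real reset; userPassword is an ordinary
    # attribute unless the directory has been configured to alias it.
    $mesg = $ldap->modify($dn, replace => { unicodePwd => unicode_pwd_value($a{new_password}) });
    if ($mesg->code == LDAP_UNWILLING_TO_PERFORM) {
        die "DC refused the password set (WILL_NOT_PERFORM): the connection is not "
          . "encrypted, the value is not quoted UTF-16LE, or the new password violates "
          . "the domain password policy: " . $mesg->error . "\n";
    }
    die "modify failed: " . $mesg->error . "\n" if $mesg->code;

    # Do not trust the result code alone: confirm pwdLastSet actually moved.
    $mesg = $ldap->search(base => $dn, scope => 'base',
                          filter => '(objectClass=*)', attrs => ['pwdLastSet']);
    my $after = $mesg->code ? '' : ($mesg->entry(0)->get_value('pwdLastSet') // '');
    $ldap->unbind;
    die "LDAP reported success but pwdLastSet did not change for $dn\n"
        if $after eq '' || $after eq $before;
    return $dn;
}

# Usage: the new password is read from STDIN rather than argv, so it does not
# appear in process listings or shell history; the bind password comes from
# the environment (AD_BIND_PW is an assumed variable name).
if (!caller) {
    my ($username) = @ARGV;
    die "usage: $0 <sAMAccountName>   (new password on stdin)\n" unless defined $username;
    chomp(my $new_password = <STDIN>);
    my $bind_pw = $ENV{AD_BIND_PW} // die "set AD_BIND_PW in the environment\n";
    my $dn = reset_ad_password(
        host         => 'dc01.example.test',                              # placeholder
        cafile       => '/etc/ssl/certs/example-ad-ca.pem',               # placeholder
        bind_dn      => 'cn=useradmin,ou=ServiceDesk,dc=example,dc=test', # placeholder
        bind_pw      => $bind_pw,
        base         => 'ou=Users,dc=example,dc=test',                    # placeholder
        username     => $username,
        new_password => $new_password,
    );
    print "password reset for $dn\n";
}
```

      The pwdLastSet read-back is the check the original question was missing: the 2012 R2 script returned SUCCESS because the modify of userPassword really did succeed, just not on the attribute that governs logons. Comparing pwdLastSet before and after the modify catches that case without needing to read the (unreadable) password attribute, and the audit events listed later in this thread (4724, 4738) are the server-side counterpart of the same confirmation.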

        Dear Francism08,

        There's another way to do this: instead of installing the "Active Directory Certificate Services" feature you can just import an SSL certificate into "Trusted Root Certification Authorities". Below are the steps to create a self-signed certificate on your Windows 2012 R2 AD server in PowerShell running as Administrator, without the need to enable the AD CS feature.

        Step 1: New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname win2012r2t3.dev.fsmendoza.com

        Step 2: $pwd = ConvertTo-SecureString -String 'P@ssw0rd' -Force -AsPlainText

        Step 3: Export-PfxCertificate -cert cert:\localMachine\my\E72FD6F54234EDC717420F4C9FF8DBD68093D85F -FilePath c:\tmp\cert.pfx -Password $pwd

        Note: E72FD6F54234EDC717420F4C9FF8DBD68093D85F is the number that will show in Step 1.

        Step 4: double-click the cert.pfx that was created in c:\tmp and install it in "Trusted Root Certification Authorities", and done.

        This one requires a reboot of the server to apply.

        Thanks
Re: Resolved: It does not change password in LDAP Windows 2012 R2
by fsmendoza (Novice) on Feb 24, 2017 at 06:11 UTC

    To add: these are the event logs you will see on Windows 2012 R2 if the code was successful in changing the user's password.

    You can filter by these numbers in the Windows Security event log; search for: 4662, 4723, 4724, 627, 628, 4771, 4738

    4662 - An operation was performed on an object

    4723 - An attempt was made to change an account's password

    4724 - An attempt was made to reset an accounts password

    627 - Change Password Attempt

    628 - User Account password set

    4771 - Kerberos pre-authentication failed

    4738 - A user account was changed

    =========================================

    Log Name: Security
    Source:   Microsoft Windows Security
    Event ID: 4738
    Keywords: Audit Success

    ============================================================

    A user account was changed.

    Subject:
        Security ID:    devfsmendoza\useradmin
        Account Name:   useradmin
        Account Domain: devfsmendoza
        Logon ID:       0x65F62

    Target Account:
        Security ID:    devfsmendoza\user1
        Account Name:   user1
        Account Domain: devfsmendoza

    Changed Attributes:
        SAM Account Name:    -
        Display Name:        -
        User Principal Name: -
        Home Directory:      -
        Home Drive:          -
        Script Path:         -
        Profile Path:        -
        User Workstations:   -
        Password Last Set:   24/2/2017 1:55:09 PM
        Account Expires:     -
        Primary Group ID:    -
        AllowedToDelegateTo: -
        Old UAC Value:       -
        New UAC Value:       -
        User Account Control: -
        User Parameters:     -
        SID History:         -
        Logon Hours:         -

    Additional Information:
        Privileges: -
Re: It does not change password in LDAP Windows 2012 R2
by francism8 (Novice) on Feb 22, 2017 at 03:50 UTC

    Sharing the capture logs

    When I execute the script it says SUCCESS on the local Windows host.

     C:\script\perl> changepassword.pl user1 P@ssw0rd1234
     AD : SUCCESS: user1 password changed.n
     C:\script\perl>

    And when checking the security event logs on the Active Directory Windows 2012 R2 server, nothing shows for event IDs 4723, 4724, 627, 628:

     4723 - An attempt was made to change an account's password
     4724 - An attempt was made to reset an account's password
     627 - Change Password Attempt
     628 - User Account password set
      Hi There

      I tried the script but I keep getting the error 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0. We are running a hybrid AD environment where some of our servers are Windows Server 2003 and some have been migrated to Windows Server 2012 R2.

      Hope if some ideas could be shared.

Node Type: perlquestion [id://1182436]
Approved by Eily