Knowledge Base

Support Policies

Change password with AD LDS

Affected Versions: All

Cause:
By default, AD LDS requires that you perform password operations over a secure channel. If you try to reset a password over a non-secure channel (e.g., a default LDAP connection through LDP), you'll receive the error message: "Illegal modify operation. Some aspect of the modification is not permitted."

Resolution:
To resolve this problem, you should use an LDAP over Secure Sockets Layer (SSL) connection (which will require a certificate in place) to secure the connection.

Another option is to disable the secure-channel requirement so that you can reset the password over a non-secure, you should not use the option for your production environment. This method has security problems because the password can be read from the network.

To disable the secure-channel requirement, perform steps below.

  1. Start the ADSI Edit tool and connect to the "Configuration partition" of the AD LDS instance.
  2. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN=\{GUID of the AD LDS instance}.
  3. Right-click "CN=Directory Service" and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. Set the value to 0000000001001 and click OK, Click OK to the CN=Directory Service properties box.
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.