Page 4 - Modifying Active Directory passwords through PHP and IIS

An Active Directory server is a domain controller running Windows 2000 Server or greater. Windows XP is not a server operating system and therefore cannot serve an Active Directory domain structure.

As an MCSE, I can help you setup Active Directory if you have a machine running Windows 2000 Server...

Hmm in that case maybe my sysadmin at work could help me out, I'm on a Windows Networks I do believe running Windows 2003 server would that work?

Yes, Windows Server 2003 will run Active Directory, except Web Edition (but of course, it can be a member of an Active Directory domain). All other editions (Standard, Enterprise, SBS) will run it.

I doubt any system administrator will allow an employee to toy with the Active Directory infrastructure. It's a big deal. You can get an evaluation version of Windows Sever 2003 from Microsoft for free (download), though.

As I mentioned, I will be glad to help you with Active Directory (email, messanger), but I think we should keep is out of this thread since it will be off topic...

Ok I just got the info I need to connect to it, I of course only can edit my own info and a test account but should be usefull enough.



Normally no but I work with the guy we are friends. I'm the progammer he's the admin so we work on differnt things when needed.

I'll let you konw if I fine anything out

I think the only problem we have is encoding the password correctly. We have done EVERYTHING ELSE correctly (certificates, ports, etc). I wonder if this will work:



I will try it after work unless someone else tries it first...

excatly what I'll be trying out

Here's a little more info, in case it helps anyone:

The syntax of the unicodePwd attribute is octet-string; however, the directory service expects that the octet-string will contain a UNICODE string (as the name of the attribute indicates). This means that any values for this attribute passed in LDAP must be UNICODE strings that are BER-encoded (Basic Encoding Rules) as an octet-string. In addition, the UNICODE string must begin and end in quotes that are not part of the desired password.

There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password become the new password, regardless of what the old password was.

It would be easier to use the second meathod, so when you are playing with this make sure the user you are using to open the LDAP connection is a member of the Administrators, Domain Admins, or Schema Admins group.

Oh, this tool may be useful in checking your work. Usage: stringconverter \"New_Password\" /encode /unicode

I sent an email to someone who posted on PHP.net on how to write to the unicodePwd (which I posted here http://forums.devshed.com/showpost....00&postcount=50), asking if it really worked. Anyway, here's the email:

I've been trying that don't think I have the permission level lets see if I can get a test account with higher access

I will try it here pretty soon, and will report my results...

How are you logging into ldap? With SSL right? What excatly are you using? Because right now I think that's my problem, if I try port 636 it doesn't connect (with PHP but with ldapAdmin it connects fine) is there a certificate I have to add?