Set or Modify the Password of an AD LDS User

Applies To: Windows Server 2008

You can set and modify passwords for Active Directory Lightweight Directory Services (AD LDS) security principals over Secure Sockets Layer (SSL) connections (using Ldp.exe) or over encrypted, non-SSL connections (using ADSI Edit or Ldp.exe). To establish an SSL connection to AD LDS, you must install certificates on the computer running AD LDS and on all the clients. To make SSL connections to an AD LDS instance, you must use Ldp.exe; ADSI Edit does not support SSL connections.

By default, an AD LDS instance automatically enforces any local or domain password policies that exist. If you create a new AD LDS user, and if you assign a password to that user that does not meet the requirements of the password policy that is in effect, the user will be disabled.

By default, AD LDS supports and enforces the password policy settings and account lockout settings that are provided by Windows Server 2008, including the following:

  • Minimum age

  • Maximum age

  • Complexity

  • History

  • Too many failed logon attempts

  • Disabling and enabling of accounts

If the server on which AD LDS is running belongs to a workgroup, the server's local password policy settings and account lockout settings are implemented. If the server on which AD LDS is running belongs to a domain, the password policy settings and account lockout settings from Active Directory Domain Services (AD DS) are implemented.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.

Setting or modifying the password of an AD LDS user

  • Using ADSI Edit

  • Using Ldp over an encrypted, non-SSL connection

  • Using Ldp over an SSL connection

Using ADSI Edit

To set or modify the password of an AD LDS user using ADSI Edit

  1. Open ADSI Edit.

  2. Connect and bind to the directory partition containing the AD LDS user for whom you want to set or modify the password. For more information, see Use ADSI Edit to Manage an AD LDS Instance.

  3. Browse to the directory object representing the AD LDS user, and then right-click the directory object.

  4. Click Reset password, and then type a password for the user in New password and in Confirm password.

Additional considerations

  • To open ADSI Edit, on a computer with the AD LDS server role installed, click Start, click Administrative Tools, and then click ADSI Edit.

Using Ldp over an encrypted, non-SSL connection

To set or modify the password of an AD LDS user using Ldp over an encrypted, non-SSL connection

  1. Open Ldp.

  2. On the Options menu, click Connection Options.

  3. In Option Name, click LDAP_OPT_ENCRYPT.

  4. In Value, type 1, click Set, and then click Close.

  5. Connect and bind to the AD LDS instance, and then view the directory partition that contains the AD LDS user for whom you want to set a password. For more information, see Use Ldp.exe to Manage an AD LDS Instance.

  6. Right-click the AD LDS user, and then click Modify.

  7. In Attribute, type userpassword, and then, in Value, type a password for the account.

  8. Click Enter, and then click Run. The details pane displays a message similar to the following:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=Mary Baker,O=Microsoft,C=US',[1] attrs);
    Modified "CN=Mary Baker,O=Microsoft,C=US".

Additional considerations

  • To open Ldp, click Start, click Run, type ldp, and then click OK.

  • You can also use ADSI Edit to set or modify passwords: right-click the directory object that represents the AD LDS security principal in ADSI Edit, and then click Reset Password.

  • By default, an AD LDS instance running on Windows Server 2008 automatically enforces any local or domain password policies. If you set a password for an AD LDS user that does not meet the requirements of the password policy in effect, the user account will be disabled.

  • The AD LDS user for whom you set or modify the password must use the new password the next time that the user logs on.

  • This procedure applies to any object class that is used as a security principal in AD LDS. Any object class in AD LDS can be used as a security principal, as long as the object class definition contains the msDS-BindableObject auxiliary class and the unicodePwd attribute.

  • The user, person, inetOrgPerson, and OrganizationalPerson object classes are not available by default in the AD LDS schema. You must first import them.

Using Ldp over an SSL connection

To set or modify the password of an AD LDS user using Ldp over an SSL connection

  1. Install a server certificate on the computer where the AD LDS instance is running, and install a matching client certificate on the computer from which you administer the AD LDS instance.

  2. Open Ldp.

  3. Connect and bind to the AD LDS instance (select SSL in the Connect dialog box) containing the user for whom you want to set or modify a password. For more information, see Use Ldp.exe to Manage an AD LDS Instance.

  4. Right-click the AD LDS user, and then click Modify.

  5. In Attribute, type userpassword, and then in Value, type a password for the account.

  6. Click Enter, and then click Run. The details pane displays a message similar to the following:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=Mary Baker,OU=Beta users,O=Microsoft,C=US',[1] attrs);
    Modified "CN=Mary Baker,OU=Beta users,O=Microsoft,C=US".

Additional considerations

  • To open Ldp, click Start, click Run, in Open type ldp, and then click OK.

  • Establishing SSL connections requires the presence of certificates on the server and clients.

  • By default, an AD LDS instance running on Windows Server 2008 automatically enforces any local or domain password policies. If you set a password for an AD LDS user that does not meet the requirements of the password policy in effect, the user account will be disabled.

  • If the AD LDS user is currently logged on, that user must log off for the new password to take effect.

  • This procedure applies to any object class that is used as a security principal in AD LDS. Any object class in AD LDS can be used as a security principal, as long as the object class definition contains the SecurityPrincipal static auxiliary class and the unicodePwd attribute.

  • The user, person, inetOrgPerson, and OrganizationalPerson object classes are not available by default in the AD LDS schema. You must import them first. For more information, see Import the User Classes That Are Supplied with AD LDS.
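The two Ldp procedures above (encrypted non-SSL and SSL) can be scripted the same way from PowerShell with the System.DirectoryServices.Protocols classes. The following is an added example, not code from the Microsoft page: the `-UseSsl` switch corresponds to selecting SSL in the Ldp Connect dialog box, and the default path corresponds to setting LDAP_OPT_ENCRYPT to 1 (the Negotiate session is signed and sealed). It writes the userPassword attribute exactly as the procedures do, and then reads msDS-UserAccountDisabled back, because a password that fails the effective policy leaves the account disabled rather than failing loudly. The host name, ports, and the user DN in the usage lines are assumed values; the password is prompted for as a SecureString so that it never appears on the command line.

```powershell
# Added example (not from the original page): set an AD LDS user's password over an
# encrypted non-SSL connection (LDAP_OPT_ENCRYPT equivalent) or over SSL, then check
# whether the password policy disabled the account. Server, ports and DN are assumed.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-AdLdsUserPassword {
    param(
        [Parameter(Mandatory=$true)] [string] $Server,       # assumed host, e.g. 'adlds01.example.test'
        [Parameter(Mandatory=$true)] [int]    $Port,         # the instance's LDAP or SSL port
        [Parameter(Mandatory=$true)] [string] $UserDn,       # e.g. 'CN=Mary Baker,O=Microsoft,C=US'
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $NewPassword,
        [switch] $UseSsl
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    # Bind as the current Windows user (must be in the instance's Administrators group)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    if ($UseSsl) {
        # Ldp "SSL" check box: the server must present a certificate the client trusts
        $conn.SessionOptions.SecureSocketLayer = $true
    } else {
        # Ldp Connection Options -> LDAP_OPT_ENCRYPT = 1: sign and seal the Negotiate session.
        # AD LDS does not accept password writes over a plain, unencrypted bind.
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }

    try {
        $conn.Bind()

        # Expose the SecureString as plain text only for the duration of the request
        $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        try {
            $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
            $mod.Name      = 'userPassword'   # the attribute the Ldp procedure modifies
            $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
            [void]$mod.Add($plain)

            $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
            $req.DistinguishedName = $UserDn
            [void]$req.Modifications.Add($mod)
            $resp = $conn.SendRequest($req)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
            $plain = $null
        }
        if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
            throw "Modify of $UserDn failed: $($resp.ResultCode) $($resp.ErrorMessage)"
        }

        # A password that violates the effective policy disables the account instead of
        # failing the modify, so read msDS-UserAccountDisabled back and report it.
        $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $UserDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('msDS-UserAccountDisabled'))
        $entry    = $conn.SendRequest($search).Entries[0]
        $disabled = $false
        if ($entry.Attributes.Contains('msDS-UserAccountDisabled')) {
            $disabled = [bool]::Parse($entry.Attributes['msDS-UserAccountDisabled'][0])
        }
        return New-Object PSObject -Property @{ UserDn = $UserDn; Disabled = $disabled }
    } finally {
        $conn.Dispose()
    }
}

# Usage (assumed host, ports and DN; prompts for the password instead of taking it as text):
# $pw = Read-Host -AsSecureString 'New password'
# Set-AdLdsUserPassword -Server 'adlds01.example.test' -Port 50000 -UserDn 'CN=Mary Baker,O=Microsoft,C=US' -NewPassword $pw
# Set-AdLdsUserPassword -Server 'adlds01.example.test' -Port 50001 -UserDn 'CN=Mary Baker,O=Microsoft,C=US' -NewPassword $pw -UseSsl
```

If the returned object reports `Disabled = True` after a successful modify, the new password did not satisfy the local or domain policy described above; re-enable the account only after setting a compliant password.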

Additional references