Use CFLDAP to Add user onto Active Directory

[nitrog7]

How do you change a password? What I found out so far was that the password
must be:
- enclosed in quotes
- converted to unicode then base64
- run cfldap with SSL (port 636)
- Watch for the security limitations such as min characters, case sensitivity
and mixing letters and numbers.
- used with the attribute "unicodePWD"

My question is what functions to use to convert it to unicode.

Thanks,
-Giraldo

[Jeff999]

I am attempting to use CFLDAP to add users to Active Directory. So far, I have
been successful with adding them, but I believe the password is blank upon
creation. Has anyone had any luck adding a user w/ an assigned password?
Thanks!

[J.C.]

I've had success changing network passwords using the following code. Keep in
mind, my server is logged in using an account that has administrative rights in
order for this to work. Some will also disable the cfexecute tag, which needs
to be enabled.

<cfexecute name="NET USER" arguments="#ARGUMENTS.SAMACCOUNTNAME#
#ARGUMENTS.PASSWORD# /domain"></cfexecute>

[Okis14]

Has anyone been able to find out how to add a user?s password or modify it?

I've been building an application to do this and the password attribute has
put me to a stop.


I believe I found out what is needed for the USERACCOUNTCONTROL attribute.

Using Windows 2003 and adding an account I had to set the USERACCOUNTCONTROL
to 544 (enabled) or 546 (disabled). 514 would work but the Account is
disabled. When I use 512 the web page would break.

When looking in a AD using dsa.msc (Active Directory Users and Computers MMC)
if you add the Additional Account Information tab (included in the 2003
resource kit) you can see the USERACCOUNTCONTROL with a decode button next to
it. If you hit that button it will tell you that 512 = Normal user, 514 =
Disabled and Normal User, 544 = Password Not Required and Normal User and 546 =
Password Not Required, Normal User and Disabled.

When using 544 the account is created and I can log in with a blank password
regardless of the Domain password requirements. 546 is the same however the
account is disabled.

When I use 514 the account will be created however I can not enable it either
through Cold Fusion or through dsa.msc. When trying to enable it using dsa.msc
Windows will give an error saying that the password doesn't meet the
requirements. This is due to the password being blank.

When I use 512 my page will not work. I get a "Will not perform" error and
something about a missing attribute. I believe it is the userpassword
attribute not being sent correctly because 512 is using the password
requirements and yes when I manually put in the password using dsa.msc the
password will take. When I send the userpassword attribute (using 514, 544 or
546), I can query for it and display it but when logging in with it, it will
not work. I still haven't tried all of nitrog7 ideas on what the password
should be.





I've been looking all over the net trying to find out how to reset a password
and this thread is the closest that I've come.
Right now I have a scheduled task to run a VB script to reset the password to
a random generated password. So if anyone has any ideas on how the syntax
should be to reset a password please share it.

[dmichailov]

Did any of you folks find a way to change the unicodePwd password value in
Active Directory from CFLDAP? I am running into lots of problems with it - we
have CFLDAP via SSL, binding with Account Operator account, but still getting a
"WILL_NOT_PERFORM" message from AD.

Can anyone help?

[Hot Programmer]

Sorry Guys, Microsofts Help Site Says Specifically that the UnicodePwd is readonly.