Why do I receive an error when I try to change an Active Directory Application Mode (ADAM) user's password?
August 14, 2005
A. By default, ADAM requires that you perform password operations over a secure channel. If you try to reset a password over a nonsecure channel (e.g., a default LDAP connection through ADSI Edit), you'll receive the error message: "Illegal modify operation. Some aspect of the modification is not permitted."
To resolve this problem, you should use an LDAP over Secure Sockets Layer (SSL) connection (which will require a certificate in place) or use the ldap_opt_encrypt option of ldp.exe to secure the connection. The ADAM Help file has information about these options under "Set or modify the password of an ADAM user" in the document's "How To" section.
If this password reset is for a test environment and not for a production system, you can disable the secure-channel requirement so that you can reset the password over a nonsecure LDAP connection via ADSI Edit. To disable the secure-channel requirement, perform these steps:
1. Start the ADAM ADSI Edit tool (%systemroot%\ADAM\ADAM-adsiedit.msc).
2. Right-click the root of the "ADAM ADSI Edit" navigation branch in the left-hand pane of the Microsoft Management Console (MMC) and select "Connection to..."
3. Under the Connection name, enter "Configuration partition." Enter the server name and port. If you're running ADSI Edit on the ADAM server, the server name can be localhost and the port is the value set during installation (typically 389). Under "Connect to the following node," click "Well-known naming context:" and select Configuration, as the figure shows. Click OK.
4. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of the ADAM}.
5. Right-click "CN=Directory Service" and select Properties.
6. Double-click the dSHeuristics attribute.
7. Set the value to 0000000001001 and click OK, as the figure shows.
8. Click OK to close the CN=Directory Service properties box.
You can now reset passwords over nonsecure channels; however, if this system's role changes so that it holds useful or sensitive data, you should disable the nonsecure channel ability and use one of the options specified earlier.
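As an added example (not part of the original article and not Microsoft's code), the read-only PowerShell check below reports whether an ADAM instance currently has this relaxation in place, which is worth confirming before a test instance is given real data. It assumes the instance listens on localhost:389, treats a "1" in character 13 of dSHeuristics (as in the value set above) as the relaxed setting, and uses a function name, Test-NonsecurePasswordOps, chosen here for illustration.

```powershell
# Added example: read-only audit of dSHeuristics on an ADAM instance.
# Assumed values; replace with the server name and port of your own instance.
$server = 'localhost'
$port   = 389

# Hypothetical helper: returns $true when character 13 of the string is '1',
# the position set by the article's value 0000000001001.
function Test-NonsecurePasswordOps {
    param([string]$DsHeuristics)
    # An unset or shorter value leaves the default in force (secure channel required).
    if ([string]::IsNullOrEmpty($DsHeuristics) -or $DsHeuristics.Length -lt 13) {
        return $false
    }
    return $DsHeuristics[12] -eq '1'
}

# RootDSE supplies the configuration partition DN, so the instance GUID
# does not have to be typed by hand.
$rootDse  = [ADSI]"LDAP://${server}:${port}/RootDSE"
$configNC = [string]$rootDse.Properties['configurationNamingContext'].Value

# Same object the steps above open in ADSI Edit.
$dsPath = "LDAP://${server}:${port}/CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$ds     = [ADSI]$dsPath
$value  = [string]$ds.Properties['dSHeuristics'].Value

if (Test-NonsecurePasswordOps -DsHeuristics $value) {
    Write-Warning "dSHeuristics='$value': password operations are allowed over nonsecure LDAP."
} else {
    Write-Output "dSHeuristics='$value': a secure channel is still required for password operations."
}
```

The script binds with the current Windows credentials and changes nothing, so it can be run on a schedule to flag instances where the test-only setting was left enabled.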