Active Directory users unable to change passwords

Similar Messages

• Users Unable to Change Password

  Small Business 2011 Standard with Windows 7 Pro workstations - all fully updated.
  We have an issue where none of the users can change their passwords. They receive a message saying that the password
  doesn't meet the length, complexity or history requirements of the domain.
  I know (at least in my case) that the password hasn't been used before and there is no problem with the length
  and complexity. I've even tried switching off the password policies in the SBS Console with no success.
  Apart from the SBS Console is there anywhere else I should be looking that has a higher priority than the console?
  TIA

  We are using SBS 2008 (SP2), and we too are having this problem. Have done all the necessary GP changes. Have done gpupdate /force. As test user, I seem to be unable to change password at all (originally "minimum age" was 1 day, if that is somehow
  still in force might explain why); my end user has waited longer than that, she reports she can change her password but never back to anything in her history (original default was, I think, 24 passwords, might explain).
  While rsop on domain and clients/rdc  shows:
  Policy Policy Setting
  Enforce password history 0 passwords remembered
  Maximum password age 42 days
  Minimum password age 0 days
  Minimum password length 0 characters
  Password must meet complexity requirements Disabled
  Store passwords using reversible encryption Disabled
  Anybody any ideas now??? :(
  EDIT: Hmmm, net accounts /domain gives me:
  Force user logoff how long after time expires?: Never
  Minimum password age (days): 2
  Maximum password age (days): Unlimited
  Minimum password length: 0
  Length of password history maintained: 24
  Lockout threshold: 50
  Lockout duration (minutes): 10
  Lockout observation window (minutes): 10
  Computer role: PRIMARY
  The command completed successfully.
  Those settings would explain my problem, then!
  I can see that net accounts will allow me to alter this stuff, from the command-line, I guess that is what I need to do?
  NET ACCOUNTS
  [/FORCELOGOFF:{minutes | NO}]
  [/MINPWLEN:length]             
  [/MAXPWAGE:{days | UNLIMITED}]
  [/MINPWAGE:days]
  [/UNIQUEPW:number]
  [/DOMAIN]

• Windows 2008 R2 Active Directory User can not change their password

  Our AD domain already having two domain controllers with windows 2008 (not R2),  last week we added one more domain controler with windows 2008 R2 for that we run domain prep and forestprep. After this domain no  users can change their password by pressing ALT+CTRL+Del--Change password. Administrators can still reset the password, and if administrator provide the option change password and at next logon, it works, users can reset the password. But after login they can not.
  The error telling the new password does not meet length,complexity, history requirements. We are sure their is no Group policy which setting password/account policy. And even we tried to attach a simple password policy domain level with out complexity.
  Please provide a feedback..waiting for your response.
  Thanks

  additional info: up to Server 2008 R2, Windows ONLY supports ONE Password policy PER Domain. (exept: the R2 supports more pw-policies, but not with gpo, it has to be congifured with ADSI-Editor)
  So, in case you still use the 2008 / R2 - you Need to know that ;))
  regard..
  Stephan Ertel - MCITP/MCSA -
  From Windows 2008(Non R2) and higher is supported for more than one password policy with fine granted password polcy.DFL should be 2008.
  HTH
  Biswajit Biswas
  My
  Blogs|MCC
  |
  TNWiki
  Ninja  
  Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

• Users unable to change password via system pref's 10.4.10

  I am running 1 OD Master and 3 OD Replica's, all servers running 10.4.10, clients running 10.2.8, 10.39 and 10.4.10. All network users can log in with no problems at all, however if a user needs to change their password in System Preferences in 10.4.10, they are unable to do so. The old password field keeps saying "incorrect password" though the password is indeed correct. I have no problems changing any users password on the 10.2.8 and 10.3.9 machines using System Preferences. Any ideas??

  I'm working through a problem right now where my users were having problems changing their passwords. I'm using network user accounts. I had a password policy configured on the server where users were allowed to change their passwords, and the password had to be changed every 90 days.
  Well, the time came when it was time to change the passwords and users were prompted to do so and did. However, afterwards they started receiving Kerberos password prompts, and it wouldn't take their new password. Restarting didn't help either. If I reset the password on the server, the user could login and things would be fine until they tried to change the password in Sys Prefs : Accounts and the problem would repeat itself.
  So far, the solution seems to be disabling the password policies in the Open Directory service in Server Admin. I'm going back on-site tomorrow to see what I can find out. You might want to give that a shot.

• Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

  I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
  Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
  If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
  Here are some things I've tried:
  * stopping and restarting the Open Directory service in Server.app
  * restarting the server
  * disabling and re-enabling an existing user account
  * inspecting user records in Directory Utility for any peculiar attributes
  * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
  Does anyone have any other ideas or suggestions?

  UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
  1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
  2) Create a new user in Open Directory.
  3) Log in once. No problem.
  4) Now check the "Passwords must: be reset on first user login" box.
  5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

• Building a Basic Runbook to disable a Active Directory User who has not logged in for 90 days.

  I am new to Orchestrator.  I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008.  I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled
  and moved to another OU.  However, I would be happy just to have the account just be disabled.  If you need any more info or I have posted in the wrong forum, please let me know.  
  Thanks

  Hi,
  there is no SCO Activity to do this.
  Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
  Best will be you take a look at this PowerShell Script
  http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  and change it to your needs
  Seidl Michael | http://www.techguy.at |
  twitter.com/techguyat | facebook.com/techguyat

• Active Directory user passwords on mobile account with File Vault

  Hi all,
  I enabled file vault when I moved to my MacBook Pro. I joined the computer to the domain (after enabling file vault), and logged in with my domain account, creating a managed, mobile account so that I could use the computer when not connected to the domain.
  Active Directory has forced a change in my password for the domain account but I cannot get the password on the Mac to change the password and sync with the domain.
  My account (the one with the changed network password) on the Mac is a standard user account. When I open system preferences, go to Security & Preferences, General, click on the lock to unlock and allow change and then click Change Password  ..., I receive the following error message after going through the steps to change the password:
  The password for the account "user" was not changed. There was a problem with your password. It's possible your system administrator doesn't allow you to change your password. Contact your system administrator for help.
  For Old Password, I used the old network password, the one that I use to log into the Mac. For New Password, I used my new, current password.
  The same result happens when I attempt to change the password from the Users & Groups section of the System Preferences.
  I have logged out and logged in with the user account that is identified as the admin and get a similar (same ?) error when attempting to change the password.
  Any suggestions? How do I get the passwords to be one so that I can forget the old password?

  Thanks for your insights.
  The Tech Tool report happened after AppleJack, and never showed up before that. Restarting again just now, it showed up again.
  I had not emptied the trash, but did now, and the 'get info' on my hard drive still shows that I have used nearly all of my 160 GB.
  Re Disk Warrior: I do have it and just ran it. I emptied trash again and checked to see available disk space: I have 2.47 GB, so the problem still exists.
  Here is the disk warrior report for the first part of its tests:
  DiskWarrior has successfully built a new optimized directory for the disk named "Hildegarde." The new directory is
  ready to replace the original directory.
  There is not enough contiguous free space for a fail-safe replacement of the directory. It is highly recommended that
  you create 204 MB of contiguous free space before replacing the original directory.
  All file and folder data was easily located.
  Comparison of the original and replacement directories indicates that there will be changes to the number, the
  contents and/or the attributes of the files and folders. It is recommended that you preview the replacement
  directory and examine the items listed below. All files and folders were compared and a total of 14,627,488
  comparison tests were performed.
  • Errors, if any, in the directory structure such as tree depth, header node, map nodes, node size, node counts, node
  links, indexes and more have been repaired.
  • 1 folder had a directory entry with an incorrect custom icon flag that was repaired.
  Disk Information:
  Files: 552,652
  Folders: 131,014
  Free Space: 2.47 GB
  Format: Mac OS Extended
  Block Size: 4 K
  Disk Sectors: 321,410,736
  Media: HDT722516DLAT80
  Time: 11/28/08 6:54:19 PM
  DiskWarrior Version: 4.1

• I am unable to change passwords for any users.  The "change password" is grayed out.

  I am unable to change passwords for any users.  The "change password" is grayed out.  I know there is a way to change them but I am having trouble finding it.
  Message was edited by: dmw1975

  If you're in the Users pane of the server app, and you select Network Users from the drop-down near the top, there's a small padlock icon at the bottom. Is it locked or open? If locked, click it and enter credentials into the authorisation box that opens

• Unable to login @ login window with Active Directory User

  I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my active directory user account an authenticate perfectly. All search bases are correct and everything else looks fine.
  When I attempt to login from the login window as an AD user, the window shakes. Clicking under Mac OS X shows that "Network Accounts Available". Looks like the CLI tool "dirt" is now gone as well, although insecure it would possibly show something here.
  Anyone else having issues after binding to AD? I bound using the Directory Utility gui... I have not tried using my leopard bind script yet.
  Thanks,
  Ken

  I have pretty well the same problem. The machine was already bound to AD prior to upgrade. After could not login on with my account (jball). Can log on with other accounts from the same domain (we only have one AD domain). Can also su to jball in a terminal session. Can't access network resources with jball when I try to connect to a windows server through the finder, instantly comes up with bad username or password, doesn't even think about it.
  I have removed any copies of the home folder under either /Users or /Domain as I have had problems with that before. Have repaired permissions and unbind and bind the machine to AD. Have been at this all day now and no closer. Get these error messages in console:
  31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
  31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
  31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• Creating active directory users with dscl

  Our mac workstations (OSX 10.8) are bound to a 2008 Active Directory server.  We are attempting to use some existing dscl scripts on the mac client computer to create Active directory users.  We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error.  Here are some examples.
  SUCCESSFUL READ OF AD USER ATTRIBUTE:
  root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
  Password:
  SMBHomeDrive: H:
  root#
  SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
  root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
  Password:
  root#
  FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
  root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
  Password:
  <main> attribute status: eDSInvalidRecordType
  <dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
  root#
  The same error occurs when attempting to create a new user.  Any ideas?  Thanks in advance for any suggestions.

  In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
  However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
  the command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username>

• How to display active directory users through weblogic portal Application?

  Hi,
  Does anyone has faced this situation?
  I configured the activedirectory and able to see the users and group in the weblogic console at Security->Realms->Myrealm->users. when I run my portal application,I am able to see only the users that are configured in embedded weblogic LDAP ie, I can see only the users weblogic,portaladmin and yahooadmin that are of defaultauthenticator provider.I need to display the active directory users also in our portal.
  I have two doubts on this?
  1)Is it I need to write custom code to view the active directory users in our portal?
  2)Does I need to use any jars that supports active directory authenticator?
  I would appreciate if any one can reply on this with helpfull docs/information.
  We are using BEA 8.1 SP4.
  Windows 2000.
  Surendra

  Hi,
  I too have a similar kind of requirement, i use a jsp to do this activity, but i get an exception, i have shown the entire jsp code below,
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <%@ page import="java.util.Set" %>
  <%@ page import="javax.naming.Context" %>
  <%@ page import="weblogic.jndi.Environment" %>
  <%@ page import="weblogic.management.MBeanHome" %>
  <%@ page import="weblogic.management.configuration.DomainMBean" %>
  <%@ page import="weblogic.management.configuration.SecurityConfigurationMBean" %>
  <%@ page import="weblogic.management.security.RealmMBean" %>
  <%@ page import="weblogic.management.security.authentication.AuthenticationProviderMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserPasswordEditorMBean" %>
  <%@ page import="weblogic.security.providers.authentication.LDAPAuthenticatorMBean" %>
  <%@ page import="weblogic.management.configuration.EmbeddedLDAPMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserEditorMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserReaderMBean" %>
  <%@ page import="weblogic.management.security.authentication.GroupReaderMBean" %>
  <%@ page import="weblogic.management.utils.ListerMBean" %>
  <%@ page import="javax.management.MBeanException" %>
  <%@ page import="javax.management.modelmbean.RequiredModelMBean" %>
  <%@ page import="examples.security.providers.authentication.manageable.*" %>
  <%@ page import="weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBean" %>
  <%@ page import="weblogic.management.utils.InvalidParameterException" %>
  <%@ page import="weblogic.management.utils.NotFoundException" %>
  <%@ page import="weblogic.security.SimpleCallbackHandler" %>
  <%@ page import="weblogic.servlet.security.ServletAuthentication"%>
  <%!
  private String makeErrorURL(HttpServletResponse response,
  String message)
  return response.encodeRedirectURL("welcome.jsp?errormsg=" + message);
  %>
  <html>
  <head>
  <title>Password Changed</title>
  </head>
  <body>
  <h1>Password Changed</h1>
  <%
  // Note that even though we are running as a privileged user,
  // response.getRemoteUser() still returns the user who authenticated.
  // weblogic.security.Security.getCurrentUser() will return the
  // run-as user.
  System.out.println("------------------------------------------------------------------");
  String username = request.getRemoteUser();
  System.out.println("User name -->"+username);
  // Get the arguments
  String currentpassword = request.getParameter("currentpassword");
  System.out.println("Current password -->"+currentpassword);
  String newpassword = request.getParameter("newpassword");
  System.out.println("New password -->"+newpassword);
  String confirmpassword = request.getParameter("confirmpassword");
  System.out.println("Confirm password -->"+confirmpassword);
  // Validate the arguments
  if (currentpassword == null || currentpassword.length() == 0 ||
  newpassword == null || newpassword.length() == 0 ||
  confirmpassword == null || confirmpassword.length() == 0) { 
  response.sendRedirect(makeErrorURL(response, "Password must not be null."));
  return;
  if (!newpassword.equals(confirmpassword)) {
  response.sendRedirect(makeErrorURL(response, "New passwords did not match."));
  return;
  if (username == null || username.length() == 0) {
  response.sendRedirect(makeErrorURL(response, "Username must not be null."));
  return;
  // First get the MBeanHome
  String url = request.getScheme() + "://" +
  request.getServerName() + ":" +
  request.getServerPort();
  System.out.println("URL -->"+url);
  Environment env = new Environment();
  env.setProviderUrl(url);
  Context ctx = env.getInitialContext();
  MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.LOCAL_JNDI_NAME);
  System.out.println("MBean home obtained....");
  DomainMBean domain = mbeanHome.getActiveDomain();
  SecurityConfigurationMBean secConf = domain.getSecurityConfiguration();
  // Sar
  EmbeddedLDAPMBean eldapBean = domain.getEmbeddedLDAP();
  System.out.println("Embedded LDAP Bean obtained...."+eldapBean );
  RealmMBean realm = secConf.findDefaultRealm();
  System.out.println("RealmMBean obtained....");
  AuthenticationProviderMBean authenticators[] = realm.getAuthenticationProviders();
  System.out.println("AuthProvMBean obtained....");
  // Now get the UserPasswordEditorMBean
  // This code will work with any configuration that has a
  // UserPasswordEditorMBean.
  // The default authenticator implements these interfaces
  // but other providers could work as well.
  // We try each one looking for the provider that knows about
  // this user.
  boolean changed=false;
  UserPasswordEditorMBean passwordEditorMBean = null;
  System.out.println("UserPwdEdtMBean obtained....");
  //System.out.println("Creating MSAI....");
  //ManageableSampleAuthenticatorImpl msai =
  // new ManageableSampleAuthenticatorImpl(new RequiredModelMBean());
  //System.out.println("Done....");
  for (int i=0; i<authenticators.length; i++) {
  System.out.println("### Authenticator --->"+authenticators);
  if (authenticators[i] instanceof ActiveDirectoryAuthenticatorMBean)
  ActiveDirectoryAuthenticatorMBean adamb =
  (ActiveDirectoryAuthenticatorMBean)authenticators[i];
  System.out.println("### ActiveDirectoryAuthenticatorMBean .....");
  String listers = adamb.listUsers("*",0);
  while(adamb.haveCurrent(listers))
  System.out.println("### ActiveDirectoryAuthenticatorMBean user advancement.....");
  adamb.advance(listers);
  if (authenticators[i] instanceof UserPasswordEditorMBean) {
  passwordEditorMBean = (UserPasswordEditorMBean) authenticators[i];
  System.out.println("Auth match ...."+passwordEditorMBean);
  try {
  // Now we change the password
  // Sar comment
  System.out.println("Password changed....");
  //passwordEditorMBean.changeUserPassword(username,
  // currentpassword, newpassword);
  changed=true;
  // Sar Comment
  catch (InvalidParameterException e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  catch (NotFoundException e) {
  catch (Exception e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  // Sar code
  LDAPAuthenticatorMBean ldapBean = null;
  UserReaderMBean urMBean = null;
  UserEditorMBean ueMBean = null;
  GroupReaderMBean gMBean = null;
  //ListerMBean lBean = null;
  try
  if (authenticators[i] instanceof LDAPAuthenticatorMBean)
  ldapBean = (LDAPAuthenticatorMBean) authenticators[i];
  String userFilter = ldapBean.getAllUsersFilter();
  System.out.println("userFilter ="+userFilter);
  if (authenticators[i] instanceof UserEditorMBean)
  try
  System.out.println("UserEditorMBean...");
  ueMBean = (UserEditorMBean) authenticators[i];
  System.out.println("List users..."+ueMBean);
  boolean b = ueMBean.userExists("webuser");
  System.out.println("User Exists->>>"+b);
  String cursor = ueMBean.listUsers("webuser", 2);
  System.out.println("List User ----->"+cursor);
  catch(InvalidParameterException e)
  response.sendRedirect(makeErrorURL(response, "ERROR InvalidParameterException:" + e));
  catch(java.lang.reflect.UndeclaredThrowableException e)
  response.sendRedirect(makeErrorURL(response, "ERROR UndeclaredThrowableException :" + e));
  e.printStackTrace();
  catch(Exception e)
  response.sendRedirect(makeErrorURL(response, "ERROR LBean:" + e));
  catch(Exception ex)
  ex.printStackTrace();
  response.sendRedirect(makeErrorURL(response, "ERROR:" + ex));
  return;
  if (passwordEditorMBean == null) {
  response.sendRedirect(makeErrorURL(response, "Internal error: Can't get UserPasswordEditorMBean."));
  return;
  System.out.println("pwd changed ->"+changed);
  if (!changed) {
  // This happens when the current user is not known to any providers
  // that implement UserPasswordEditorMBean
  response.sendRedirect(makeErrorURL(response,
  "No password editors know about user " + username + "."));
  return;
  %>
  User <%= username %>'s password has been changed!
  <br>
  <br>
  </body>
  </html>
  Here is the console log
  User name -->webuser
  Current password -->i
  New password -->u
  Confirm password -->u
  URL -->http://localhost:7011
  MBean home obtained....
  Embedded LDAP Bean obtained....[Caching Stub]Proxy for mydomain:Name=mydomain,Type=EmbeddedLDAP
  RealmMBean obtained....
  AuthProvMBean obtained....
  UserPwdEdtMBean obtained....
  ### Authenticator --->Security:Name=myrealmDefaultAuthenticator
  Auth match ....Security:Name=myrealmDefaultAuthenticator
  Password changed....
  UserEditorMBean...
  List users...Security:Name=myrealmDefaultAuthenticator
  User Exists->>>true
  java.lang.reflect.UndeclaredThrowableException
  at $Proxy1.listUsers(Unknown Source)
  at jsp_servlet.__updatepassword._jspService(__updatepassword.java:411)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
  at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
  a:1006)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:463)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
  ontext.java:6718)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:37
  64)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  Caused by: javax.management.MBeanException
  at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:551)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
  at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.j
  ava:988)
  at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
  at weblogic.management.commo.CommoProxy.invoke(CommoProxy.java:365)
  ... 14 more
  ### Authenticator --->Security:Name=myrealmDefaultIdentityAsserter
  pwd changed ->true
  Can u pls let me know how to get all the entries from LDAP.
  Thanx
  Sar

• Number of days before user needs to change password

  If I enter a value for "Number of days before user needs to change password" will that effect both user and supervisor accounts or just user accounts? I have a supervisor account that we use for a lot of processes and do not want it to expire. However, our corporate security policy is to have user passwords expire at least every 90 days. Has anyone faced this before?<BR><BR>Thanks,<BR><BR>Mburkett

  mburkett,<BR><BR>Version 7.X has the external authentication option. The integration with active directory is very easy and can be configured in a few minutes. However, if your Essbase user names are different than MSAD user names, you would have to replace all Essbase users with their domain ID in order to use external authentication. If the user names are the same, it is only a matter of changing the flag to use the external AD password, rather then the Essbase password. <BR><BR>If you are not using Hyperion HUB, you should install it prior to implementing External Authentication.<BR><BR>I don't know the details of your custom job scheduler, but if it is based on ESSCMD, I dont see why it would not continue to work with an upgraded version.<BR><BR>Good Luck,<BR><BR>Chris

• 10.7.4 Web Access for Active Directory Users

  Does anyone know how to permantly set the AuthType in Web Services to Basic ?
  The reason I ask is I have a web site I want to protect and allow active directory users access to it.
  I have added the users to a local group, added the group to the Who Can Access option.
  Local users can log in but not Active Directory.  If I edit the conf file for the site in /etc/apache2/sites and change the AuthType from Digist to Basic it works fine until I change something in the server app then the conf file gets rewritten.
  Dan

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

  We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
  What confuses me even more is that no local users can mount the share as well.  I try as our admin account, I receive the following error message on our 10.6 clients:
  Actually, as I was forumulating this post, logging in as the server administrator account is now working...???!!!
  This was the error message we were receiving on 10.7 clients before it magically started working:
  In any case, authenticating as an AD user is still no go.  Any ideas?

  I had something similar to this. In the name field put in DOMAIN\username rather than just the name.