Change password in cm.properties?

Similar Messages

• How to change password for a user in WLS 7.0 embedded ldap in code?

  I asked the similar question before but don't have an answer yet.
  I need to change password for a user in my Java code. Any help will be
  appreciated.
  Here is my stack trace:
  c:\Test>java -classpath . testEmbeddedLdap
  attribute: uid
  attribute: description
  attribute: objectclass
  attribute: wlsMemberOf
  attribute: sn
  attribute: cn
  javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient
  Access Rights]; remaining name
  'uid=myRegularUser,ou=people,ou=myrealm,dc=mydomain'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2872)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2810)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2616)
  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1374)
  at
  com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDir
  Context.java:255)
  at
  com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(Partial
  CompositeDirContext.java:172)
  at
  com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(Partial
  CompositeDirContext.java:161)
  at
  javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.
  java:146)
  at testEmbeddedLdap.main(testEmbeddedLdap.java:30)
  Here is my testing code:
  <PRE>
  import java.util.*;
  import javax.naming.*;
  import javax.naming.directory.*;
  public class testEmbeddedLdap {
  public static void main(String[] argv) {
  Hashtable env = new Hashtable(11);
  env.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://localhost:7001");
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL, "uid=myAdministrator, ou=people,
  ou=myrealm, dc=mydomain");
  env.put(Context.SECURITY_CREDENTIALS, "myAdministrator");
  try {
  DirContext ctx = new InitialDirContext(env);
  String
  sUser="uid=myRegularUser,ou=people,ou=myrealm,dc=mydomain";
  String sOldPassword="myRegularUser";
  String sNewPassword="newpassword";
  for (NamingEnumeration ae = ctx.getAttributes(sUser).getAll();
  ae.hasMore(); ) {
  Attribute attr = (Attribute)ae.next();
  System.out.println("attribute: " + attr.getID());
  ModificationItem[] mods = new ModificationItem[2];
  Attribute mod0 = new BasicAttribute("userpassword",
  sOldPassword);
  mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
  mod0);
  Attribute mod1 = new BasicAttribute("userpassword",
  sNewPassword);
  mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, mod1);
  ctx.modifyAttributes(sUser, mods);
  ctx.close();
  } catch (NamingException e) {
  e.printStackTrace();
  </PRE>
  "Neil Smithline" <[email protected]> wrote in message
  news:[email protected]...
  Two things. First, I'm not exactly sure what password you are trying to
  change. The LDAP server's password or a user's password in the LDAP
  server. Second, could you please post a stack trace.
  Thanks - Neil
  K Wong wrote:
  I am using (javax.naming.directory.DirContext.modifyAttributes) to
  change
  password to our development Weblogic 7.0 embedded LDAP.
  I login as the system administrator (a user in the administratorsgroup),
  but always gets the javax.naming.NoPermissionException - InsufficientAccess
  Rights.
  What user should I use? Any help will be appreciated.

  Hai,
  This condition based execution requires - javascript coding.
  In miscelleaneous tools bar, you have an option of SCRIPT_ITEM writer tool, drag the tool into your WAD layout, and select the properties , choose the editor option and paste your coding. that's it.
  Alternate option :
  in your web application design layout , you will fine XHTML coding editor , there you need to write coding and execute the same.
  Hope this will help to you.
  Assign Points if its really useful.
  Cheers !!!
  Bye
  Regards,
  Giri

• OIM 11.1.1.5: Post Process Event Handler, change password notification

  Hi,
  Products
  OIM 11.1.1.5 BP02
  OAM 11.1.1.5
  OID 11.1.1.5
  Problem
  I have written a post-process event handler which fires when a role is assigned to a user. The event handler calls a plugin which uses the UserManager API to generate and change the user's password.
  I've tested this by assigning a role to the user via the OIM web console. I can see my log messages indicating that the event handler has fired and that the password has been changed.
  However, I expected that when UserManager.changePassword completed, a notification email would then be sent to the user informing them of the new password, but no notification email has been sent.
  The email notifications have been set up correctly, because I have changed the same user's password via the OIM web console and successfully received a Reset Password email.
  So, my questions are:
  1) Am I right in thinking that when you call UserManager.changePassword(), an out-of-the-box ResetPassword email notification should be sent to the user?
  2) Has anyone got this working in 11.1.1.5?
  Some more detailed info
  In my plugin class I'm calling the following from both execute methods (EventResult and BulkEventResult):
  char newpasswd[] = new RandomPasswordGeneratorImpl().generatePassword(user);
  getUserManager().changePassword(userKey, newpasswd, false, null, true);
  logger.info(("Successfully changed password"));
  plugin.xml
       <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
       <plugin
       pluginclass="oracle.iam.PostInsertPlugin"
       version="1.0"
       name="PostInsertPlugin">
       </plugin>
       </plugins>
       </oimplugins>
  $OIM_HOME/server/bin/weblogic.properties
            wls_servername = oim_server1
            app = OIMMetadata
            metadata_from_loc=/home/oracle/eventhandlers
            metadata_file=/metadata/roleuser/custom/EventHandlers.xml
  /home/oracle/eventhandlers/import/metadata/roleuser/custom/EventHandlers.xml
  <?xml version='1.0' encoding='utf-8'?>
  <eventhandlers
  xmlns="http://www.oracle.com/schema/oim/platform/kernel"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
  <action-handler
  class="oracle.iam.PostInsertPlugin"
  entity-type="RoleUser"
  operation="CREATE"
  name="PostInsertPlugin"
  stage="postprocess"
  order="1002"
  sync="TRUE"/>
  </eventhandlers>
  There are no errors in the OIM out and diagnostic logs apart from the following which occur at OIM startup:
  [2013-01-07T16:29:23.425+00:00] [oim_server1] [ERROR] [IAM-0080075] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 2e903d7ef060ab65:66b2de91:13c15d6d9ce:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] XML schema validation failed for XML /metadata/iam-features-OIMMigration/EventHandlers.xml and it will not be loaded by kernel.
  [2013-01-07T16:29:24.267+00:00] [oim_server1] [ERROR] [IAM-0080075] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 2e903d7ef060ab65:66b2de91:13c15d6d9ce:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] XML schema validation failed for XML /metadata/iam-features-callbacks/event_configuration/EventHandlers.xml and it will not be loaded by kernel.
  Thanks
  dty
  Edited by: oim_user on Jan 7, 2013 5:37 PM

  No notification will be sent if you changepassword using the method from usermanager api.
  You have to trigger the resetpassword event manullay in your code.
  Here is a sample code to create an event for reset password. Once you create event, invoke it from notification service - notify method.
  NotificationEvent event = new NotificationEvent();
  String[] receiverUserIds= {userLogin};
  event.setUserIds(receiverUserIds);
  event.setTemplateName("ResetPasswordNotification");
  event.setSender(null);
  HashMap<String, Object> resolvedData = new HashMap<String, Object>();
  resolvedData.put("userLoginId", userLogin);
  event.setParams(resolvedData);

• Changing password of Sysman and DBSNMP users in Oracle 10g (10.2.0.3.0)

  Hi,
  When i changed my sysman and dbsnmp password, these users are frequently locking.
  For sysman password change i do the following steps.
  1) emctl stop dbconsole
  2) change password of sysman and dbsnmp from sql
  3) Post sysman password change to emoms.properties file
  4) Post DBSNMP password change in targets.xml
  5) emctl start dbconsole.
  DBSNMO AND SYSMAN users were locked.
  Stop dbconsole again
  Unlock the user sysman and dbsnmp
  then again restart dbconsole
  Sysman user locked
  Another thing do we need to have same password for dbsnmp and sysman
  Regards,
  irfanb146

  Now Sysman and DBSNMP users are unlocked after i made the password of sysman change again and they are not locking.
  Following is the message in the browser
  Enterprise Manager is not able to connect to the database instance. The state of the components are listed below.
  Browser is showing All the components are up like instance, Agent and Listener with green arrows upward
  Message was edited by:
  user605066

• Users changing passwords within LDAP authentication

  Hello all,
  I've noticed that if a user uses the 'Membership' authentication to access the portal, they are allowed to change their passwords within the 'user channel' edit section.
  If a user logs in throught the LDAP authentication, this password utility disapears.
  1 - Is there a way to use this password utility when using LADP authentication? Is it just a setting somewhere??
  2 - What are you using to change password if you are using LDAp authentication? i.e. did you create your own password tool??
  Thanks in advance,
  Jason

  Here's how I did it on 6.0:
  I created a bookmark with these properties:
  Bookmark Name: Change Personal Settings
  URL: /amconsole
  When the user clicks on the bookmark, they have to scroll all the way down to the bottom of the window to find the change password option. After changing the password, the user should close the amconsole window WITHOUT clicking on the logout button. Just kill the window.
  If they click "logout" it will log them out of the Portal Server while leaving the desktop window open. It will look like they are still logged in but they are not. They will have to re-login.

• RSOP: Interactive logon: Prompt user to change password before expiration

  Hi,
  I am trying to implement a GPO so that users are prompted to change their password 5 days before it expires. I have done this via -
  Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Enabled
  Interactive Logon: Prompt user to change password before expiration
  Despite doing the above the GPO does not seem to be taking effect. I have run RSOP on my machine and a few users machines and can see that there is a red circle with an X next to
  Interactive Logon: Prompt user to change password before expiration.
  Below is my winlogon.log file but I am not really sure what I am supposed to be looking for. Can anyone help?
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkSite GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
  No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.
  Process GP template gpt00000.inf.
  This is not the last GPO.
  08 March 2015 23:06:35
  Copy undo values to the merged policy.
  ----Un-initialize configuration engine...
  Process GP template gpt00001.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00002.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00003.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00004.inf.
  08 March 2015 23:06:36
  ----Configuration engine was initialized successfully.----
  ----Reading Configuration Template info...
  ----Configure User Rights...
  Configure S-1-5-32-544.
  Configure S-1-5-21-778002760-1239436532-1307212239-1002.
  Configure S-1-5-21-778002760-1239436532-1307212239-1016.
  Configure S-1-5-21-778002760-1239436532-1307212239-4078.
  Configure S-1-5-21-778002760-1239436532-1307212239-512.
  Configure S-1-5-21-778002760-1239436532-1307212239-500.
  Configure S-1-5-21-778002760-1239436532-1307212239-513.
  User Rights configuration was completed successfully.
  ----Configure Group Membership...
  Configure **************\Local Admins for Users.
  old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  object already member of Administrators.
  object already member of Remote Desktop Users.
  new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  Group Membership configuration was completed successfully.
  ----Configure Security Policy...
  Configure password information.
  Configure account force logoff information.
  System Access configuration was completed successfully.
  Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.
  Configuration of Registry Values was completed successfully.
  Audit/Log configuration was completed successfully.
  ----Configure available attachment engines...
  Configuration of attachment engines was completed successfully.
  ----Un-initialize configuration engine...
  this is the last GPO.
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkSite GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
  No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.
  Process GP template gpt00000.inf.
  This is not the last GPO.
  09 March 2015 16:26:51
  Copy undo values to the merged policy.
  ----Un-initialize configuration engine...
  Process GP template gpt00001.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00002.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00003.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00004.inf.
  09 March 2015 16:26:51
  ----Configuration engine was initialized successfully.----
  ----Reading Configuration Template info...
  ----Configure User Rights...
  Configure S-1-5-32-544.
  Configure S-1-5-21-778002760-1239436532-1307212239-1002.
  Configure S-1-5-21-778002760-1239436532-1307212239-1016.
  Configure S-1-5-21-778002760-1239436532-1307212239-4078.
  Configure S-1-5-21-778002760-1239436532-1307212239-512.
  Configure S-1-5-21-778002760-1239436532-1307212239-500.
  Configure S-1-5-21-778002760-1239436532-1307212239-513.
  User Rights configuration was completed successfully.
  ----Configure Group Membership...
  Configure **************\Local Admins for Users.
  old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  object already member of Administrators.
  object already member of Remote Desktop Users.
  new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  Group Membership configuration was completed successfully.
  ----Configure Security Policy...
  Configure password information.
  Configure account force logoff information.
  System Access configuration was completed successfully.
  Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.
  Configuration of Registry Values was completed successfully.
  Audit/Log configuration was completed successfully.
  ----Configure available attachment engines...
  Configuration of attachment engines was completed successfully.
  ----Un-initialize configuration engine...
  this is the last GPO.
  Jeet S

  ******UPDATE******
  I think I have managed to get this working. I changed the source of the policy to a different GPO. I then did the following -
  From a command prompt run gpupdate (without the force parameter)
  Ran rsop.msc and checked the policy and this time there was no red circle with an X
  Have done the same on a few users machines and it appears to apply successfully. I say this because when you go into the properties for the policy you see the following -
  The policy XYZ was correctly applied
  Just have to wait and see if it actually does what it says on the can.
  Jeet S

• Login as Root password problem (the changed password isn't working!)

  I have enabled root user. I've changed my password for root user a couple of time and I am still not cable to login as root!! (username: root).
  Any thoughts and help? thanks a lot! Alon.

  Hello Stephen,
  Change of password is not done via configtool. Configtool secure store just stores the current password which is taken by SDM during the deployment.
  To change the password of the administrator user, you will need to enable SAP*. Please follow note Note 669848.
  1. open the configtool: C:\usr\sap\<InstenceID>\JC<xx>\j2ee\configtool --> configtool.bat
  ex: C:\usr\sap\J9E\JC09\j2ee\configtool ---> configtool
  2. Activate the "super admin" and enter password(this is your choice) in configtool properties:
  In Config tool: cluster-data>Global Server configuration>services--> com.sap.security.core.ume.service
  find below ume properties and change values as i mentioned
  ume.superadmin.activated=TRUE
  ume.superadmin.password= < enter password>
  3. Save the changes in configtool. click on Save button.
  4. Stop the j2ee engine.
  5. Start the j2ee engine.
  6. Now you login to UME with username "SAP*" and password "what you entered in configtool"
  7. After logging into UME Search for user "administrator" then unlock this user; or if you want to change password you can change it.
  8. Goto config tool follow step 1:
  9. Follow step2: and change ume property values as below:
  ume.superadmin.activated=FALSE
  ume.superadmin.password= (note: seta as default or blank)
  10. Save the change setting in configtool.
  11. Restart the j2ee engine ( Stop and Start).
  12. Now login to user as "Administrator"; you will succussfully loging into ume;
  Hope this helps.
  Regards,
  Snehal

• Server fail to start aft changing password of SID ADM and SAPSERVICE SID

  Please help, i change password of above 2 users on windows, then server fail to start.
  Even after I change back to original password, the system still didn't start.
  Please help as this is urgent.

  Hi,
  sap service is not start in windows due to password change.
  click on start -> run -> services.msc
  navigate to service SAPSID_<instance_nr>
  right click on that -> properties -> logon
  provide the correct user password here.
  proceed same for SAPOsCol service
  regards,
  kaushal

• Be careful of "Prompt user to change password before expiration" policy -- it's counting the days wrong!!

  After several tests, I'm pretty sure that the policy "Interactive logon: Prompt user to change password before expiration" is counting the wrong days. (Note: this policy is in Windows Settings > Security Settings > Local Policies > Security
  Options)  So I think I should post this in the forum in the hope that it could be helpful to others in the same case as me, esp if the policy is pushed out as a domain-wide policy.
  First, the context of the test, ie domain-wide policy settings:
  1. Password minimum age = 2 days
  2. Password maximum age = 4 days
  3. Prompt user to change password before expiration = 2 days
  If everything is going fine, users will be asked to change password when it is changeable (ie it has reached the minimum age).  However, it turns out that users are prompted BEFORE they can change password.  Look at the image below that I got in
  Win7:
  (In WinXP, we have similar prompt when user has just logged in)
  Look at the clock: it's 13:16 (04/12/2013).  Then look at the DOS window in which I ran the "net user /domain" command and read the line "Password expires": it's shown
  06/12/2013 18:09:04.
  A little math would tell me that if users are prompted to change password *2 days* before expiration, the dialog will appear
  ONLY AFTER 04/12/2013 18:09:04.  But since the prompt is shown at 13:16 (ie well before 18:09), that mean the "prompt user...." policy makes mistakes in calculating the moment to show the prompt.
  In other words, if we have the policy set like this:
       Prompt user to change password before expiration =
  N days
  The prompt will actually appear from N+1 days before expiration.
  I would consider this as a bug, but I also suppose it's hard to make Microsoft fix it.  So that's why I make this post to warn others.  In my case, I have received several calls from users complaining that they were prompted to change password
  but their new passwords were always refused and they had no idea what went wrong.  And it took me a lot of effort to sort out what really went wrong.  And in order to work around this stupid bug, I have to change the "Prompt user...." policy
  to N-1 days (before expiration) instead of N days previously.
  Hope this help

  Hi,
  Based on my research, you are right that the prompt policy is implemented by date, which is by design.
  “Set
  Interactive logon: Prompt user to change password before expiration to 5 days. When their password expiration
  date is 5 or fewer days away, users will see a dialog box each time they log on to the domain”, I quoted this sentence from the article below:
  Interactive logon: Prompt user to change password before expiration
  http://technet.microsoft.com/en-us/library/jj852243.aspx
  The problem is consistency!  For Minimum/Maximum password age properties, they are also defined for
  days as well.  But for them, days are exact days, ie a
  multiple of exactly 24 hours.  There is an "Explain" tab for every parameter, but even if you read them through, you can't tell if day means strict multiple of 24 hours or loose definition of days.  I'll leave the exercise to you to read
  them if you like and spare me the article from your KB library.
  As for the password minimum age part, what I mean is that is why users can’t not change their password within 2 days when the prompt appears before the changeable time.
  Anyway, I agree with you that we need to be careful when we configure the password policy because the Prompt policy is not doing calculation by hours.
  Miss, the 2 days is just a TEST EXAMPLE.  Let's say it's
  N days if you was unable to understand.  I wouldn't change N days to N-1 days because of this stupid GUI bug.  As I said earlier and let me repeat it once more,
  Minimum password age = N days is a security policy and it is more important than the user prompt and no security officer with sane mind will change this.

• Cannot change password expired password

  Hi there,
  I am not able to change expired password on Windows server 2012. I am getting the error message that "You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support"
  I had similar issue in Windows 2008 servers and was resolved when I changed the the RDP security layer to negociate. But I couldn't find Session host configuration snap-in since RDS is not enabled.
  Any one faced same issue?
  Thanks,
  Ranjith

  Hi Ranjith,
  How are things going?
  You could try to change the Security Layer to
  RDP Security Layer in the Security section of
  Session Collection properties.
  In addition, if you are using remote desktop over RD Gateway, there is no support for being able to use the “User must change password at next logon”.
  Please refer to these two threads which is similar with your issues.
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/320ef31a-1160-4c33-9912-79a3838fc24d/forcefuly-user-should-change-his-password-when-loggin-for-the-first-time?forum=winserverTS
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/8761e29a-72a0-4f9c-b31b-ff81633020dd/user-must-change-password-setting-using-rdp-to-server-2012?forum=winserverTS
  Hope this helps.
  Best Regards,
  Tina

• EP7 Change Password iView without reverting to NW04 UME UI

  Hi,
  We've just upgraded from EP6 to EP7. Is there any way to activate the old "User Password" iview without having to disable the Web Dynpro UIs (as per SAP note 869852)? We don't want users to change or view their profile, we just want to let them change their password. But we don't want to lose the WD UI for administrators either!
  Failing that, is it possible to switch off the other tabs on the User Profile?
  I've tried removing the Manage_My_Profile UME action from eu_role and replacing it with just Manage_My_Password, but all the rest of the User Profile is still visible - plus now it gives the misleading warning "You are not authorized to edit your user mapping data" even though they can edit the user mapping with the User Mapping iview...
  And how come the User Mapping iview from EP6 still works, but not Change password??
  Many thanks & regards
  Jane

  Neil Malik wrote:>
  <snip>
  Failing that, is it possible to switch off the other tabs on the User Profile?
  </snip>
  I had a similar problem with the User Profile screen.  We want to let the user have the "User Mapping" tab, but definitely not the ability to edit their own groups or roles. 
  I have a custom "Every User" role, to which I delta-linked the standard "Portal Personalization" workset.  Then I opened the Every User role and clicked Properties.  By default, the properties of Manage_All through Manage_Users were all set to No.  I set Manage_My_Profile to Yes.  This resulted in just 4 tabs displaying when a user clicks Personalize: General Information, Contact Information, Additional Information, and User Mapping for System Access.  And when a user clicks the Modify button, any fields that we are pulling from Active Directory via LDAP are greyed out.  This sounds similar to what you tried already, but wanted to let you know that you can indeed turn tabs on and off.
  Hope this helps!
  Karen Ehrich

• "user must change password at next logon" flag for multiple users

  2008 R2 domain with a couple of 2012 R2 DCs.
  john.user is in the Users OU. if I right-click john.user, choose properties, go to the account tab, and check "user must change password at next logon," the next time john.user tries to log in, he gets prompted to change his password. also the
  powershell command
  get-aduser -filter * -Properties * | ? name -like "*john.user*" | select name,pwdlastset
  shows that john.user's pwdlastset is 0. all of this is as expected.
  but if I  highlight every account in the Users OU, right-click, properties, Account, "user must change password at next logon," it appears that nothing whatsoever happens. john.user doesn't get prompted to change his password at his next
  logon, and his pwdlastset is something like 130622757432306111.
  is this the expected behavior? why are the Account tab and/or the "change password at next logon" box available to me when selecting multiple users if they aren't meant to work?

  ah. thank you sir. *two* checkboxes. *two.* of course.
  I had enough OUs under my Users OU that I just used powershell to catch them all at once:
  $enabledusers = get-aduser -filter * -SearchBase "ou=users,dc=domain,dc=local" -Properties distinguishedname,pwdlastset |
      where {$_.enabled -eq "true" -and $_.distinguishedname -notlike "*ou=service accounts*"}
  foreach($enableduser in $enabledusers) {
      $enableduser.pwdlastset = 0
      Set-ADUser -instance $enableduser

• Unable to login when change password option is enabled

  Hi,
    I have configured remote vpn on my Cisco ASA and users connecting to this will use Cisco VPN dialer and gets authenticated with the Windows 2008 domain controller credentials. Now the problem I face is, when i set the option for user-A as "user must change the password during next login" it doesn't accept , it accepts only when I uncheck only then the user-A will be able to login.
  Any ideas what option or configuration do I to do so that it can popoup for changing the password?
  FYI I use windows 7 profession edition with Cisco VPN dialer client ver. 5.0.04.0300. I am unable to find "windows logon properties" under the "options" menu.

  Hi,
    I managed to get the password change option pop-up when "Change password during next login" set for for the user-A in windows 2008 Active Directory. But now the issue is, I enter the old password, it accepts & then its pops up to enter me the new password twice, when I enter the new password with some special charecters it stills pops me up to enter the new password with special charecters. After 2-3 attempts it disconnects. It will allow me to connect only when I un-check the "change password during next login"
  Any ideas?

• Number of days before user must change password.

  Hi,
  I understand how does this Essbase server setting work:
  Essbase Server Properties - Security Tab
  "Number of days before user must change password"
  But my question is:
  Does anyone know how "to mark" certain group of Users (mainly system admin accounts) - that this setting will not force periodical passoword change for "marked" users ?
  Any ideas ?
  Br, ripasso

  There are a couple of things you could do to circumnavigate this all or nothing option.
  You could write a maxl statement that would update the user profile to force the user to change their password e.g.
  alter user Fiona set password_reset_days immediate;
  I would write a program using the API that lists all users in the group and then dynamically create the maxl script that uses the statement above.
  If you can not use the API then I guess you could do a maxl only solution (using display user command) and do some text file manipulation in perl (or another scripting language).
  There are probably more solutions/ideas out there.

• Change password via 3-Tier Desktop Intelligence

  Hi everyone,
  It would be highly appreciated if you could tell me how to change password via 3-Tier Desktop Intelligence.
  Version: XI3.0, XI3.1
  Thanks a lot!
  Lisa

  No problem.
  And for a work around you can have users
  login directly to the CMS (2-tier)
  change password
  then close deski
  as long as they know the difference they can then login to deski 3-tier with their new password.
  Another option would be to
  lookup the user account in CMC
  in user properties check the box "must change password at next login"
  Then even 3-tier users will be prompted to change their password the next time they login
  Regards,
  Tim