Changing a username in Active Directory - does this update People picker, User Info List etc?

Similar Messages

• Problem during the changing of  Password in Active Directory

  Hello All !
  I am facing a problem during the password modification
  in active directory, i got the same exception as other are getting i.e
  javax.naming.OperationNotSupportedException: [LDAP: error code  53 - 00002077: SvcErr: DSID-03190959, problem 5003 (WILL_NOT_PERFORM), data 0
                     Can any body help me how i will come to know that 128 bit
    Encryption is done successfully. Although i Installed the  MS High Encryption  Pack but it's registry is not done in Conrol Panel.
  is this a problem(as i think) ?
      I am giving the code please check it out->
                        import java.util.Hashtable;
  import javax.naming.*;
  import javax.naming.ldap.*;
  import javax.naming.directory.*;
  //import java.io.*;
  //import javax.net.ssl.*;
  //import java.security.*;
  import java.io.UnsupportedEncodingException;
  public class setpassword
       public static void main (String[] args)
            Hashtable env = new Hashtable();
            String adminPassword = "";
            String userName = "ou=MCA,ou=Trainee,dc=ControlsNet,dc=local";
            String newPassword = "yadav";
            String keystore = "D:\\j2sdk1.4.2_12\\jre\\lib\\security\\cacerts";
            System.setProperty("javax.net.ssl.trustStore",keystore);
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            env.put(Context.SECURITY_PROTOCOL,"ssl");
            String ldapURL = "ldap://gateway.ControlsNet.local:636/";
            env.put(Context.PROVIDER_URL,ldapURL);
            try {
                 LdapContext ctx = new InitialLdapContext(env,null);
            ModificationItem[] mods = new ModificationItem[1];
                 String newQuotedPassword = "\"" + newPassword + "\"";
                 byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                 ctx.modifyAttributes(userName, mods);
            System.out.println("Reset Password for: " + userName);     
                 ctx.close();
            catch (NamingException e) {
                 System.out.println("Problem resetting password: " + e);
            catch (UnsupportedEncodingException e) {
                 System.out.println("Problem encoding password: " + e);
  Please reply me immideiately as soon as you see this problem.
  I think some of u already solved this problem. thanks in advance.

  Believe it or not, looks similar to the problem in the post http://forum.java.sun.com/thread.jspa?threadID=580113&tstart=0
  More unbelievable is the huge security hole in your network !String adminPassword = "";
  env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
  env.put(Context.SECURITY_CREDENTIALS,adminPassword);An administrator with a blank password !
  The ldap standard (rfc 2251) defines an anonymous user as a user with a null passsword. By default, Active Directory does not allow anonymous users to perform searches against the directory, let alone reset a user's password.

• I am trying to activate new itunes card. I am getting error message: The code you have entered has not been properly activated. Does this mean the store did something wrong or me?

  I am trying to activate new itunes card. I am getting error message: The code you have entered has not been properly activated. Does this mean the store did something wrong or me?

  Yes, the store didn't properly activate the card. If the store is nearly then you could try going back and asking them to do so, if it isn't (or if they can't/won't help) then try contacting iTunes Support (you will probably need to give them images of the front and back of the card, and possibly its receipt) : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then iTunes Cards And Codes

• Active Directory as readonly UME except of user's password

  Hi there,
  we would like to configure the portal-datasource to connect to the active directory read-only. However, (LDAP) users must be able to change there passwords. How could the xml file look like.
  We checked out http://help.sap.com/saphelp_nw70/helpdata/de/46/07a02c920f4f0fe10000000a114a6b/frameset.htm, but this doesn't work. Here the portal tries to create ldap users and fails as no mandatory fields are writeable.
  Also we tried to dsitriubte the active directory in one writeable and one readable. However according to help.sap.com (http://help.sap.com/saphelp_nw70/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm) it is not possible to assign users from one source to groups of another.
  Does anybody know a solution or a hint?
  Thanks a lot and regards
  Stephan

  Hi Michael,
  thanks for your help. We finally solved the issue using the "homefor"-approach:
  <dataSources>
      <dataSource id="PRIVATE_DATASOURCE"
                  className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                  isReadonly="false"
                  isPrimary="true">
          <homeFor>
              <principals>
                      <principal type="group"/>
                    <principal type="account">
                            <nameSpace name="$serviceUser$">
                                <attribute name="SERVICEUSER_ATTRIBUTE">
                                     <values>
                                          <value>IS_SERVICEUSER</value>
                                     </values>
                                </attribute>
                            </nameSpace>
                      </principal>
                      <principal type="user">
                           <nameSpace name="$serviceUser$">
                                <attribute name="SERVICEUSER_ATTRIBUTE">
                                     <values>
                                          <value>IS_SERVICEUSER</value>
                                      </values>
                                </attribute>
                           </nameSpace>
                      </principal>
                  <principal type="team" />
                  <principal type="ROOT" />
                  <principal type="OOOO" />
              </principals>
          </homeFor>
          <notHomeFor/>
          <responsibleFor>
              <principals>
                   <principal type="group"/>
                   <principal type="user"/>
                   <principal type="account"/>
                  <principal type="team"/>
                  <principal type="ROOT" />
                  <principal type="OOOO" />
              </principals>
          </responsibleFor>
          <notResponsibleFor/>
          <attributeMapping />
          <privateSection/>
      </dataSource>
      <dataSource id="CORP_LDAP"
           className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
           isReadonly="false"
           isPrimary="true">
           <homeFor>
                <principal type="account"/>
                <principal type="user"/>
           </homeFor>
           <notHomeFor>
                <principal type="user">
                     <nameSpace name="$serviceUser$">
                          <attribute name="SERVICEUSER_ATTRIBUTE">
                               <values>
                                    <value>IS_SERVICEUSER</value>
                               </values>
                          </attribute>
                     </nameSpace>
                </principal>
                <principal type="account">
                     <nameSpace name="$serviceUser$">
                          <attribute name="SERVICEUSER_ATTRIBUTE">
                               <values>
                                    <value>IS_SERVICEUSER</value>
                               </values>
                          </attribute>
                     </nameSpace>
                 </principal>
            </notHomeFor>
           <responsibleFor>
  Thanks and regards
  Stephan

• HT6203 Did this update make a physical change? Branching from that question, will this update confuse lets say, a parent that isn't savvy?

  Did this update make a physical change? Branching from that question, will this update confuse lets say, a parent that isn't savvy?

  Did this update make a physical change?
  No
  will this update confuse lets say, a parent that isn't savvy?
  This will depend on whether they are savvy enough to open Macintosh HD > Applications > Utilities > AirPort Utility on their Mac , click on the picture of the AirPort, and then click the Update button.
  It that sounds too complicated, best to let someone else handle the update.

• I need to change my apple id, can I do this without losing all my info and purchases?

  I need to change my apple id, can I do this without losing all my info and purchases?

  You won't be able to update your purchases. You will have to re purhcase apps, music, etc. using the new Apple iD.
  FYI ...    Media cannot be transferred from one account to another and Apple ID accounts cannot be merged.

• HT6065 Does this update fix the Facetime HD iSight Camera issue?

  Does this update fix the Facetime HD iSight Camera issue?

  Looking at its release notes, it does not specify a fix for that problem. However, you should install this update, as this fixes other bugs and improve performance. Open  > Software Update, and OS X 10.9.1 will show up

• HT1222 Does this update address the latest security breech?

  Does this update address the latest security breech?

  When you click on the update, it provides you an explanation of what it does, but yes, it was released to address the security vulnerability.

• Photoshop elements does not open, says "gathering user info...."

  photoshop elements does not open, says "gathering user info...."

  Hi,
  Please try couple of probable solutions as mentioned below:
  Solution 1:
  1. Close Elements.
  2. Launch the Photoshop Elements Welcome Screen and hold down ctrl + alt + shift as you click Editor.
  3. Continue to hold the keys until you see a message box asking if you want to delete Photoshop Elements settings file; click Yes. Elements will open with default preferences.
  Solution 2: In case any network printer is attached try to launch without network or printer uninstall or make different printer as default.
  Solution 3: Try launching with anti-virus off or removing PSE from conflicting list.
  Solution 4:
  On the drive on which you have installed PSE,on my machine it is on C:
  Go  to C:\Program Files\Adobe\Photoshop Elements  9\Locales\<locale>\Plug-Ins\Import-Exportand you will find twain  plug-in. Remove that plug-in from that location and copy it somewhere  else.
  Now launch PSE and check if it works.
  Solution 5: Try with admin account or right click and select run as admin. or try directly from .exe
  For related post for Twain please see this:http://forums.adobe.com/message/2954743#2954743
  Thanks,
  Garry

• HT1692 why does my ipad not pick up distribution lists from my contacts list?

  why does my ipad not pick up distribution lists from my contacts list?

  What is selected under the Music tab for your iPhone sync preferences with iTunes?

• "Domain Users" group in Active Directory does not belong to any Group Membership in LC

  Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
  Any way to correct this issue, without changing group membership on AD side?
  If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
  Thanks.

  If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
  Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

• Changing to a new Active Directory

  We are synchronising Shared Services to Microsoft Active Directory to create our main user directory. We add the AD accounts to native groups, which are provisioned with Essbase and Planning roles. We apply security filters for our Planning cubes directly to the AD accounts.
  We will soon be switching to a new hosting provider and they will maintain the Active Directory. We are expecting them to create a brand new AD, but with the same usernames as the old one.
  The question is, if we point Shared Services to a brand new AD that has all the same usernames, will the user/group links and the security filters be retained?
  Does the username act as the identifier, or is there another hidden identifier that might be different in a new AD account and therefore mean Shared services does not recognise it?
  Does anybody have any experiences to share from going through a similar process?

  Hi,
  perform homogeneous system copy if you migrate from one server to other.
  find document at service.sap.com/systemcopy
  if you just add you local system to domain then look following
  Domain name change for an existing SAP System
  regards,
  kaushal

• How to handle SQL connection if password Active directory always change? (Connection using Active directory via network SQL 2012 )

  I have 3 server (Web server, database sql 2012 server and Active directory). I'm using sqlsvr version 3.0,  PHP version 5.3 ,IIS version 7 and windows server 2008.
  Right now my php connection to SQL 2012 using AD id, so How to handle if password on active directory change?

  Solved : Using Kaberos

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• Active Directory, single sign-on and  SRM Users

  We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
  - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
  - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
  My questions are:
  1. If active directory is being used do we need to create actual users within the SRM system?
  2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
  Many Thanks

  Hi Claire,
  The Single Sign On work only if user exist on every systemes.
  For example :
  If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
  For Active Directory you can synchronize your user table to AD by using LDAP option.
  The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
  Finally use the SSO certificate between Portal ECC and SRM.
  Regards,
  Gilles SEBBAG
  Sap Technical Consultant.