0

I'm using Java ldaptive library to communicate with Active Directory via LDAP protocol. My problem is as follows: I need to have password reset feature, honoring password history and complexity requirements, but ignoring minimum password age rule. I perform password reset using admin account:

modifyRequest = new ModifyRequest(userLdapEntry.getDn(),
                new AttributeModification(
                        AttributeModificationType.REPLACE,
                        new UnicodePwdAttribute(password)));
        modifyRequest.setControls(new LdapPolicyHintsControl(getADPolicyHintsEnforceFlag(), false));

        new ModifyOperation(connection).execute(modifyRequest);

The control added is documented on Microsoft website as control enforcing password history requirements link

However, as suggested in this answer, it enforces also minimum password age rule, which is against the documentation.

Any idea how to make it work as described in documentation?

Konrad Gancarz
  • 3
  • 2

1 Answers1

1

The documentation is wrong. You are not going to be able to make it work like that. The Minimum Password Age rule will be honored and you cannot override it through code.

Note that in Active Directory, unlike a typical LDAP server, it does not enforce password policy like you think it would. Password policy is managed by Group Policy and enforced in Windows, specifically by the Windows LSASS.exe process.

Since you configure Password policy via Group Policy. Those settings are written directly to the Security Hive on the Domain Controller. This is where LSASS reads them from. The only time those settings are overwritten is when you change the password directly from ADUC.

Other than AD tool, you would have to write a password filter .dll that runs within the LSASS process:

Custom Password Filters https://blogs.technet.microsoft.com/tristank/2005/07/18/custom-password-filters/

Password Filters https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx

This information was given to me by a Microsoft PSS Field Engineer when I brought this question up to him.

T-Heron
  • 5,385
  • 7
  • 26
  • 52