Getting WILL_NOT_PERFORM error when trying to enable user via LDAP

Question

I'm trying to create a new Active Directory user via ldap, but the user is disabled on creation. I am trying to set the userAccountControl attribute to 512, but I am getting an error WILL_NOT_PERFORM. I've read this is because the password isn't being set, but I can't tell why. Creating the user with the userPassword attribute set is working fine.

Here is the code:

    // Create a container set of attributes
    Attributes container = new BasicAttributes();

    // Assign the properties we need to set on the user
    container.put(new BasicAttribute("objectClass", "user"));
    container.put(new BasicAttribute("cn", userName));
    container.put(new BasicAttribute("sAMAccountName", userName));
    container.put(new BasicAttribute("name", userName));
    container.put(new BasicAttribute("givenName", userName));
    container.put(new BasicAttribute("userPassword", password));

    String fullDomainName = getFullUserName(userName);
    // Create the entry
    try{
        context.createSubcontext(fullDomainName, container);
    }catch(Exception e){
        System.err.println("Error creating user: " );
        e.printStackTrace();
        throw e;
    }

    ModificationItem[] userMods = new ModificationItem[1];
    userMods[0] = new ModificationItem(InitialLdapContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", "512"));
    try{
        context.modifyAttributes(fullDomainName, userMods);
    }catch(Exception e){
        System.err.println("Could not update userAccountControl flag");
        e.printStackTrace();
        throw e;
    }

The first part where I create the user works, the 2nd part where I try to set the userAccountControl flag fails. Any help would be greatly appreciated. Thanks!

score 3 · Accepted Answer · edited May 23 '17 at 10:34

I found the problem...I had to use the unicodePwd attribute and make sure it was properly encoded:

    final byte[] quotedPasswordBytes = ('"'+password+'"').getBytes("UTF-16LE");
    container.put(new BasicAttribute("unicodePwd", quotedPasswordBytes));

I found the answers here:

How do I resolve "WILL_NOT_PERFORM" MS AD reply when trying to change password in scala w/ the unboundid LDAP SDK?

http://www.dirmgr.com/blog/2010/8/26/ldap-password-changes-in-active-directory.html

score 0 · Answer 2 · answered Feb 15 '12 at 20:17

0

Are you connecting to LDAP as a user who has permissions to do this? Or are you connecting to LDAP as either this user, or another user with limited permissions? Perhaps you have the rights to create a new user but not to execute this kind of modify operation? Just a thought, its something I've run into before and beat my head against the wall before realizing my mistake. Good luck

answered Feb 15 '12 at 20:17

snappymcsnap

2,050
2
29
53

I'm connecting as the administrator. I don't know if he has permissions to execute the modify operation...how can I check? – Osman Feb 15 '12 at 20:23
@Osman If you are connecting as the admin then that is not your problem. Sorry I cannot help more, we don't use AD for our LDAP server so I'm not as familiar with it – snappymcsnap Feb 15 '12 at 20:55

Getting WILL_NOT_PERFORM error when trying to enable user via LDAP

2 Answers2

Linked