Author: Dinesh PV
This article explains how to disable the password policies set for Active Directory and eDirectory. After you have disabled the password polices, you can configure Novell SecureLogin to change Active Directory and eDirectory users’ passwords, simultaneously.
Table of Contents:
3. Disabling Active Directory Password Policy Settings
4. Disabling eDirectory Password Policy Settings
5. Changing Active Directory and eDirectory User Password
5.1Configuring Change Password Resource List to Select Both the Directories
With Novell SecureLogin 7.0 installed in LDAP GINA mode, you can change the passwords of eDirectory and Active Directory users at the same time.
To use this functionality, you must specify Active Directory and eDirectory passwords as per the password policy setting or disable the password policies for both the directories.
If you attempt to change the user password for both Active Directory and eDirectory when the password policies for both the directories are enabled, one of the following happens:
- Password policies of both the directories take effect, which makes the password policy either complex or invalid.
- Password change might fail for one of the directory because of a mismatch of the password policy.
The procedures explained in the document apply to:
- Novell SecureLogin 7.0 or later.
- Microsoft Windows 2003 server with Active Directory and eDirectory server 8.8 SP4.
- Novell SecureLogin must be installed in eDirectory LDAP GINA mode on workstation connected to Active Directory domain.
By default, Active Directory password policy is enabled.
- Click Start > Programs > Administrative Tools > Domain Security Policy.
- From the left pane, select Security Settings > Account Policies > Password Policy.
- Change the Password Policy settings with the following values:
Policy Value Enforce password history 0 Maximum password age 0 Minimum password age 0 Minimum password length 0 Password must meet complexity requirements Disabled Store password using reversible encryption Disabled
- After you have set the value for a policy, click OK.
- Exit the administrative tool.
- Restart the Group Policy by running the gpupdate /force command from the command prompt.
By default, eDirectory password policy is disabled. If it is enabled, do the following to disable it.
- Login to iManager as eDirectory administrator user.
- From Roles and Tasks select Password > Password Policies.
- Click the configured password policy, then the Policy Assignment tab.
- From the Assign to list, select and remove the user or container object to which the password policy is applied.
- Click Apply to save your changes.
- Click OK to exit.
- Login to Novell SecureLogin in LDAP GINA mode.
- Press Ctr+Alt+Delete, then select Change Password.
- From the Change Password Resource list, select both Active Directory and eDirectory domain.
- Specify the old password and new password.
- Click OK.
Both Active Directory and eDirectory user passwords are changed at the same time.
To configure the Change Password Resource list to always select both Active Directory and eDirectory domains, create a registry key and set the value.
- Click Start > Run, then type regedit.
- Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP.
- Create a DWORD registry key named DisableCADUserSelection.
- Set the value of the registry key to 1.
Disabling Active Directory and eDirectory password policies synchronizes the password of both the directories after every LDAP password change operation.