<event>
Contains information about changes to a password.
Schema Hierarchy
Syntax
<event>
  <change-type>
  </change-type>
  <time>
  </time>
  <performed-by>
  </performed-by>
  <error-code>
  </error-code>
</event>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
None
Child Elements
Element | Min Occurs | Max Occurs | Description |
---|---|---|---|
<change-type> | 1 | 1 | Contains SET if a new password was set. Contains CHANGE if an existing password was changed to a new password. |
<time> | 1 | 1 | Contains the time the password was set or changed. |
<performed-by> | 1 | 1 | Contains the user ID of the user who performed this password change or set. |
<error-code> | 1 | 1 | Contains an error code. For more information, see the Remarks section. |
Parent Elements
Element | Description |
---|---|
Contains information about one or more password change events. |
Remarks
The error-code can be any of the following values.
Value | Description |
---|---|
access-denied | The account that is calling this method is not a member of the MIISPasswordChange group. Only members of this group can change the password. |
bad-password | The specified OldPassword parameter does not match the password for the account. Verify that you are using the correct password for this parameter. |
ma-access-denied | The account with the management agent does not have the right to set the password. Verify that the account to run the management agent is a member of the MIISPasswordChange group. |
ma-credentials-failure | The management agent was unable to log on to the connected directory using the stored credentials. Verify that the management agent credentials are correct. For more information about configuring Active Directory management agent credentials, see "Connect to an Active Directory Forest" in the Microsoft Forefront Identity Manager 2010 (FIM) Help. For more information about configuring the credentials for the management agent for Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) and Netscape Directory Server 6.1, see "Specify logon information" in the FIM Help. |
ma-encryption-not-enabled | The management agent did not set the password because 128-bit encryption has not been configured on the connection that is used by the management agent to communicate with the connected directory. Enable this encryption on your network. |
ma-feature-not-supported | The management agent does not support password changes. |
ma-object-type-not-supported | The management agent does not support password changes on this object type. |
new-password-violate-policy | The specified new password does not comply with the password policy that was set by the administrator. Verify that the new password complies with the password policy that was set by the administrator. |
new-password-ill-formed | The specified new password cannot be used as a password because the parameter contains characters that cannot be entered from a keyboard. Verify that the new password parameter contains only characters that can be entered from a keyboard. |
object-newly-provisioned | The object has been provisioned as a new object, but the object has not been created in the connected directory. You cannot perform password operations until the object has been exported to the connected directory. |
object-not-found | The object has been deleted from the server. |
password-sync-disabled | The password synchronization setting for the specified management agent is not enabled. Enable password synchronization for the specified management agent. |
partition-not-configured | The specified object is in a partition that has not yet been configured. Configure the partition using Synchronization Service Manager. For more information about configuring an Active Directory Domain Services (AD DS) partition, see "Configure directory partitions" in the FIM Help. |
server-down | The FIM Synchronization Service server could not connect to the server that contains the partition for the object. Verify that the server that contains the partition is running and is connected to the network. |
time-difference-at-dc | The new password cannot be set because the time that is indicated on the Microsoft Identity Integration server is more than five minutes from the time that is indicated on the AD DS server. By default, the time difference between servers must be less than or equal to five minutes. Synchronize the times between the servers. |
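Example (added here, not part of the original reference and not FIM code): the following Python reads `<event>` elements, enforces the minimum and maximum occurrence of 1 for each child element, and groups the error codes from the Remarks table for audit review. The wrapper element name, user IDs, and time strings in the sample are constructed placeholders, and the triage grouping is this example's own assumption.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("change-type", "time", "performed-by", "error-code")
CHANGE_TYPES = {"SET", "CHANGE"}
# Codes come from the Remarks table; the grouping is this example's own choice.
TRIAGE = {
    "access-denied": "authorization", "ma-access-denied": "authorization",
    "bad-password": "credential", "ma-credentials-failure": "credential",
    "ma-encryption-not-enabled": "transport",
    "new-password-violate-policy": "policy", "new-password-ill-formed": "policy",
}

def parse_event(event):
    """Return the four child values of one <event>; each must occur exactly once."""
    record = {}
    for name in REQUIRED:
        found = event.findall(name)
        if len(found) != 1:
            raise ValueError(f"<{name}> occurs {len(found)} times, expected 1")
        record[name] = (found[0].text or "").strip()
    if record["change-type"] not in CHANGE_TYPES:
        raise ValueError(f"unexpected change-type {record['change-type']!r}")
    # Operational codes (server-down, ...) and unlisted values fall under "other".
    record["triage"] = TRIAGE.get(record["error-code"], "other")
    return record

def review(xml_text):
    """Split every <event> in the input into parsed records and schema violations."""
    records, violations = [], []
    for event in ET.fromstring(xml_text).iter("event"):
        try:
            records.append(parse_event(event))
        except ValueError as exc:
            violations.append(str(exc))
    return records, violations

# Constructed sample: wrapper name, user IDs and time strings are placeholders.
SAMPLE = """<sample-wrapper>
  <event><change-type>CHANGE</change-type><time>T1</time>
    <performed-by>user-a</performed-by><error-code>bad-password</error-code></event>
  <event><change-type>SET</change-type><time>T2</time>
    <performed-by>user-b</performed-by><error-code>access-denied</error-code></event>
  <event><change-type>SET</change-type><time>T3</time>
    <performed-by>user-c</performed-by></event>
</sample-wrapper>"""

if __name__ == "__main__":
    print(review(SAMPLE))
```

Records in the authorization and credential groups identify, through `<performed-by>`, which user ID attempted the operation, which makes them the entries to correlate first when reviewing password change history.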