SetPassword Method
Sets the password on a connector space object to a new password. This method requires that you enable password synchronization for the management agent. To use this method, you must be logged on as a member of the MIISPasswordSet security group.
```mof
string SetPassword(
  [in] string NewPassword,
  [in] bool ForceChangeAtLogon,
  [in] bool UnlockAccount,
  [in] bool EnforcePasswordPolicy
);
```
Parameters
Name | Direction | Data Type | Description |
---|---|---|---|
NewPassword | [in] | string | Contains the new password. |
ForceChangeAtLogon | [in] | bool | True to force a user password change at the next logon. The default is False. Note: This flag works only with the management agent for Active Directory Domain Services (AD DS) and the management agent for the Active Directory global address list (GAL). For other management agents, the operation-not-supported exception is thrown. |
UnlockAccount | [in] | bool | True to unlock an account in the connected directory (CD). The default is False. Note: This flag works only with the management agent for AD DS and the management agent for the Active Directory GAL. For other management agents, the operation-not-supported exception is thrown. |
EnforcePasswordPolicy | [in] | bool | True to validate the password using the password policy before setting it for the user. The default is False. This parameter is optional. |
Return Value
string
Returns a string that contains the results of the method. The return value can be one of the following values.
Name | Description |
---|---|
success | The call was successful and the password was changed to the NewPassword parameter. |
access-denied | The account that is calling this method is not a member of the appropriate group that can change passwords in the connected data source. Verify that the account that is running this method can change passwords in the connected data source. |
ma-access-denied | The account with the management agent does not have the right to set the password. Verify that the account that is running the management agent can change passwords in the connected data source. |
ma-concurrent-execution | The management agent cannot set the password because either another management agent of the same type is currently executing or a Set Password call is being made on a management agent of the same type. In Forefront Identity Manager Synchronization Service 2010, this error is returned by Lotus Notes management agents. |
ma-credentials-failure | The management agent was unable to log on to the connected directory using the stored credentials. Verify that the management agent credentials are correct. For more information about configuring Active Directory Domain Services management agent credentials, see "Connect to an Active Directory Forest" in the Forefront Identity Manager Synchronization Service 2010 Help. For more information about configuring the credentials for the management agent for Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) and Netscape Directory Server 6.1, see "Specify logon information" in the Forefront Identity Manager Synchronization Service 2010 Help. |
ma-encryption-not-enabled | The management agent did not set the password because 128-bit encryption is not configured on the connection that is used by the management agent to communicate with the connected directory. Enable this encryption on your network. |
ma-feature-not-supported | The management agent does not support password changes. |
ma-object-type-not-supported | The management agent does not support password changes on this object type. |
new-password-ill-formed | The specified NewPassword parameter cannot be used as a password because the parameter contains characters that cannot be entered from a keyboard. Verify that the NewPassword parameter contains only characters that can be entered from a keyboard. |
new-password-violate-policy | The specified NewPassword parameter does not comply with the password policy that was set by the administrator. Verify that the NewPassword parameter complies with the password policy that was set by the administrator. |
object-newly-provisioned | The object was provisioned as a new object, but the object was not created in the connected directory. You cannot perform password operations until the object is exported to the connected directory. |
object-not-found | The object was deleted from the server. |
password-sync-disabled | The password synchronization setting for the specified management agent is not enabled. Enable password synchronization for the specified management agent. |
partition-not-configured | The specified object is in a partition that is not configured. Configure the partition using Synchronization Service Manager. For more information about configuring an AD DS partition, see "Configure directory partitions" in the Forefront Identity Manager Synchronization Service 2010 Help. |
server-down | The FIM Synchronization Service server could not connect to the server that contains the partition for the object. Verify that the server that contains the partition is running and is connected to the network. |
time-difference-at-dc | The new password cannot be set because the time that is indicated on the FIM Synchronization Service server is more than five minutes from the time that is indicated on the AD DS server. By default, the time difference between servers must be less than or equal to five minutes. Synchronize the times between the servers. |
Remarks
This method works only with the following management agents:
- Management agent for Active Directory Domain Services
- Management agent for Active Directory Application Mode (ADAM)
- Management agent for Active Directory global address list (GAL)
- Management agent for Lotus Notes Release 4.6 or 5.0
- Management agent for Novell eDirectory 8.62 or 8.7
- Management agent for Windows NT 4.0
- Management agent for Sun ONE Directory Server 4.1x and 5.x (formerly iPlanet Directory Server) and Netscape Directory Server 4.1 and 6.01
For the management agent for Active Directory Domain Services and the management agent for Active Directory GAL, the preferred domain controller is used to locate the server with the partition that contains the connector space object.
When you call the SetPassword method, an entry is written to the event log. The entry contains information about who made the request, the target of the request, and the status of the request.
Example
The following example shows how to use Microsoft Visual Basic Scripting Edition (VBScript) to set the password of the account Jeff in the main domain to NewPassword.
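```vbscript
Option Explicit
On Error Resume Next

Dim Service
Dim CsObjects
Dim CsObject

' Connect to the FIM Synchronization Service WMI namespace.
Set Service = GetObject("winmgmts:root\MicrosoftIdentityIntegrationServer")
If Err.Number <> 0 Then ErrorHandler "Cannot connect to the WMI namespace: " & Err.Description

' Find the connector space object for the account Jeff in the main domain.
Set CsObjects = Service.ExecQuery("Select * from MIIS_CSObject where domain='main' and account='Jeff'")
If Err.Number <> 0 Then ErrorHandler "Query failed: " & Err.Description

For Each CsObject in CsObjects
    WScript.Echo "SetPassword returns " & CsObject.SetPassword("NewPassword")
Next

' Report the error and stop the script with a nonzero exit code.
Sub ErrorHandler (ErrorMessage)
    WScript.Echo ErrorMessage
    WScript.Quit(1)
End Sub
```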
The following example shows how to use VBScript to set the password of the account Jeff in the main domain to NewPassword. It also forces the user to change the password at the next logon.
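```vbscript
Option Explicit
On Error Resume Next

Dim Service
Dim CsObjects
Dim CsObject
Dim ForcePasswordChange
Dim UnlockAccount

' Connect to the FIM Synchronization Service WMI namespace.
Set Service = GetObject("winmgmts:root\MicrosoftIdentityIntegrationServer")
If Err.Number <> 0 Then ErrorHandler "Cannot connect to the WMI namespace: " & Err.Description

' Find the connector space object for the account Jeff in the main domain.
Set CsObjects = Service.ExecQuery("Select * from MIIS_CSObject where domain='main' and account='Jeff'")
If Err.Number <> 0 Then ErrorHandler "Query failed: " & Err.Description

' Force the user to change the password at next logon.
ForcePasswordChange = True
' Unlock the account in cases when the account was locked out.
UnlockAccount = True

For Each CsObject in CsObjects
    WScript.Echo "SetPassword returns " & CsObject.SetPassword("NewPassword", ForcePasswordChange, UnlockAccount)
Next

' Report the error and stop the script with a nonzero exit code.
Sub ErrorHandler (ErrorMessage)
    WScript.Echo ErrorMessage
    WScript.Quit(1)
End Sub
```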
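
The same call from PowerShell, as an added example that is not part of the original page or of the product's own samples: it reads the password as a SecureString instead of embedding it in the script, sets EnforcePasswordPolicy to True, and flags which of the documented return values are worth retrying. The function name, the choice of transient return values, and reading the result from the `ReturnValue` property of the WMI output object are assumptions of this example.

```powershell
# Added example (not from the original page). The function name is hypothetical.
function Set-CsObjectPassword {
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [string] $Account,
        [Parameter(Mandatory = $true)] [securestring] $NewPassword,
        [switch] $ForceChangeAtLogon,
        [switch] $UnlockAccount
    )

    # Assumption: these return values can clear on a later attempt without
    # a configuration change; every other non-success value needs an operator.
    $transient = 'ma-concurrent-execution', 'server-down'

    # Both values are placed inside a WQL string literal, so refuse the
    # characters that could terminate or escape it.
    foreach ($value in $Domain, $Account) {
        if ($value -match "['\\]") { throw "Unsupported character in '$value'." }
    }

    $query = "Select * from MIIS_CSObject where domain='$Domain' and account='$Account'"
    $csObjects = @(Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Query $query)
    if ($csObjects.Count -eq 0) { throw "No connector space object found for $Domain\$Account." }

    # The method takes a plain string, so keep an unmanaged copy only for the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        foreach ($csObject in $csObjects) {
            # Argument order follows the syntax block; the last one is EnforcePasswordPolicy.
            $result = $csObject.SetPassword($plain, [bool]$ForceChangeAtLogon, [bool]$UnlockAccount, $true)
            $status = $result.ReturnValue
            [pscustomobject]@{
                Account   = "$Domain\$Account"
                Status    = $status
                Succeeded = ($status -eq 'success')
                Retry     = ($transient -contains $status)
            }
        }
    }
    finally {
        # Zero and free the unmanaged copy of the password.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Prompt for the password so it never appears in the script or command history:
# Set-CsObjectPassword -Domain main -Account Jeff -NewPassword (Read-Host 'New password' -AsSecureString)
```

The caller must still be a member of the MIISPasswordSet security group, and each call is recorded in the event log as described in the Remarks.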
Requirements
Product | Forefront Identity Manager Synchronization Service 2010 |
MOF | Mmswmi.mof |