4006 Error when changing password through SSPR

  • 7015755
  • 10-Oct-2014
  • 18-Sep-2015


Self Service Password Reset
SSPR 3.x


4006 error when SSPR attempts to change the AD password
SSPR error log shows:   4006 PASSWORD_BADPASSWORD (error setting password for user ... ) 
Log shows additional errors:
- and from AD:   0: 0000052D: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)


Use a password that complies with AD password policies.
Make sure the new password is acceptable by attempting to change the password outside of SSPR, for example, through an LDAP browser. 

Note:   Using an LDAP browser would be a more accurate test (i.e. provide a closer comparison) than would changing the password through Active Directory Users and Computers.

Additional Information

These errors indicate that the attribute value we are attempting to write (i.e. the new password) violates constraints placed on the attribute by AD.  Unfortunately, AD has no detailed error codes for errors setting passwords, just this one error, and it is not very clear.   It can be caused by any of the following: 
1) a time violation (too soon because of ad pw policy)
2) some AD pw policy violation - too short, or otherwise doesn't meet AD complexity
3) server hasn't been rebooted recently (domain controllers)
4) password history violation

Also related to this error it is important to understand that SSPR can't read all the AD password policies.  Most importantly, it cant read GPO policies.  SSPR can only read whats called  'fine grained' password policies from AD.  So even though SSPR says a password meets the policy there maybe something it can't see.