Directory and Resource Administrator 6.50
Directory and Resource Administrator 6.60
Directory and Resource Administrator 7.x
Error: 'Cannot set user's password. Access is denied.' occurs when creating user accounts or resetting user passwords in Directory and Resource Administrator (DRA).
Unable to reset user account password in Directory and Resource Administrator (DRA).
The issue is due to a problem using ADSI SetPassword when setting the user password, both during account creation and when resetting an existing user's password. ADSI's LDAP provider uses the Kerberos library to reset the user's password, and the call made into Kerberos does not take the server name as a parameter, but rather only the domain name. Depending on what is found in the Kerberos binding cache, the password could actually be set on a different domain controller (DC) than what ADSI is connected to.
Microsoft has confirmed this to be a problem in Microsoft Windows 2000 SP2 and earlier. To resolve this issue, install Service Pack 3 for Microsoft Windows 2000 on the Directory and Resource Administrator (DRA) server(s). For more information, please see the Microsoft Knowledge Base article below:
- Q292573: ADSI SetPassword Call Does Not Always Set the Password on Target DC
An alternative fix is to configure DRA to write all changes to a specific domain controller. For more information on how to configure this option, please refer to the NetIQ Knowledge Base article below:
- NETIQKB1885: How do I configure the Directory and Resource Administrator server to write all changes to a specific domain controller?
As stated NETIQKB1885, a Domain Cache Refresh must be performed after setting the preferred DC.