By default Active Directory doesn't allow to do password operations such as password updates or user creating with passwords over an LDAP connection, it requires an LDAPS connection. How can I disable this policy? I can ensure the connection between my client and the AD is secure, so I do not need SSL encryption.
Open a command line (Start → Run → cmd) and type the following commands:
dsmgmtds behaviorconnectionsconnect to server localhostquitallow passwd op on unsecured connectionlist current ds-behaviorquitquit
The whole thing should look like this (empty lines added for readability)
C:\Windows\system32>dsmgmt
dsmgmt: ds behavior
AD DS/LDS behavior: connections
server connections: connect to server localhost
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
server connections: quit
AD DS/LDS behavior: allow passwd op on unsecured connection
Successfully modified DS Behavior to reset password over unsecured network.
AD DS/LDS behavior: list current ds-behavior
Password operations on unsecured connection: Allowed.
AD DS/LDS behavior: quit
dsmgmt: quit
To undo the change, open dsmgmt again and follow the steps. Instead of allow, use deny passwd op on unsecured connection.
Source: http://www.forumeasy.com/forums/thread.jsp?tid=135602313860&fid=ldapprof9
来源:https://stackoverflow.com/questions/16861664/how-to-disable-password-operations-over-ldaps-only-policy-in-active-directory