Password Reset Fails for Locked Users with AD Connector in UCS@School
Problem
In environments using the UCS AD Connector together with the UCS@School module, password changes and resets may fail for user accounts that are locked in Active Directory.
If a user account is locked in AD due to multiple failed login attempts (account lockout, not account disablement), this state is synchronized to UCS via the AD Connector.
When a teacher attempts to reset the affected user’s password using the UMC module “Student Passwords”, the following error occurs:
The password reset failed for the following users
- Mustermann, Max (muster.max)
permission denied
The same error (“Permission denied”) is shown when the user attempts to change their password via the Univention Portal.
Password changes are only possible after the user account has been explicitly unlocked.
Environment
- Univention Corporate Server (UCS)
- UCS@School
- Active Directory Connector
- Microsoft Active Directory with account lockout policy enabled
Root Cause
Password change and reset operations are currently not supported for user objects that are in a locked (lockout) state.
This is a known issue in UCS and is documented in the Univention bug tracker:
The issue is not caused by the AD Connector itself but by the handling of password changes for locked user objects: the lockout state of the user object is not taken into account during the password change or reset operation, so the operation is rejected with a misleading "permission denied" error although the acting user (teacher or account owner) is authorized to change the password.
Solution
At the time of writing, no permanent fix is available. Please monitor the referenced bug report for updates and an official solution in a future UCS release.
Workaround
One of the following workarounds can be applied:
- Unlock the user account
  Explicitly unlock the affected user account before attempting to change or reset the password. Since the lockout originates in Active Directory and is synchronized to UCS by the AD Connector, unlock the account on the AD side (for example in "Active Directory Users and Computers" or with the Unlock-ADAccount PowerShell cmdlet) and wait for the AD Connector to synchronize the cleared state before retrying the reset.
- Disable automatic account lockout
  If not strictly required by security policies, disable the automatic account lockout functionality in Active Directory (account lockout threshold of 0 in the domain password policy). Note that account lockout is a control against online brute-force and password-spraying attacks; disabling it removes this protection for all accounts in the domain and should only be chosen if compensating controls are in place. Unlocking individual accounts is the less invasive workaround.
As long as user objects are not locked, password changes and resets work as expected via:
- UMC (Student Passwords module)
- Univention Portal (self-service password change)
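The following PowerShell script is an added example for the first workaround and is not part of this article or of UCS. It assumes the RSAT ActiveDirectory module on a Windows host joined to the AD domain, an account permitted to unlock users, and the user "muster.max" from the error message above; the function name Unlock-AndVerify is chosen for this example. It distinguishes a locked-out account from a disabled one (only lockout triggers the error described here), unlocks the account and re-reads the state before the password reset is retried in UMC or the Portal.

```powershell
# Added example (not part of the original article): check whether an AD account
# is locked out, unlock it, and verify the result before retrying the reset.
# Assumes the RSAT ActiveDirectory module and permission to unlock accounts.
Import-Module ActiveDirectory

function Unlock-AndVerify {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )
    # LockedOut is derived from lockoutTime; Enabled reflects userAccountControl.
    # The article's issue concerns lockout, not disablement, so report both so
    # a disabled account is not misdiagnosed as a locked one.
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, Enabled, badPwdCount, LockoutTime
    if (-not $user.Enabled) {
        Write-Warning "$SamAccountName is disabled, not locked out; this is a different state."
    }
    if (-not $user.LockedOut) {
        Write-Output "$SamAccountName is not locked out (badPwdCount=$($user.badPwdCount))."
        return $true
    }
    $since = [DateTime]::FromFileTime($user.LockoutTime)
    Write-Output "$SamAccountName is locked out since $since; unlocking."
    Unlock-ADAccount -Identity $SamAccountName

    # Re-read the state to confirm the unlock actually took effect on this DC.
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    if ($user.LockedOut) {
        Write-Error "$SamAccountName is still locked out; check replication and the lockout source DC."
        return $false
    }
    Write-Output "$SamAccountName unlocked; wait for the AD Connector sync, then retry the password reset."
    return $true
}

# List all currently locked-out accounts, e.g. to find affected students
# before a password reset session.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# Unlock the user from the error message in the article.
Unlock-AndVerify -SamAccountName 'muster.max'
```

Unlocking on one domain controller is replicated to the others; if the account still shows as locked out immediately after the unlock, the lockout was most likely recorded on a different DC and replication has not completed yet. Only after the AD Connector has synchronized the cleared state to UCS will the reset in the "Student Passwords" module succeed.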