Java program to change Active Directory user password (over SSL)?

Note, that to change Active Directory user password, connection must be made over SSL.

To enable SSL on Active Directory, and get hold of ssl certificate,  see instructions for that here.

The program:

import javax.naming.*;
import javax.naming.ldap.*;
import java.util.*;

public class ADPasswdChange {
DirContext ldapContext;
String baseName = ",CN=Users,DC=mydomain,DC=local";
String serverIP = "localhost";

public ADPasswdChange() {

try {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "Simple");
//NOTE: Replace the user and password in next two lines, this user should have privileges to change password.
//NOTE: This is NOT the user whose password is being changed.
env.put(Context.SECURITY_PRINCIPAL, "powerfuluser@mydomain.local");
env.put(Context.SECURITY_CREDENTIALS, "whateverpassword");
//NOTE: Replace localhost in next line with actual ldap host:
env.put(Context.PROVIDER_URL, "ldap://localhost:636");
env.put(Context.SECURITY_PROTOCOL, "ssl");
ldapContext = new InitialLdapContext(env, null);

catch (Exception e) {
System.out.println(" bind error: " + e);

public void updatePassword(String username, String password) {
try {

String quotedPassword = "\"" + password + "\"";
char unicodePwd[] = quotedPassword.toCharArray();
byte pwdArray[] = new byte[unicodePwd.length * 2];
for (int i=0; i<unicodePwd.length; i++) {
pwdArray[i*2 + 1] = (byte) (unicodePwd[i] >>> 8);
pwdArray[i*2 + 0] = (byte) (unicodePwd[i] & 0xff);

ModificationItem[] mods = new ModificationItem[1];
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
new BasicAttribute("UnicodePwd", pwdArray));

ldapContext.modifyAttributes("CN=" + username + baseName, mods);

catch (Exception e) {
System.out.println("update password error: " + e);

public static void main(String[] args) {
// the keystore that holds trusted root certificates
//NOTE: Replace with path to ssl certificate keystore file below.
System.setProperty("", "C:/mydir/keystore.jks");
//NOTE: Replace with keystore password that was used while converting .cer to .jks file.
System.setProperty("", "thekeypasswd");
System.setProperty("", "all");
ADPasswdChange adc = new ADPasswdChange();
//NOTE: Replace below with username whose password has to be changed and the desired password.
adc.updatePassword("user1", "change$2pass");

The above program is a slightly modified version of the one mentioned here:


One response

  1. can ad password be changed by a admin without ssl through java??

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: