Getting an error:

Server is unwilling to perform

while changing unicodePwd in AD through PHP. However, I'm able to search, add, remove and modify any attributes of the users.

Using Administrator account to bind and admin has full rights to change passwords of any users.

Here's the code I'm using:

<?php
$dn = "CN=Vishal Makwana,OU=Address Book,DC=example,DC=com";
$ad = ldap_connect("ldap://example.com")
      or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind($ad,"[email protected]","admin1");

    if($bd) {
        echo "AD bind successfully";  
      }
    else {
        echo "Couldn't bind AD";;
    }

$user["unicodePwd"] = "asdf1234";

$result = ldap_mod_replace($ad, $dn, $user);
if ($result) echo "User modified!"; else
             echo "There was a problem!";

ldap_unbind($ad);
?>

There are a number of things you need to get exactly right to set a password in AD via LDAP.

• you need to use an SSL connection (ldaps://)

• the password needs to be enclosed in quotes

• the (quoted) password needs to be encoded in 16-bit unicode (UTF-16LE)

Assuming the password you're trying to set is ordinary ascii characters, the unicode conversion can be accomplished by adding a \000 byte after each byte of the ascii string, as shown in this code sample.

So your example would instead look like:

$newpassword = "asdf1234";
$newpassword = "\"" . $newpassword . "\"";
$len = strlen($newpassword);
for ($i = 0; $i < $len; $i++) $newpass .= "{$newpassword{$i}}\000";
$user["unicodePwd"] = $newpass;

After searching a lot and spending a lot of time, I am finally able to modify the active directory user password from PHP code using LDAP library.

We need the LDAP's connection with the active directory server from the PHP code; and that you have to modify the unicodePwd field.

ldap_connect(ldaps://IP, 636);
ldap_connect(ldaps://IP, 389);