Tuesday, March 7, 2017

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[ javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0]; remaining name 'CN=Test3 User3,CN=Users,DC=Domain,DC=com'

Issue: 

The password update operation fails in Active Directory (AD) with the exception below, even when the operation is performed by an admin user:

oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0]; remaining name 'CN=Test3 User3,CN=Users,DC=Domain,DC=com'
                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
                at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
                at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:148)

Debugging:

Check oim_server1-diagnostic.log under oim_server1/logs to find the cause of the password update failure in AD.

Cause:

The attempted password update does not meet all the conditions of the password policy.

Solution:

Often we believe the password we supply satisfies every condition in the password policy. But the Active Directory password policy has one condition, Minimum password age [which might confuse you just as it did me :)], which means that once a user's password has been changed, it can't be changed again until the number of days given as its value has passed.

In this example AD password policy, Minimum password age is 1 day, so once a user's password has been changed, it can't be changed again for the next 24 hours; otherwise the same exception is thrown.

Notes :

  • The value of Minimum password age may vary from customer to customer. During development, I suggest keeping it at 0.
  • To view the password policy conditions, log on to the Domain Controller where AD is installed as Administrator and go to Start-->Administrative Tools-->Local Security Policy-->Account Settings-->Password Policy.
  • To change a password policy condition, you must first disable it; only then can it be changed.
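
The minimum-password-age check described above, as an added example (not part of the original post or the OIM connector): it parses the connector's LDAP error line and computes, from a user's pwdLastSet and the domain's minPwdAge, when the next password change would be accepted. The attribute values are constructed, the function names are hypothetical, and the mapping of 0000052D to ERROR_PASSWORD_RESTRICTION is the standard Win32 code rather than something stated in the post.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD timestamps count from here
WIN32_CODES = {0x52D: "ERROR_PASSWORD_RESTRICTION"}  # 0000052D in the LDAP message
LDAP_ERR = re.compile(
    r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}):.*?remaining name '([^']*)'")

# Error line quoted from the post; the attribute values below are constructed.
SAMPLE_LOG_LINE = ("javax.naming.OperationNotSupportedException: [LDAP: error code 53 - "
                   "0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0]; "
                   "remaining name 'CN=Test3 User3,CN=Users,DC=Domain,DC=com'")
SAMPLE_PWD_LAST_SET = 131333184000000000  # constructed: 2017-03-07 00:00:00 UTC
SAMPLE_MIN_PWD_AGE = -864000000000        # constructed: 1 day as a negative 100-ns interval


def parse_ldap_error(line):
    """Return LDAP result code, Win32 code and target DN from a JNDI error line."""
    m = LDAP_ERR.search(line)
    if m is None:
        return None
    win32 = int(m.group(2), 16)
    return {"ldap_code": int(m.group(1)), "win32": win32,
            "win32_name": WIN32_CODES.get(win32, "unknown"), "dn": m.group(3)}


def earliest_change(pwd_last_set, min_pwd_age):
    """Earliest UTC time a new password change is accepted under minPwdAge.

    pwd_last_set: user's pwdLastSet (100-ns ticks since 1601-01-01 UTC).
    min_pwd_age:  domain's minPwdAge (negative 100-ns interval, 0 = no minimum).
    """
    last_set = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    return last_set + timedelta(microseconds=abs(min_pwd_age) // 10)


def can_change_password(pwd_last_set, min_pwd_age, now):
    """True if 'now' is past the minimum-password-age window."""
    return now >= earliest_change(pwd_last_set, min_pwd_age)


if __name__ == "__main__":
    print(parse_ldap_error(SAMPLE_LOG_LINE))
    print("earliest change:", earliest_change(SAMPLE_PWD_LAST_SET, SAMPLE_MIN_PWD_AGE))
```

Running the same calculation before a provisioning job submits a password update shows whether the directory would refuse it, instead of finding out from the diagnostic log afterwards.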

