When invoking the "SetPassword" to the AD User

  • Question

  • I have experienced the following

    when invoking the "SetPassword" function using the below code

    dEntry.Invoke("SetPassword", new object[] { newPassword });

    then it is not checking the Password History and Age.

    Is there any MSDN link which documents this?

    Thanks in Advance,

    Rahul R

    Thursday, January 24, 2013 10:54 AM

Answers

  • Hi Rahul,

    The SetPassword method does not enforce password history, as you are doing an administrative password reset. If you want password history enforced, you have to do a normal password change using the ChangePassword method. The ChangePassword method requires knowledge of the previous passwords.

    For more information, please read the TechNet forum article below:

    http://social.technet.microsoft.com/Forums/da/winserverDS/thread/2616b0b6-e244-4bdb-90e8-ab2308fa74ff

    Maybe it helps you.

    If anything is unclear feel free to ask me... :)

    Thanks,

    Nans11


    ENjoy ThE WorLD Of COdE

    • Proposed as answer by Lisa Zhu Monday, January 28, 2013 7:58 AM
    • Marked as answer by Lisa Zhu Monday, February 4, 2013 7:04 AM
    Friday, January 25, 2013 5:26 AM

All replies

  • Hi Rahul R,

    Can you please provide some more information? Your post provides very little information to understand the problem. You can post a small example or an error message as well. It will help us to understand and resolve your problem.

    For now, please see the MSDN article below on how to invoke a method using reflection.

    http://msdn.microsoft.com/en-us/library/a89hcwhh(v=vs.90).aspx

    Maybe it helps you.

    If anything is unclear feel free to ask me... :)

    Thanks,

    Nans11


    ENjoy ThE WorLD Of COdE

    Thursday, January 24, 2013 11:06 AM
  • I am using the Below code to set the password of an Active Directory User.

    I have enabled Enforce Password History in the Policy Settings of Active Directory. But when using the below code I am not getting any exception if I set the new password with the same value as my old password. Is this the default working?

    Let me know if you need more information

    // Requires: using System; using System.DirectoryServices;
    void ChangePassword(string password, string loginID)
    {
        string ldapUserName = "ADusername";
        string ldapPassword = "ADpassword";
        string ldapdomainPathWithSearchBase = "LDAP://ADURL";

        const long ADS_OPTION_PASSWORD_PORTNUMBER = 6;  // declared but not used below
        const int ADS_OPTION_PASSWORD_METHOD = 7;
        const int ADS_PASSWORD_ENCODE_CLEAR = 1;        // 0 is ADS_PASSWORD_ENCODE_REQUIRE_SSL

        AuthenticationTypes AuthTypes = AuthenticationTypes.Signing |
            AuthenticationTypes.Sealing |
            AuthenticationTypes.Secure;

        using (DirectoryEntry objDE = new DirectoryEntry(ldapdomainPathWithSearchBase, ldapUserName, ldapPassword))
        {
            objDE.AuthenticationType = AuthTypes;
            using (DirectorySearcher searcher = new DirectorySearcher(objDE))
            {
                // loginID is concatenated into the filter unescaped; escape it
                // per RFC 4515 first if it can come from user input.
                searcher.Filter = "(&(objectClass=person)(cn=" + loginID + "))";
                searcher.SearchScope = System.DirectoryServices.SearchScope.Subtree;
                SearchResult result = searcher.FindOne();

                // FindOne returns null when no entry matches.
                if (result == null)
                {
                    throw new InvalidOperationException("User not found: " + loginID);
                }

                using (DirectoryEntry dEntry = result.GetDirectoryEntry())
                {
                    try
                    {
                        dEntry.Invoke("SetOption", new object[] { ADS_OPTION_PASSWORD_METHOD, ADS_PASSWORD_ENCODE_CLEAR });
                        // Administrative reset: password history is not checked here.
                        dEntry.Invoke("SetPassword", new object[] { password });
                        dEntry.Properties["LockOutTime"].Value = 0;
                        dEntry.CommitChanges();
                    }
                    catch (Exception)
                    {
                        // Do not swallow the error: failures from Invoke arrive
                        // wrapped in a TargetInvocationException.
                        throw;
                    }
                }
            }
        }
    }

    Thanks in Advance,

    Rahul R

    Thursday, January 24, 2013 11:19 AM
  • Hi Rahul,

    As TravisQuerec says in this thread 

    DirectoryEntry adEntry = new DirectoryEntry("LDAP://mydomain");
    DirectoryEntry userEntry = adEntry.Children.Add("CN=BobUser", "User");
    userEntry.Properties["Description"].Add("User Description");
    userEntry.CommitChanges();
    userEntry.Invoke("SetPassword

    For more information you can check below thread also,

    http://social.msdn.microsoft.com/Forums/en/csharpgeneral/thread/1827534a-f779-4a3e-8a8a-c76ccf1312b3

    http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/dbe9a019-b078-4d8c-a2e0-06c765458907

    Maybe it helps you.

    If anything is unclear feel free to ask me... :)

    Thanks,

    Nans11


    ENjoy ThE WorLD Of COdE

    Thursday, January 24, 2013 11:47 AM
  • Hi Nans11,

    Your links were helpful. My doubt is why the command "dEntry.Invoke("SetPassword", new object[] {password});" is not checking the password history requirements.

    Thursday, January 24, 2013 12:16 PM
  • Hi Rahul,

    As per my knowledge, password history requirements are dependent on your LDAP server. Some LDAP servers provide password history configuration. If your server provides that functionality, only then do you get some error codes for the password.

    Please see the OpenLDAP (one of the popular LDAP servers) password policy overlay article below:

    http://www.zytrax.com/books/ldap/ch6/ppolicy.html

    Maybe it helps you.

    If anything is unclear feel free to ask me... :)

    Thanks,

    Nans11


    ENjoy ThE WorLD Of COdE

    Thursday, January 24, 2013 12:49 PM
  • I am using Windows Active Directory
    Friday, January 25, 2013 4:26 AM
  • How would you suggest handling a self service forgot password?  In this case, we are letting the user change their password (and validating identity through other means), but since they have forgotten it, we can't use ChangePassword.  We are forced to use SetPassword, but the password policy should still apply (including history and age).
    • Edited by apiDev Wednesday, October 9, 2013 8:26 PM
    Wednesday, October 9, 2013 8:26 PM
  • How would you suggest handling a self service forgot password?  In this case, we are letting the user change their password (and validating identity through other means), but since they have forgotten it, we can't use ChangePassword.  We are forced to use SetPassword, but the password policy should still apply (including history and age).
    I have the same question. We are validating them through other means and want to set their password, without knowing their current password but enforce the current Password Policies.  I was thinking of using SetPassword with a temporary password and then use ChangePassword using the temporary password, but the Password Policy is set to disallow changes within two days.
    Wednesday, December 10, 2014 6:59 PM
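
The marked answer distinguishes an administrative reset from a user change, and the last two replies ask how to reset a forgotten password while still checking history. The following is an added example, not code from the thread, that builds both operations as LDAP modify requests on `unicodePwd` with System.DirectoryServices.Protocols and optionally attaches Active Directory's LDAP_SERVER_POLICY_HINTS_OID control to the reset. The control is not mentioned anywhere in the thread; the class name, sample DN and sample passwords are constructed.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Text;

static class AdPasswordRequests // hypothetical helper, not from the thread
{
    // LDAP_SERVER_POLICY_HINTS_OID; a DC that supports it lists it in rootDSE supportedControl.
    const string PolicyHintsOid = "1.2.840.113556.1.4.2239";

    // unicodePwd expects the password in double quotes, encoded as UTF-16LE.
    static DirectoryAttributeModification Mod(DirectoryAttributeOperation op, string password)
    {
        var mod = new DirectoryAttributeModification { Name = "unicodePwd", Operation = op };
        mod.Add(Encoding.Unicode.GetBytes("\"" + password + "\""));
        return mod;
    }

    // Administrative reset (the SetPassword case): one Replace, no old password needed.
    public static ModifyRequest Reset(string userDn, string newPassword, bool enforceHistory)
    {
        var request = new ModifyRequest(userDn, Mod(DirectoryAttributeOperation.Replace, newPassword));
        if (enforceHistory)
        {
            // Control value is BER SEQUENCE { Flags INTEGER }, Flags = 1.
            // Marked critical so a DC that lacks the control fails the reset
            // instead of silently skipping the history check.
            byte[] value = BerConverter.Encode("{i}", 1);
            request.Controls.Add(new DirectoryControl(PolicyHintsOid, value, true, true));
        }
        return request;
    }

    // User change (the ChangePassword case): Delete old value + Add new value in one request.
    public static ModifyRequest Change(string userDn, string oldPassword, string newPassword)
    {
        return new ModifyRequest(userDn,
            Mod(DirectoryAttributeOperation.Delete, oldPassword),
            Mod(DirectoryAttributeOperation.Add, newPassword));
    }

    static void Main()
    {
        string dn = "CN=BobUser,DC=example,DC=com"; // constructed sample DN
        ModifyRequest reset = Reset(dn, "N3w-Sample-Pw!", enforceHistory: true);
        ModifyRequest change = Change(dn, "Old-Sample-Pw!", "N3w-Sample-Pw!");
        Console.WriteLine("reset:  {0} modification(s), {1} control(s)", reset.Modifications.Count, reset.Controls.Count);
        Console.WriteLine("change: {0} modification(s), {1} control(s)", change.Modifications.Count, change.Controls.Count);
    }
}
```

Send either request with `LdapConnection.SendRequest` over an encrypted connection (LDAPS or sign-and-seal); Active Directory rejects `unicodePwd` modifications otherwise.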