Asked by:
UserPrincipal.SetPassword(password) not checking password history requirements policy

Question
-
User-147917929 posted
Hi, I am working with Windows on-prem AD and using classes from the System.DirectoryServices.AccountManagement library, and I am having difficulties while resetting the password. I applied a 12-password history check in policy and it works for
UserPrincipal.ChangePassword(oldpass, newpass) but not for
UserPrincipal.SetPassword(pass).
Any help would be greatly appreciated.
Monday, May 24, 2021 4:06 PM
All replies
-
User753101303 posted
Hi,
IMO ChangePassword is intended for users: the old password needs to be known and it is subject to password history. SetPassword is intended for an admin, doesn't need to know the old password, and it seems that not enforcing the password history could make sense here.
Edit: a search for other posts shows this is the behavior seen by others, even if it is not described in the low-level Win32 documentation.
Edit 2: maybe a safety measure. In a highly secure environment it might allow a support person to know the password (i.e. if entering by chance the last user password and being blocked). Try perhaps a Windows admin security forum to see if someone knows why exactly.
Friday, May 28, 2021 12:34 AM
-
User-147917929 posted
Agree PatriceSc, but here we need to provide a ForgotPassword flow to the end user where the user himself can set the password. We have multiple apps with thousands of users, so we can't manage their password history on the application side (for security purposes) either.
Friday, May 28, 2021 7:45 AM
-
User753101303 posted
Hi,
And do you already have the usual process in place where the user MUST provide the old password to enter his new password? Does it happen often that a user can't provide his old password?
For the "reset" option, another option could perhaps be to use SetPassword with a temp password and then ChangePassword again. Or to use the "force user to change password at next logon" setting. Not sure how it plays with a policy like preventing the user from changing the password twice in a row...
Check maybe a Windows admin forum or support for https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#test-self-service-password-reset but IMO a password reset (rather than change) won't honor the password history. If done yourself, make sure it is well protected. Apparently SSPR requires a phone number or an email, likely to enter a verification code before proceeding.
Friday, May 28, 2021 9:54 AM
-
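The SetPassword/ChangePassword difference reported in the question and the two reset variants suggested in the reply above (temp password followed by ChangePassword, or admin reset plus "must change password at next logon"), as an added C# example. This is not code from the thread or from Microsoft's documentation. It assumes an on-prem AD domain, a PrincipalContext opened under a process identity that holds reset-password rights on the target users, and that ChangePassword reports a policy rejection by throwing PasswordException; the names PasswordResetFlow, ResetHonouringHistory, ResetWithForcedChange and GenerateTemporaryPassword are this example's own.

```csharp
// Added example, not from the thread. Assumes an on-prem AD domain and a
// process identity with "Reset password" rights on the target users.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;

public static class PasswordResetFlow
{
    // Variant A: forgot-password reset that still honours the domain's
    // history policy. Returns true when the new password was accepted and
    // false when domain policy (history, complexity, minimum age) rejected it.
    public static bool ResetHonouringHistory(PrincipalContext ctx,
                                             string samAccountName,
                                             string newPassword)
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("No such user: " + samAccountName);

            // Step 1: administrative reset to a random throw-away value.
            // SetPassword is not subject to the history check (the behaviour
            // the question reports). The temp value exists only in this
            // method and is never shown, stored or logged.
            string temp = GenerateTemporaryPassword();
            user.SetPassword(temp);

            try
            {
                // Step 2: user-style change from the temp value to the
                // requested one. ChangePassword IS subject to the history
                // policy, so a reused password is rejected by the domain here.
                user.ChangePassword(temp, newPassword);
                return true;
            }
            catch (PasswordException)
            {
                // Domain policy rejected newPassword. The account now holds a
                // random value that nobody retains, so the user simply reruns
                // the flow with a different password.
                return false;
            }
        }
    }

    // Variant B: admin reset plus "must change password at next logon".
    // History is then enforced by Windows when the user picks the real
    // password. Returns the one-time value, which must reach the user over
    // a verified channel (the thread notes SSPR verifies phone or email first).
    public static string ResetWithForcedChange(PrincipalContext ctx,
                                               string samAccountName)
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("No such user: " + samAccountName);

            string oneTime = GenerateTemporaryPassword();
            user.SetPassword(oneTime);
            // Flags the account "user must change password at next logon";
            // like SetPassword it is applied to the directory directly.
            user.ExpirePasswordNow();
            return oneTime;
        }
    }

    // Random temp password: 32 CSPRNG bytes, base64-encoded, with a fixed
    // prefix so every complexity class (upper, lower, digit, symbol) is present.
    private static string GenerateTemporaryPassword()
    {
        byte[] bytes = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return "Aa1!" + Convert.ToBase64String(bytes);
    }
}
```

Call either method with `new PrincipalContext(ContextType.Domain)`, which binds as the current process identity (for example a dedicated service account), so no credentials sit in code or config. Two caveats follow directly from the thread: in variant A the temp value consumes one slot of the 12-entry history each time the flow runs, and a subsequent ChangePassword is still subject to the domain's minimum password age, which is the "twice in a row" concern raised above; test both against your own policy before relying on the flow.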
User-147917929 posted
> For the "reset" option, another option could perhaps be to use SetPassword with a temp password and then ChangePassword again. Or to use the "force user to change password at next logon" setting. Not sure how it plays with a policy like preventing the user from changing the password twice in a row...
We thought about this process, but it will unnecessarily increase the password history, and real passwords will be pushed out of the top 12.
Friday, May 28, 2021 3:14 PM