Detecting a changed password

Question
-
Is there a way to detect that the current login credentials are invalid or out of date?
I am working in an environment where users are asked to use an internal website to change their password rather than using CTRL-ALT-DEL => Change Password. This is to ensure that their passwords are consistent in Active Directory and in our Unix and mainframe environments.
I am working on an application that does not behave correctly when the user has changed their password using this web site but they haven't logged off and back on (or locked and unlocked the workstation). I need to detect that their password has changed and instruct them to re-log to refresh their credentials.
I'm hoping that there is some direct API that will allow me to detect this condition categorically, instead of a "try this, and if it fails..." approach. I doubt this will be a managed API, but I am open to using Win32 directly. I'm no stranger to such things.
Thanks!
Monday, November 5, 2012 9:43 PM
Answers
-
Hi,
Currently there is no way to know from the desktop session, because after user logon Windows uses the cached credential (http://technet.microsoft.com/en-us/library/hh994565%28v=ws.10%29.aspx).
So currently the best way is either to make a connection to AD/LDAP and query the attribute, or to use "try/catch" to handle the failure.
Regards,
Christian HL
Microsoft Online Community Support
Tuesday, November 27, 2012 4:51 AM
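The directory-query option from the answer above, as an added example that is not part of the original thread. It assumes the application has already read the account's `pwdLastSet` value over LDAP (the attribute the asker calls pwd_last_set) and knows when the session last logged on or unlocked; the function names and sample values are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class CredentialState(Enum):
    CURRENT = "current"          # session credentials are newer than the password
    STALE = "stale"              # password changed after the last logon/unlock
    MUST_CHANGE = "must_change"  # pwdLastSet == 0: change required at next logon
    UNKNOWN = "unknown"          # value missing or unparsable; fall back to try/catch


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def credential_state(pwd_last_set_raw, last_refresh: datetime) -> CredentialState:
    """Compare the directory's pwdLastSet with the last logon/unlock time.

    pwd_last_set_raw: attribute value as returned by LDAP (str, bytes or int).
    last_refresh: aware datetime of the last logon or unlock (assumed input).
    """
    if last_refresh.tzinfo is None:
        raise ValueError("last_refresh must be timezone-aware")
    try:
        ticks = int(pwd_last_set_raw)
        if ticks == 0:
            return CredentialState.MUST_CHANGE
        if ticks < 0:
            return CredentialState.UNKNOWN
        changed = filetime_to_datetime(ticks)
    except (TypeError, ValueError, OverflowError):
        return CredentialState.UNKNOWN
    return CredentialState.STALE if changed > last_refresh else CredentialState.CURRENT


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    logon = datetime(2012, 11, 5, 9, 0, tzinfo=timezone.utc)
    changed_at = datetime(2012, 11, 5, 14, 30, tzinfo=timezone.utc)
    raw = str(int((changed_at - FILETIME_EPOCH).total_seconds()) * 10_000_000)
    print(raw, credential_state(raw, logon))
```

An `UNKNOWN` result is the case where the answer's second option, attempting the operation and handling the failure, still applies.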
All replies
-
Why don't you try to make a log when the user changes his password?
You can store your current password in some database or txt file and create code which will check if there is some change in the log.
Monday, November 5, 2012 10:13 PM -
Thanks for the response.
I work in a large worldwide firm and don't have access to the password change system. However, what you're suggesting is available in LDAP/AD anyway. There is a pwd_last_set LDAP attribute that I can query. However, I was hoping for a simpler solution that doesn't require an external connection. I was hoping that the desktop session gets notified in some way when the password changes through an external means, and that there would be some simple API that I could call.
Tuesday, November 6, 2012 6:24 PM -
This is the only thing that is on my mind. I hope that it will help you :)
Tuesday, November 6, 2012 6:27 PM
-
Hi Neuroboy77,
I temporarily mark TonchiVZ's reply as an answer. You can unmark it if it provides no help.
Bob Shen [MSFT]
MSDN Community Support | Feedback to us
Friday, November 23, 2012 5:54 AM -
Bob:
Please rethink your decision to mark TonchiVZ's response as an answer. NeuroBoy77 did say: "I work in a large worldwide firm and don't have access to the password change system." and the suggestion "You can store in some database or txt file your current password" would be a huge security hole.
"Premature optimization is the root of all evil." - Knuth
Friday, November 23, 2012 6:00 AM -