1

At first, please forgive my English, it is not my mother tongue.

I'm working on a web platform that manages Active Directory. I can create, delete and edit a group, user, OU, and so on.

When a connected user wants to change his own password with the platform, it fails.

It comes from DirectoryEntry.Invoke.

I used the DirectoryServices.DirectoryEntry:

directoryEntry.Invoke("SetPassword", password);
directoryEntry.CommitChanges(); // DirectoryEntry has CommitChanges(), not Commit()

So I tried System.DirectoryServices.AccountManagement:

PrincipalContext ctx = new PrincipalContext(ContextType.Machine);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, Username);
user.SetPassword(password_);
user.Save();

Different way, same problem.

It only fails when a user tries to edit his own password.

Any help would be appreciated.

Bali C
Nate B.

4 Answers

2

Try this code. It works for me,

// Requires: using System; using System.DirectoryServices;
public void ChangeMyPassword(string domainName, string userName, string currentPassword, string newPassword)
{
    try
    {
        string ldapPath = "LDAP://192.168.1.xx";
        // Bind as the user whose password is being changed.
        DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
        if (directionEntry != null)
        {
            DirectorySearcher search = new DirectorySearcher(directionEntry);
            // userName goes into the filter unescaped; escape LDAP filter characters if it is untrusted input.
            search.Filter = "(SAMAccountName=" + userName + ")";
            SearchResult result = search.FindOne();
            if (result != null)
            {
                DirectoryEntry userEntry = result.GetDirectoryEntry();
                if (userEntry != null)
                {
                    // ChangePassword takes the old and the new password.
                    userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword });
                    userEntry.CommitChanges();
                }
            }
        }
    }
    catch (Exception)
    {
        throw; // rethrow without resetting the stack trace
    }
}
Rashad Valliyengal
1

As Paolo notes, you can't call Reset Password without extra privileges. To call ChangePassword, you need to supply the previous password like this:

directoryEntry.Invoke("ChangePassword", oldPassword, newPassword);
directoryEntry.CommitChanges(); // DirectoryEntry has CommitChanges(), not Commit()
Brian Desmond
  • I've tried this code when Paolo suggested it, and the result is the same: .Invoke issue. And when I use the DirectoryServices.AccountManagement, the error says that I have to check password policies (length, complexity, etc). And I have disabled them. So, the issue could be with ACE and the permission of changing his own password by programming. – Nate B. Oct 07 '11 at 06:43
  • I've tried to edit the ACE, using SecurityDescriptor, AccessControlList and so on and it fails. It happens often with it: "The security ID structure is invalid". I tried with PrincipalContext and its method UserCannotChangePassword = false, explained here (http://stackoverflow.com/questions/1761312/active-directory-properties) or here (http://msdn.microsoft.com/en-us/library/windows/desktop/aa746398%28v=vs.85%29.aspx) but it seems to be useless. – Nate B. Oct 10 '11 at 09:27
  • The error that occurred is the same as here: http://stackoverflow.com/questions/5946150/security-id-structure-invalid-getting-this-error-when-setting-the-new-securityd but the solution does not work for me. – Nate B. Oct 10 '11 at 09:30
0

Change Password requires the user's old password to set a new password, and the Reset Password permission is required for the person who resets the password. With AD's default permissions, only Administrators and Account Operators can reset passwords.

Brad Larson
Kevin M
0

This is a Windows restriction: a user cannot reset his own password, i.e. change the password without providing the old one.

You can only change your own password, i.e. provide old password and new password.
Try using the ChangePassword method instead.

Paolo Tedesco
  • Thanks for your reply. I tried your solution, and it fails. When using DirectoryEntry, it results in the same .Invoke issue. And when I use the PrincipalContext way, the error says that I have to check password policies (length, complexity, etc). And I have disabled them. O.o – Nate B. Oct 06 '11 at 13:28
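
The change-versus-reset distinction drawn in the answers above, sketched with System.DirectoryServices.AccountManagement as an added example (it is not code from the question or from any answer). The class name, method names and the `domain` parameter are assumptions made for illustration.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper class; names are illustrative and do not come from the page.
public static class AdPasswordService
{
    // Self-service change: the user supplies the old password, so no extra rights are needed.
    public static void ChangeOwnPassword(string domain, string samAccountName,
                                         string oldPassword, string newPassword)
    {
        // ContextType.Domain targets Active Directory; ContextType.Machine is the local SAM.
        // Binding with the user's own credentials keeps the web app's service account out of it.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, samAccountName, oldPassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            // FindByIdentity builds the query itself; the name is not concatenated into an LDAP filter.
            if (user == null)
                throw new InvalidOperationException("Account not found.");
            try
            {
                user.ChangePassword(oldPassword, newPassword);
            }
            catch (PasswordException ex)
            {
                // The directory rejected the change. Policy rejections cover password history and
                // minimum password age as well as length and complexity (general AD behaviour,
                // not stated on the page), so relaxing complexity alone may not clear the error.
                throw new InvalidOperationException("Password change rejected by the directory.", ex);
            }
        }
    }

    // Administrative reset: no old password is checked, so the caller needs the Reset Password
    // right (by default Administrators and Account Operators, as one answer notes).
    public static void ResetPassword(string domain, string samAccountName, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain)) // runs as the calling identity
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new InvalidOperationException("Account not found.");
            user.SetPassword(newPassword);
        }
    }
}
```

Keeping the two operations in separate methods lets the web platform expose only `ChangeOwnPassword` to ordinary users and gate `ResetPassword` behind its own authorization check.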