AD Change Password issue

[Sathya Gomathi via DotNetMonster.com]

Hi,

I trying to change password of an account in AD. This the code iam using

string adspath = "LDAP://SYST.ctc.edu/CN="+username+",OU=Users,OU=Seattle District (060 - SCCD),OU=Washington Colleges,DC=SYST,DC=ctc,DC=edu";
DirectoryEntry entry1 = new DirectoryEntry (adspath, @"domain\username", "PWD", AuthenticationTypes.Secure);

string OldPassword = "OLDPWD";
string NewPassword = "mynewsecre@t!#*";

object[] tt = new object[]{OldPassword, NewPassword};

try
{
entry1.Invoke( "ChangePassword" ,tt );
entry1.Properties["userAccountControl"].Value = 0x0200;
entry1.CommitChanges();
}
catch(Exception excp)
{
throw(excp);
}

I get this exception
"System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."
}

--
Message posted via [url]http://www.dotnetmonster.com[/url]

[Joe Kaplan \(MVP - ADSI\)]

You need to make sure that the password you are changing to hasn't been used
recently and meets the policy requirements (try adding numbers too or
something).

Otherwise that should basically work. You might want to set
userAccountControl in a separate step too.

Joe K.

"Sathya Gomathi via DotNetMonster.com" <forum@DotNetMonster.com> wrote in
message news:e5f377760c5a4269889e40a3a4b20ccd@DotNetMonste r.com...

> Hi,
>
> I trying to change password of an account in AD. This the code iam using
>
> string adspath = "LDAP://SYST.ctc.edu/CN="+username+",OU=Users,OU=Seattle
> District (060 - SCCD),OU=Washington Colleges,DC=SYST,DC=ctc,DC=edu";
> DirectoryEntry entry1 = new DirectoryEntry (adspath, @"domain\username",
> "PWD", AuthenticationTypes.Secure);
>
> string OldPassword = "OLDPWD";
> string NewPassword = "mynewsecre@t!#*";
>
> object[] tt = new object[]{OldPassword, NewPassword};
>
> try
> {
> entry1.Invoke( "ChangePassword" ,tt );
> entry1.Properties["userAccountControl"].Value = 0x0200;
> entry1.CommitChanges();
> }
> catch(Exception excp)
> {
> throw(excp);
> }
>
> I get this exception
> "System.Runtime.InteropServices.COMException (0x800708C5): The password
> does not meet the password policy requirements. Check the minimum password
> length, password complexity and password history requirements."
> }
>
> --
> Message posted via [url]http://www.dotnetmonster.com[/url]

[Sathya Gomathi via DotNetMonster.com]

Hi Thanks..there was a minimum pwd age set on GPO..its working fine now..

i am running into another problem..the requirement is the option 'User must change pwd at first logon' needs to be set..and when the user login first time i must ask him to change his pwd through C#.
1. first problem i encountered was it doent even allow to connect error "bad user name and pwd"..

so here is the question " how do i check whether this option is set..and how do i disable this option so that the user can change his/her pwd.." all this i need to do from C#..and also i cant use admin credentials to connect to AD..

Thanks in advance

--
Message posted via [url]http://www.dotnetmonster.com[/url]

[Joe Kaplan \(MVP - ADSI\)]

You can't do this. If pwdLastSet is set to 1, the user will be in "change
password at next logon" mode, but via LDAP they cannot bind with their
credentials in that state. LDAP bind != Windows Logon. You need to use
Windows APIs to handle this.

If you could go in as a privileged account, you could set pwdLastSet to 0 to
get around that, but you said that wasn't an option.

I'm not exactly sure what APIs you can even use to do this though. One
thing you might want to look at is IIS 6 ships with some web pages for
managing user passwords that DO support this functionality. I haven't used
them, but I've heard such a thing exists.

Best of luck,

Joe K.

"Sathya Gomathi via DotNetMonster.com" <forum@DotNetMonster.com> wrote in
message news:330fe799458147ef8acfb578f5b1cb5a@DotNetMonste r.com...

> Hi Thanks..there was a minimum pwd age set on GPO..its working fine now..
>
> i am running into another problem..the requirement is the option 'User
> must change pwd at first logon' needs to be set..and when the user login
> first time i must ask him to change his pwd through C#.
> 1. first problem i encountered was it doent even allow to connect error
> "bad user name and pwd"..
>
> so here is the question " how do i check whether this option is set..and
> how do i disable this option so that the user can change his/her pwd.."
> all this i need to do from C#..and also i cant use admin credentials to
> connect to AD..
>
> Thanks in advance
>
> --
> Message posted via [url]http://www.dotnetmonster.com[/url]

[Sathya Gomathi via DotNetMonster.com]

Hi Joe,

Thanks for the immidiate response..one more help required..can you send me the code snippet in c# to get the property "PasswordLastChanged" and "pwdLastSet" for a user

Thanks

--
Message posted via [url]http://www.dotnetmonster.com[/url]

[Sathya Gomathi via DotNetMonster.com]

Joe,

I got the answer for my question..but it would be great of you can suggest me a way/logic to get whether the user logs in first time or not (if the 'user must change pwd in the next logon' is deselected).

Thanks
Sathya

--
Message posted via [url]http://www.dotnetmonster.com[/url]

[Joe Kaplan \(MVP - ADSI\)]

The logic is this:
pwdLastSet=0 -> user never has to change the password
pwdLastSet=1 -> user must change pwd at next logon
pwdLastSet=some large integer -> password was set at the time indicated what
this number as filetime is (DateTime.FromFileTime is cool for this in .NET)

If it is some large integer, it will expire based on the normal password
policy for the domain.

HTH,

Joe K.

"Sathya Gomathi via DotNetMonster.com" <forum@DotNetMonster.com> wrote in
message news:bada2415a5a54257bba482b9d35ef3f5@DotNetMonste r.com...

> Joe,
>
> I got the answer for my question..but it would be great of you can suggest
> me a way/logic to get whether the user logs in first time or not (if the
> 'user must change pwd in the next logon' is deselected).
>
> Thanks
> Sathya
>
> --
> Message posted via [url]http://www.dotnetmonster.com[/url]

[vasudha]

Hi sathya,
i'm also getting the same error, while trying to change the password in
activedirectory through C#. what do you mean by this? there was a
minimum pwd age set on GPO?
I appreciate

Thanks.

Sathya Gomathi via DotNetMonster.com wrote:

> *Hi Thanks..there was a minimum pwd age set on GPO..its working fine
> now..
>
> i am running into another problem..the requirement is the option
> 'User must change pwd at first logon' needs to be set..and when the
> user login first time i must ask him to change his pwd through C#.
> 1. first problem i encountered was it doent even allow to connect
> error "bad user name and pwd"..
>
> so here is the question " how do i check whether this option is
> set..and how do i disable this option so that the user can change
> his/her pwd.." all this i need to do from C#..and also i cant use
> admin credentials to connect to AD..
>
> Thanks in advance
>
> --
> Message posted via [url]http://www.dotnetmonster.com[/url] *

--
vasudha
------------------------------------------------------------------------
Posted via [url]http://www.codecomments.com[/url]
------------------------------------------------------------------------

[Joe Kaplan \(MVP - ADSI\)]

You can check to see if you have a minimum pwd age on your domain by bindng
to the defaultNamingContext object (the domainDNS root for the domain) and
checking the minPwdAge attribute. If it is non-zero, you have a minimum pwd
age.

Joe K.

"vasudha" <vasudha.1o8sht@mail.codecomments.com> wrote in message
news:vasudha.1o8sht@mail.codecomments.com...

>
> Hi sathya,
> i'm also getting the same error, while trying to change the password in
> activedirectory through C#. what do you mean by this? there was a
> minimum pwd age set on GPO?
> I appreciate
>
> Thanks.
>
> Sathya Gomathi via DotNetMonster.com wrote:

>> *Hi Thanks..there was a minimum pwd age set on GPO..its working fine
>> now..
>>
>> i am running into another problem..the requirement is the option
>> 'User must change pwd at first logon' needs to be set..and when the
>> user login first time i must ask him to change his pwd through C#.
>> 1. first problem i encountered was it doent even allow to connect
>> error "bad user name and pwd"..
>>
>> so here is the question " how do i check whether this option is
>> set..and how do i disable this option so that the user can change
>> his/her pwd.." all this i need to do from C#..and also i cant use
>> admin credentials to connect to AD..
>>
>> Thanks in advance
>>
>> --
>> Message posted via [url]http://www.dotnetmonster.com[/url] *

>
>
>
> --
> vasudha
> ------------------------------------------------------------------------
> Posted via [url]http://www.codecomments.com[/url]
> ------------------------------------------------------------------------
>