3.4.5.2.7 Calling NetrServerPasswordSet

The client MUST do the following:

Have a secure channel established with a DC in the domain identified by domain-name and pass its name as the PrimaryName parameter.
Pass the encrypted new password:
1. Compute the NTOWFv1 ([MS-NLMP] section 3.3.1) of the new password.
2. Encrypt ([MS-SAMR] section 2.2.11.1.1) the result of step 1 using the Session-Key for the secure channel as the specified key.
3. Pass the result of step 2 as the UasNewPassword parameter.
Pass a valid client Netlogon authenticator as the Authenticator parameter.

After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.

On receiving STATUS_ACCESS_DENIED, the client SHOULD <102> re-establish the secure channel with the domain controller.

Additional resources