3.3.5.2.2 Normative Specification
On receiving this message, the responder SHOULD<11> return STATUS_NOT_SUPPORTED if either the responder is not the PDC or the requestor is an RODC. Otherwise, the responder MUST process the data from the message subject to all of the following constraints. All of the following actions MUST be performed in the same transaction:
The responder SHOULD validate the integrity of the message with respect to embedded offsets and sizes. Responder implementations SHOULD return STATUS_INVALID_PARAMETER upon receiving malformed messages.<12>
If no bits are set in Message.PasswordUpdate.Flags, the responder MUST perform no action and MUST return STATUS_INVALID_PARAMETER to the requestor. If bits are set in Message.PasswordUpdate.Flags that MUST be 0 (as specified in section 2.2.2), STATUS_REVISION_MISMATCH MUST be returned.
The responder SHOULD return STATUS_SUCCESS to the requestor, and, as a background operation, SHOULD<13> perform a "replicateSingleObject" operation with the DN of the DSA object of the requestor DC, and the DN of the object that has an objectSid attribute value that corresponds to the value constructed by concatenating the Message.PasswordUpdate.Rid field with the configured domain SID.<14> This operation is specified in [MS-ADTS] section 3.1.1.3.3.18.
If no errors occur during the message processing, the responder MUST return STATUS_SUCCESS; otherwise, the responder MUST return an error code, as specified in section 2.2.9.
If the background operation fails for any reason, the responder MUST perform the following tasks in the background.
If the FLAG_NT_HASH flag is present in Message.PasswordUpdate.Flags, the responder MUST perform all of the following operations on the target object in the database.
Update the unicodePwd attribute with the data value supplied in Message.PasswordUpdate.Data, as specified by the fourth array element in Message.PasswordUpdate.OffsetLengthArray.
If the FLAG_LM_HASH flag is present in Message.PasswordUpdate.Flags, update the dbcsPwd attribute with the data value supplied in Message.PasswordUpdate.Data, as specified by the third array element in Message.PasswordUpdate.OffsetLengthArray.
Update the pwdLastSet attribute to the current time.
If the FLAG_ACCOUNT_UNLOCKED flag is present in Message.PasswordUpdate.Flags, the responder MUST update the lockoutTime attribute of the target object in the database to 0.
If the FLAG_MANUAL_PWD_EXPIRY or FLAG_NT_HASH flag is present in Message.PasswordUpdate.Flags, and if Message.PasswordUpdate.PasswordExp is nonzero, the responder MUST update the pwdLastSet attribute of the target object in the database to 0.
All updates MUST occur as originating updates.
All errors MUST be ignored.
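The following is an added reference model of the processing rules above, written for this page; it is not the specification's text and not the code of any directory server implementation. It assumes the in-memory shape of Message.PasswordUpdate shown in the dataclass (not the wire layout of section 2.2.2), assumes bit values for the four flags (the real values are in section 2.2.2, which is not reproduced here), uses the standard NTSTATUS values for the codes named, treats the first two OffsetLengthArray elements as placeholders because the text only names the third and fourth, and stands in for the replicateSingleObject operation with a callback keyed by the target SID. The offset/length check is the integrity check the text asks for: every referenced range must lie inside Data, so a crafted message cannot make the responder read past the buffer. The update function keeps the text's ordering, which is what makes a nonzero PasswordExp override the pwdLastSet written a moment earlier.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed bit values for the flags named in the text (real values: section 2.2.2).
FLAG_NT_HASH = 0x00000001
FLAG_LM_HASH = 0x00000002
FLAG_ACCOUNT_UNLOCKED = 0x00000004
FLAG_MANUAL_PWD_EXPIRY = 0x00000008
KNOWN_FLAGS = (FLAG_NT_HASH | FLAG_LM_HASH | FLAG_ACCOUNT_UNLOCKED
               | FLAG_MANUAL_PWD_EXPIRY)

# Standard NTSTATUS values for the codes the text names.
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_REVISION_MISMATCH = 0xC0000059
STATUS_NOT_SUPPORTED = 0xC00000BB

# The text refers to the "third" and "fourth" elements of OffsetLengthArray.
LM_HASH_ELEMENT = 2
NT_HASH_ELEMENT = 3


@dataclass
class PasswordUpdate:
    """Assumed in-memory form of Message.PasswordUpdate (not the wire layout)."""
    flags: int
    rid: int
    password_exp: int
    offset_length_array: List[Tuple[int, int]]  # (offset, length) pairs into data
    data: bytes


def validate_layout(msg: PasswordUpdate) -> bool:
    """Integrity check against embedded offsets and sizes: the array must hold
    the elements the text references, and every range must lie inside Data."""
    if len(msg.offset_length_array) <= NT_HASH_ELEMENT:
        return False
    for off, ln in msg.offset_length_array:
        if off < 0 or ln < 0 or off + ln > len(msg.data):
            return False
    return True


def check_flags(flags: int) -> int:
    if flags == 0:
        return STATUS_INVALID_PARAMETER      # no bits set: nothing to do
    if flags & ~KNOWN_FLAGS:
        return STATUS_REVISION_MISMATCH      # a bit that MUST be 0 is set
    return STATUS_SUCCESS


def target_sid(domain_sid: str, msg: PasswordUpdate) -> str:
    """objectSid of the target: the configured domain SID with the RID appended."""
    return f"{domain_sid}-{msg.rid}"


def apply_update(msg: PasswordUpdate, obj: Dict[str, object], now: int) -> Dict[str, object]:
    """The attribute updates, in the order the text lists them; `obj` is a dict
    standing in for the target object in the database."""
    if msg.flags & FLAG_NT_HASH:
        off, ln = msg.offset_length_array[NT_HASH_ELEMENT]
        obj["unicodePwd"] = msg.data[off:off + ln]
        if msg.flags & FLAG_LM_HASH:
            off, ln = msg.offset_length_array[LM_HASH_ELEMENT]
            obj["dbcsPwd"] = msg.data[off:off + ln]
        obj["pwdLastSet"] = now
    if msg.flags & FLAG_ACCOUNT_UNLOCKED:
        obj["lockoutTime"] = 0
    # Evaluated last, so a nonzero PasswordExp overrides pwdLastSet = now.
    if msg.flags & (FLAG_MANUAL_PWD_EXPIRY | FLAG_NT_HASH) and msg.password_exp != 0:
        obj["pwdLastSet"] = 0
    return obj


def respond(msg: PasswordUpdate, is_pdc: bool, requestor_is_rodc: bool) -> int:
    """Synchronous part: the status returned to the requestor."""
    if not is_pdc or requestor_is_rodc:
        return STATUS_NOT_SUPPORTED
    if not validate_layout(msg):
        return STATUS_INVALID_PARAMETER
    return check_flags(msg.flags)


def background(msg: PasswordUpdate, directory: Dict[str, Dict[str, object]],
               domain_sid: str, replicate: Callable[[str], bool], now: int) -> str:
    """Background part: try the replicateSingleObject stand-in first; if it
    fails, apply the message's own updates locally, ignoring errors as the
    text requires."""
    sid = target_sid(domain_sid, msg)
    if replicate(sid):
        return "replicated"
    try:
        apply_update(msg, directory[sid], now)
        return "applied"
    except Exception:
        return "failed-ignored"


if __name__ == "__main__":
    # Constructed sample: 16-byte LM hash followed by 16-byte NT hash in Data.
    sample = PasswordUpdate(flags=FLAG_NT_HASH | FLAG_LM_HASH | FLAG_ACCOUNT_UNLOCKED,
                            rid=1106, password_exp=0,
                            offset_length_array=[(0, 0), (0, 0), (0, 16), (16, 16)],
                            data=bytes(range(32)))
    print(hex(respond(sample, is_pdc=True, requestor_is_rodc=False)))
    store = {"S-1-5-21-1-2-3-1106": {"lockoutTime": 5}}
    print(background(sample, store, "S-1-5-21-1-2-3", lambda sid: False, now=1000), store)
```

The sample message, SIDs and timestamps are constructed for the demonstration. A malformed OffsetLengthArray (for instance an NT-hash element of (24, 16) against 32 bytes of Data) is rejected before any flag is examined, which matches the order in which the text states the checks.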