Managing User Passwords

This topic includes information and code examples for managing user passwords.

[C#]

The following code example shows how to set the user password by invoking the IADsUser::SetPassword method.

// Late-bound call of IADsUser::SetPassword. The stored password is the only argument:
// no current password is supplied, unlike ChangePassword.
object[] setPasswordArgs = { SecurelyStoredPassword };
usr.Invoke("SetPassword", setPasswordArgs);

[C#]

The following code example shows how to change the user password by invoking the IADsUser::ChangePassword method.

// Late-bound call of IADsUser::ChangePassword: the current password comes first, then the new one.
object[] changePasswordArgs = { OldSecurelyStoredPassword, NewSecurelyStoredPassword };
usr.Invoke("ChangePassword", changePasswordArgs);

[C#]

The following code example shows how to control whether the user must change the password at the next logon. Setting the pwdLastSet property to -1 turns that requirement off; setting it to 0 turns it on.

// pwdLastSet: -1 turns the "must change password at next logon" requirement off;
// set it to 0 to turn the requirement on. The write is only sent by CommitChanges().
System.DirectoryServices.PropertyValueCollection pwdLastSet = usr.Properties["pwdLastSet"];
pwdLastSet.Value = -1;
usr.CommitChanges();

The following code example shows a function that adds ACEs to deny a password change. It uses COM Interop to read the ntSecurityDescriptor property as an IADsSecurityDescriptor, then uses IADsAccessControlList to get the DACL from the security descriptor and IADsAccessControlEntry to set the AceType, AceFlags, Trustee, Flags, ObjectType, and AccessMask properties of each new ACE. The AceType values are defined in ADS_ACETYPE_ENUM, the Flags value in ADS_FLAGTYPE_ENUM, and the AccessMask flags in ADS_RIGHTS_ENUM.

[Visual Basic .NET]

Imports System
Imports System.DirectoryServices
Imports ActiveDs
...
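' Denies the change-password control access right on User for the SELF and EVERYONE
' trustees by appending one deny ACE per trustee to the object's DACL and committing
' the updated ntSecurityDescriptor.
' Throws ArgumentNullException when User is Nothing.
Shared Sub DenyChangePassword(User As DirectoryEntry)
      If User Is Nothing Then
         Throw New ArgumentNullException("User")
      End If

      ' Object GUID of the change-password control access right; used as each ACE's ObjectType.
      Const PASSWORD_GUID As String = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

      ' SELF covers the user acting on their own account; EVERYONE covers all other callers.
      Dim trustees() As String = {"NT AUTHORITY\SELF", "EVERYONE"}

      Dim sd As ActiveDs.IADsSecurityDescriptor = CType(User.Properties("ntSecurityDescriptor").Value, _
          ActiveDs.IADsSecurityDescriptor)
      Dim acl As ActiveDs.IADsAccessControlList = CType(sd.DiscretionaryAcl, _
          ActiveDs.IADsAccessControlList)

      Dim trustee As String
      For Each trustee In trustees
         ' One ACE object per trustee: reusing a single COM object across AddAce calls risks
         ' the list holding the same instance twice, so the second trustee would overwrite the first.
         Dim ace As New ActiveDs.AccessControlEntry()
         ace.Trustee = trustee
         ' 0: no inheritance flags are requested for this ACE.
         ace.AceFlags = 0
         ace.AceType = Fix(ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT)
         ' ObjectType is only honored when the object-type-present flag is set.
         ace.Flags = Fix(ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT)
         ace.ObjectType = PASSWORD_GUID
         ace.AccessMask = Fix(ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS)
         ' NOTE(review): AddAce appends. A canonical DACL lists deny ACEs before allow ACEs;
         ' verify the resulting order if the DACL already contains allow entries.
         acl.AddAce(ace)
      Next trustee

      sd.DiscretionaryAcl = acl
      User.Properties("ntSecurityDescriptor").Value = sd
      User.CommitChanges()
   End Sub 'DenyChangePassword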

[C#]

using System;
using System.DirectoryServices;
using ActiveDs;
...
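/// <summary>
/// Denies the change-password control access right on <paramref name="User"/> for the
/// SELF and EVERYONE trustees by appending one deny ACE per trustee to the object's
/// DACL and committing the updated ntSecurityDescriptor.
/// </summary>
/// <param name="User">Bound directory entry of the user object.</param>
/// <exception cref="ArgumentNullException"><paramref name="User"/> is null.</exception>
static void DenyChangePassword(DirectoryEntry User)
{
     if (User == null)
     {
          throw new ArgumentNullException("User");
     }

     // Object GUID of the change-password control access right; used as each ACE's ObjectType.
     const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

     // SELF covers the user acting on their own account; EVERYONE covers all other callers.
     string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

     ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)
        User.Properties["ntSecurityDescriptor"].Value;
     ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

     foreach (string trustee in trustees)
     {
          // One ACE object per trustee: reusing a single COM object across AddAce calls risks
          // the list holding the same instance twice, so the second trustee would overwrite the first.
          ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
          ace.Trustee = trustee;
          // 0: no inheritance flags are requested for this ACE.
          ace.AceFlags = 0;
          ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
          // ObjectType is only honored when the object-type-present flag is set.
          ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
          ace.ObjectType = PASSWORD_GUID;
          ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
          // NOTE(review): AddAce appends. A canonical DACL orders deny ACEs before allow ACEs;
          // verify the resulting order if the DACL already contains allow entries.
          acl.AddAce(ace);
     }

     sd.DiscretionaryAcl = acl;
     User.Properties["ntSecurityDescriptor"].Value = sd;
     User.CommitChanges();
}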

The following code example shows how to set the password to never expire. It reads the userAccountControl attribute through the Properties collection and ORs in the ADS_UF_DONT_EXPIRE_PASSWD flag, which is defined in ADS_USER_FLAG_ENUM.

[Visual Basic .NET]

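 ' Sets the ADS_UF_DONT_EXPIRE_PASSWD flag in the user's userAccountControl attribute so
 ' the password never expires (the account is exempted from password-age expiry), then
 ' commits the change. Existing account-control bits are preserved.
 ' Throws ArgumentNullException when User is Nothing and InvalidOperationException when
 ' the userAccountControl attribute is not set on the entry.
 Shared Sub DontExpirePassword(User As DirectoryEntry)
     ' ADS_USER_FLAG_ENUM value for "password never expires".
     Const ADS_UF_DONT_EXPIRE_PASSWD As Integer = &H10000
     Dim current As Object
     Dim val As Integer

     If User Is Nothing Then
         Throw New ArgumentNullException("User")
     End If

     current = User.Properties("userAccountControl").Value
     If current Is Nothing Then
         ' Fail with a clear message rather than relying on how Fix handles Nothing.
         Throw New InvalidOperationException("The userAccountControl attribute is not set on the directory entry.")
     End If

     ' OR in the flag so every other existing account-control bit is kept.
     val = Fix(current)
     User.Properties("userAccountControl").Value = val Or ADS_UF_DONT_EXPIRE_PASSWD
     User.CommitChanges()
 End Sub 'DontExpirePassword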

[C#]

using System;
using System.DirectoryServices;
using ActiveDs;
...
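/// <summary>
/// Sets the ADS_UF_DONT_EXPIRE_PASSWD flag in the user's userAccountControl attribute so
/// the password never expires (the account is exempted from password-age expiry), then
/// commits the change. Existing account-control bits are preserved.
/// </summary>
/// <param name="User">Bound directory entry of the user object.</param>
/// <exception cref="ArgumentNullException"><paramref name="User"/> is null.</exception>
/// <exception cref="InvalidOperationException">The userAccountControl attribute is not set on the entry.</exception>
static void DontExpirePassword(DirectoryEntry User)
{
     if (User == null)
     {
          throw new ArgumentNullException("User");
     }

     // ADS_USER_FLAG_ENUM value for "password never expires".
     const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;

     object current = User.Properties["userAccountControl"].Value;
     if (current == null)
     {
          // Unboxing a null value would surface as a NullReferenceException; fail with a clear message instead.
          throw new InvalidOperationException("The userAccountControl attribute is not set on the directory entry.");
     }

     // OR in the flag so every other existing account-control bit is kept.
     int val = (int)current;
     User.Properties["userAccountControl"].Value = val | ADS_UF_DONT_EXPIRE_PASSWD;
     User.CommitChanges();
}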