ActiveDirectoryMembershipProvider.ResetPassword(String, String) Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Resets a user's password to a new, automatically generated password.
public:
override System::String ^ ResetPassword(System::String ^ username, System::String ^ passwordAnswer);
public override string ResetPassword (string username, string passwordAnswer);
override this.ResetPassword : string * string -> string
Public Overrides Function ResetPassword (username As String, passwordAnswer As String) As String
Parameters
- username
- String
The user to reset the password for.
- passwordAnswer
- String
The password answer for the specified user.
Returns
The new password for the specified user.
Exceptions
The ResetPassword(String, String) method is called before the ActiveDirectoryMembershipProvider instance is initialized.
The EnablePasswordReset property value is false.
passwordAnswer is empty after trimming.
-or-
passwordAnswer exceeds 128 characters.
-or-
username is empty, or exceeds the maximum length allowed for user names (usually 256 characters).
-or-
username contains commas.
-or-
The user name is mapped to userPrincipalName but the username parameter contains backslashes.
The user is locked out because of too many bad logon attempts or too many attempted password-answer reset attempts.
-or-
passwordAnswer does not match the stored password answer.
The user specified in username does not exist in the Active Directory data store.
-or-
A generated password does not pass a custom validation handler.
-or-
The generated password is not complex enough to satisfy custom password policies set on the Active Directory server.
-or-
A secure connection cannot be made to an Active Directory Application Mode server to set the new password.
An unhandled exception occurred.
Remarks
The method is called by the Membership class to reset the password for a user in the Active Directory data store to a new randomly generated value. The new password is returned.
Note
The random password created by the ResetPassword method is not guaranteed to pass the regular expression in the PasswordStrengthRegularExpression property. However, the random password will meet the criteria established by the MinRequiredPasswordLength and MinRequiredNonAlphanumericCharacters properties.
If an incorrect answer is supplied to the ResetPassword method, the internal counter that tracks invalid password-answer attempts is incremented by one. This can result in the user being unable to log on until the lock status is cleared by a call to the UnlockUser method. If the correct password answer is supplied and the user is not currently locked out, then the internal counter that tracks invalid password attempts is reset to zero. For more information, see the MaxInvalidPasswordAttempts and PasswordAttemptWindow properties.
Leading and trailing spaces are trimmed from all parameter values.
You can call the ResetPassword method directly by first obtaining a reference to the ActiveDirectoryMembershipProvider instance from the Membership.Provider property.
The provider uses a subtree search starting at the search point specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.
To set passwords on an Active Directory server, the connectionProtection attribute must be set to SignAndSeal.
When using an ADAM server, the connectionProtection attribute can be set to None, but only if you explicitly configure the ADAM server to allow password changes over unsecured connections.
Important
You cannot reset passwords unless the credentials used to connect to the Active Directory server have either Domain Administrator rights (not recommended) or the "reset password" access right.
To reset a password, all of the following conditions must be true:
- The EnablePasswordReset property must be set to true.
- The Active Directory schema must be modified to contain attributes for storing the password question and answer, and the three tracking fields for password answer changes.
- The attributeMapPasswordQuestion, attributeMapPasswordAnswer, attributeMapFailedPasswordAnswerCount, attributeMapFailedPasswordAnswerTime, and attributeMapFailedPasswordAnswerLockedTime attributes must be set in the application configuration file.
- The RequiresQuestionAndAnswer property must be set to true.
- The security context for connecting to the Active Directory data store (either the process account or the explicit credentials) must have sufficient privileges to change passwords. The credentials used to connect to the Active Directory server have either Domain Administrator rights (not recommended) or the "reset password" access right.
Note
Security policies set on the Active Directory server may make it impossible for the ResetPassword method to generate a password that satisfies the policies. The default implementation of the GeneratePassword method will generate passwords that satisfy the default password policies on domain controllers running Windows Server 2003 SP1. If the password cannot be reset due to security policies on the Active Directory server, a ProviderException is thrown.