
ActiveDirectoryMembershipProvider.ResetPassword(String, String) Method


Resets a user's password to a new, automatically generated password.

 override System::String ^ ResetPassword(System::String ^ username, System::String ^ passwordAnswer);
public override string ResetPassword (string username, string passwordAnswer);
override this.ResetPassword : string * string -> string
Public Overrides Function ResetPassword (username As String, passwordAnswer As String) As String

Parameters

username
The user to reset the password for.

passwordAnswer
The password answer for the specified user.

Returns

The new password for the specified user.

Exceptions

NotSupportedException
  The ResetPassword(String, String) method is called before the ActiveDirectoryMembershipProvider instance is initialized.
  -or-
  The EnablePasswordReset property value is false.

ArgumentNullException
  passwordAnswer is null.
  -or-
  username is null.

ArgumentException
  passwordAnswer is empty after trimming.
  -or-
  passwordAnswer exceeds 128 characters.
  -or-
  username is empty, or exceeds the maximum length allowed for user names (usually 256 characters).
  -or-
  username contains commas.
  -or-
  The user name is mapped to userPrincipalName but the username parameter contains backslashes.

MembershipPasswordException
  The user is locked out because of too many bad logon attempts or too many attempted password-answer reset attempts.
  -or-
  passwordAnswer does not match the stored password answer.

ProviderException
  The user specified in username does not exist in the Active Directory data store.
  -or-
  A generated password does not pass a custom validation handler.
  -or-
  The generated password is not complex enough to satisfy custom password policies set on the Active Directory server.
  -or-
  A secure connection cannot be made to an Active Directory Application Mode server to set the new password.
  -or-
  An unhandled exception occurred.

Remarks

The method is called by the Membership class to reset the password for a user in the Active Directory data store to a new randomly generated value. The new password is returned.


The random password created by the ResetPassword method is not guaranteed to pass the regular expression in the PasswordStrengthRegularExpression property. However, the random password will meet the criteria established by the MinRequiredPasswordLength and MinRequiredNonAlphanumericCharacters properties.

If an incorrect answer is supplied to the ResetPassword method, the internal counter that tracks invalid password-answer attempts is incremented by one. This can result in the user being unable to log on until the lock status is cleared by a call to the UnlockUser method. If the correct password answer is supplied and the user is not currently locked out, then the internal counter that tracks invalid password-answer attempts is reset to zero. For more information, see the MaxInvalidPasswordAttempts and PasswordAttemptWindow properties.

Leading and trailing spaces are trimmed from all parameter values.

You can call the ResetPassword method directly by first obtaining a reference to the ActiveDirectoryMembershipProvider instance from the Membership.Provider property.
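The following is an added example, not code from the original page, of calling ResetPassword directly through Membership.Provider and mapping the exception types listed above to distinct outcomes. It assumes an ASP.NET application whose default membership provider is an ActiveDirectoryMembershipProvider configured with enablePasswordReset="true" and requiresQuestionAndAnswer="true"; the names ResetOutcome, ResetResult and PasswordResetHelper are this example's own.

```csharp
using System;
using System.Configuration.Provider;
using System.Text.RegularExpressions;
using System.Web.Security;

// Added example (not from the original page). Assumes Membership.Provider is an
// ActiveDirectoryMembershipProvider with password reset and question/answer enabled.
// ResetOutcome, ResetResult and PasswordResetHelper are names introduced here.
public enum ResetOutcome
{
    Success,
    AnswerRejectedOrLockedOut, // MembershipPasswordException: wrong answer, or account locked out
    BadInput,                  // ArgumentException / ArgumentNullException on username or answer
    NotSupported,              // provider not initialized, or EnablePasswordReset is false
    ProviderFailure            // ProviderException: unknown user, policy rejected the password, no secure connection, ...
}

public sealed class ResetResult
{
    public ResetOutcome Outcome;
    public string NewPassword;      // set only on Success; deliver it out of band and never log it
    public bool MeetsStrengthRegex; // the generated value is not guaranteed to match PasswordStrengthRegularExpression
}

public static class PasswordResetHelper
{
    public static ResetResult TryResetPassword(string username, string passwordAnswer)
    {
        var result = new ResetResult { Outcome = ResetOutcome.NotSupported };

        var provider = Membership.Provider as ActiveDirectoryMembershipProvider;
        if (provider == null)
            return result; // the default provider is not the Active Directory provider

        // ResetPassword throws NotSupportedException for these; checking up front turns a
        // generic failure into a visible configuration problem.
        if (!provider.EnablePasswordReset || !provider.RequiresQuestionAndAnswer)
            return result;

        try
        {
            // The provider trims username and passwordAnswer itself. Every wrong answer
            // increments the failed-answer counter and can lock the account, so this call
            // must never be retried in a loop.
            string generated = provider.ResetPassword(username, passwordAnswer);

            result.Outcome = ResetOutcome.Success;
            result.NewPassword = generated;
            result.MeetsStrengthRegex = MeetsConfiguredStrength(provider, generated);
            return result;
        }
        catch (MembershipPasswordException)
        {
            // Wrong answer or locked-out account: one outcome for both, so the response does
            // not tell whoever is probing answers that the account is now locked.
            result.Outcome = ResetOutcome.AnswerRejectedOrLockedOut;
        }
        catch (ArgumentException) // ArgumentNullException derives from ArgumentException
        {
            result.Outcome = ResetOutcome.BadInput;
        }
        catch (NotSupportedException)
        {
            result.Outcome = ResetOutcome.NotSupported;
        }
        catch (ProviderException)
        {
            // Unknown user, generated password rejected by a ValidatingPassword handler or by the
            // directory's password policy, or no SignAndSeal/SSL connection available.
            result.Outcome = ResetOutcome.ProviderFailure;
        }
        return result;
    }

    // The random password honours MinRequiredPasswordLength and MinRequiredNonAlphanumericCharacters
    // but not necessarily PasswordStrengthRegularExpression, so a caller that enforces that
    // regex elsewhere (for example on a later ChangePassword) should check it here.
    public static bool MeetsConfiguredStrength(ActiveDirectoryMembershipProvider provider, string password)
    {
        string pattern = provider.PasswordStrengthRegularExpression;
        return string.IsNullOrEmpty(pattern) || Regex.IsMatch(password, pattern);
    }

    // Once an account is locked by too many bad answers, only UnlockUser (or the lockout
    // duration expiring) clears it; expose this to administrators, not to the user.
    public static bool UnlockAfterInvestigation(string username)
    {
        var provider = Membership.Provider as ActiveDirectoryMembershipProvider;
        return provider != null && provider.UnlockUser(username);
    }
}
```

In the page that calls TryResetPassword, show the same message for AnswerRejectedOrLockedOut and ProviderFailure: the ProviderException for a non-existent user would otherwise let a caller enumerate valid account names through the reset form.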

The provider uses a subtree search starting at the search point specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.

To set passwords on an Active Directory server, the connectionProtection attribute must be set to SignAndSeal.

When using an ADAM server, the connectionProtection attribute can be set to None, but only if you explicitly configure the ADAM server to allow password changes over unsecured connections. With None, the new password crosses the network in clear text over plain LDAP, so this setting is only appropriate for isolated test environments.


You cannot reset passwords unless the credentials used to connect to the Active Directory server have either Domain Administrator rights (not recommended) or the "reset password" access right.

To reset a password, all of the following conditions must be true:

  • The EnablePasswordReset property must be set to true.

  • The Active Directory schema must be modified to contain attributes for storing the password question and answer, and the three tracking fields for password answer changes.

  • The attributeMapPasswordQuestion, attributeMapPasswordAnswer, attributeMapFailedPasswordAnswerCount, attributeMapFailedPasswordAnswerTime, and attributeMapFailedPasswordAnswerLockedTime attributes must be set in the application configuration file.

  • The RequiresQuestionAndAnswer property must be set to true.

  • The security context for connecting to the Active Directory data store (either the process account or the explicit credentials) must have sufficient privileges to reset passwords, as described in the note above.


Security policies set on the Active Directory server may make it impossible for the ResetPassword method to generate a password that satisfies the policies. The default implementation of the GeneratePassword method will generate passwords that satisfy the default password policies on domain controllers running Windows Server 2003 SP1. If the password cannot be reset due to security policies on the Active Directory server, a ProviderException is thrown.
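As an added example, not code from the original page, the derived provider below overrides GeneratePassword so that every generated value contains an upper-case letter, a lower-case letter, a digit and at least MinRequiredNonAlphanumericCharacters symbols. That satisfies the usual "three of four character categories" domain complexity rule and so avoids the ProviderException that ResetPassword throws when the directory rejects the generated value. The class name and the 14-character floor are this example's own choices; a ValidatingPassword handler registered on the provider still runs afterwards. To use it, point the provider's type attribute in the membership configuration at this class instead of ActiveDirectoryMembershipProvider.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

// Added example (not from the original page). Derived provider whose GeneratePassword
// always satisfies a "three of four categories" complexity policy. The class name and the
// 14-character minimum are assumptions made for this example.
public class ComplexityAwareAdMembershipProvider : ActiveDirectoryMembershipProvider
{
    // Visually ambiguous characters (0/O, 1/l/I) are omitted because the generated value
    // is usually read to the user over a second channel.
    private const string Upper   = "ABCDEFGHJKLMNPQRSTUVWXYZ";
    private const string Lower   = "abcdefghijkmnopqrstuvwxyz";
    private const string Digits  = "23456789";
    private const string Symbols = "!@#$%^&*()-_=+[]{};:,.?";

    public override string GeneratePassword()
    {
        int symbols = Math.Max(1, MinRequiredNonAlphanumericCharacters);
        // Honour the configured minimum, never go below 14, and leave room for the three
        // guaranteed letter/digit characters plus the required symbols.
        int length = Math.Max(Math.Max(14, MinRequiredPasswordLength), 3 + symbols);

        var chars = new char[length];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            int i = 0;
            chars[i++] = Pick(rng, Upper);
            chars[i++] = Pick(rng, Lower);
            chars[i++] = Pick(rng, Digits);
            for (int s = 0; s < symbols; s++)
                chars[i++] = Pick(rng, Symbols);

            string all = Upper + Lower + Digits + Symbols;
            for (; i < length; i++)
                chars[i] = Pick(rng, all);

            // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
            for (int k = chars.Length - 1; k > 0; k--)
            {
                int j = PickIndex(rng, k + 1);
                char t = chars[k]; chars[k] = chars[j]; chars[j] = t;
            }
        }
        return new string(chars);
    }

    private static char Pick(RandomNumberGenerator rng, string alphabet)
    {
        return alphabet[PickIndex(rng, alphabet.Length)];
    }

    // Uniform index in [0, n) without modulo bias: draw one byte and reject values at or above
    // the largest multiple of n below 256. n never exceeds 128 here (the provider caps
    // MinRequiredPasswordLength at 128), so a single byte always suffices.
    private static int PickIndex(RandomNumberGenerator rng, int n)
    {
        var b = new byte[1];
        int limit = 256 - (256 % n);
        do { rng.GetBytes(b); } while (b[0] >= limit);
        return b[0] % n;
    }
}
```

If the domain enforces a longer minimum or bans specific characters, adjust the floor and the alphabets; the override is the one place where the generated value can be made to match whatever the directory's policy demands.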
