3.2.5.14 NetUserPasswordSet2 Command
The Remote Administration Protocol server MUST process the NetUserPasswordSet2Request as follows:
The server MUST validate that the incoming ParamDesc field of the Remote Administration Protocol request contains the ASCII string "zb16b16WW"; if it does not, the server SHOULD format a Remote Administration Protocol response with the Win32ErrorCode set to ERROR_INVALID_PARAMETER (0x0057), and then return the response to the client.<85>
If the input EncryptedPassword parameter is not 0x0000, the Remote Administration Protocol server SHOULD set the Win32ErrorCode value in the Remote Administration Protocol response message to ERROR_INVALID_PARAMETER (0x0057).<86>
The server MUST verify that the old password matches User.Password. If it does not, the server MUST fail the request by creating a Remote Administration Protocol response message with the Win32ErrorCode set to ERROR_ACCESS_DENIED.
The server MUST attempt to change the password for the specified user. This operation SHOULD be executed using the Security Account Manager (SAM) Remote Protocol [MS-SAMR] as follows:
The server MUST issue a SamrConnect request as specified in [MS-SAMR] section 3.1.5.1.4, with the following parameters:
| Parameter | Value |
|---|---|
| ServerName | The name of the local machine |
| DesiredAccess | 0x31 |
If this call succeeds, the server MUST issue a SamrLookupDomainInSamServer request as specified in [MS-SAMR] section 3.1.5.11.1, with the following parameters:
| Parameter | Value |
|---|---|
| ServerHandle | ServerHandle returned from SamrConnect request |
| Name | The name of the local machine |
If this call succeeds, the server MUST issue a SamrOpenDomain request as specified in [MS-SAMR] section 3.1.5.1.5, with the following parameters:
| Parameter | Value |
|---|---|
| ServerHandle | ServerHandle returned from SamrConnect request |
| DesiredAccess | 0x200 |
| DomainId | DomainId returned from SamrLookupDomainInSamServer request |
If this call succeeds, the server MUST issue a SamrLookupNamesInDomain as specified in [MS-SAMR] section 3.1.5.11.2, with the following parameters:
| Parameter | Value |
|---|---|
| DomainHandle | DomainHandle returned from SamrOpenDomain request |
| Count | 1 |
| Names | NetUserGetInfoRequest.UserName |
If this call succeeds, the server MUST issue a SamrOpenUser request as specified in [MS-SAMR] section 3.1.5.1.9, with the following parameters:
| Parameter | Value |
|---|---|
| DomainHandle | DomainHandle returned from SamrOpenDomain request |
| DesiredAccess | 0x0040 |
| UserId | RID returned from SamrLookupNamesInDomain request |
If this call succeeds, the server MUST issue a SamrChangePasswordUser request as specified in [MS-SAMR] section 3.1.5.10.1, with the following parameters:
| Parameter | Value |
|---|---|
| UserHandle | UserHandle returned from SamrOpenUser |
| LmPresent | TRUE |
| OldLmEncryptedWithNewLm | ENCRYPTED_LM_OWF_PASSWORD as specified in [MS-SAMR] section 2.2.7.3, calculated by taking a hash of OldPassword received in the NetUserPasswordSet2Request request, using the hashing algorithm specified in [MS-SAMR] section 2.2.11.1.1 using OldPassword as a 16-byte key |
| NewLmEncryptedWithOldLm | ENCRYPTED_LM_OWF_PASSWORD as specified in [MS-SAMR] section 2.2.7.3, calculated by taking a hash of NewPassword received in the NetUserPasswordSet2Request request, using the hashing algorithm specified in [MS-SAMR] section 2.2.11.1.1 using NewPassword as a 16-byte key |
| NtPresent | FALSE |
| OldNtEncryptedWithNewNt | NULL |
| NewNtEncryptedWithOldNt | NULL |
| NtCrossEncryptionPresent | FALSE |
| NewNtEncryptedWithNewLm | NULL |
| LmCrossEncryptionPresent | FALSE |
| NewLmEncryptedWithNewNt | NULL |
If any other errors occur during the response processing, the Remote Administration Protocol server MUST fill in the Win32ErrorCode value in the Remote Administration Protocol response message with the Win32 error code corresponding to the error. Otherwise, the Remote Administration Protocol server MUST set Win32ErrorCode to ERROR_SUCCESS (0x0000).
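The processing order above, modelled as an added example that is not part of the specification or of any Microsoft code: it shows the request checks running before any SAMR call is issued, each result being threaded into the next call, and the first failing call ending the sequence with its error code. FakeSam, SamError, process_password_set2, the request dictionary keys and the machine name SERVER1 are hypothetical; the stored password is compared as raw bytes, and the two ENCRYPTED_LM_OWF_PASSWORD values are left out of the model.

```python
import hmac

ERROR_SUCCESS, ERROR_ACCESS_DENIED, ERROR_INVALID_PARAMETER = 0x0000, 0x0005, 0x0057

class SamError(Exception):
    """Hypothetical: a failed SAMR call carrying the Win32 code to report."""
    def __init__(self, code):
        super().__init__(hex(code))
        self.code = code

class FakeSam:
    """Constructed in-memory stand-in for a SAMR server; records each call."""
    def __init__(self, fail_at=None, fail_code=ERROR_ACCESS_DENIED):
        self.fail_at, self.fail_code, self.calls = fail_at, fail_code, []

    def call(self, name, **params):
        self.calls.append((name, params))
        if name == self.fail_at:
            raise SamError(self.fail_code)
        return "result-of-" + name  # opaque handle, DomainId or RID

def process_password_set2(req, stored_password, sam, machine="SERVER1"):
    """Return the Win32ErrorCode for one request, following the page's order."""
    if req["ParamDesc"] != b"zb16b16WW" or req["EncryptedPassword"] != 0x0000:
        return ERROR_INVALID_PARAMETER
    # Constant-time comparison is this example's choice, not a spec requirement.
    if not hmac.compare_digest(req["OldPassword"], stored_password):
        return ERROR_ACCESS_DENIED
    try:
        server = sam.call("SamrConnect", ServerName=machine, DesiredAccess=0x31)
        domain_id = sam.call("SamrLookupDomainInSamServer",
                             ServerHandle=server, Name=machine)
        domain = sam.call("SamrOpenDomain", ServerHandle=server,
                          DesiredAccess=0x200, DomainId=domain_id)
        rid = sam.call("SamrLookupNamesInDomain", DomainHandle=domain,
                       Count=1, Names=[req["UserName"]])
        user = sam.call("SamrOpenUser", DomainHandle=domain,
                        DesiredAccess=0x0040, UserId=rid)
        # Only the LM pair is flagged present; the encrypted values are omitted.
        sam.call("SamrChangePasswordUser", UserHandle=user, LmPresent=True,
                 NtPresent=False, NtCrossEncryptionPresent=False,
                 LmCrossEncryptionPresent=False)
    except SamError as err:
        return err.code  # the first failing call ends the sequence
    return ERROR_SUCCESS

# Constructed sample request: field names are this model's, values are invented.
SAMPLE = {"ParamDesc": b"zb16b16WW", "EncryptedPassword": 0x0000,
          "UserName": "alice", "OldPassword": b"old-secret",
          "NewPassword": b"new-secret"}
```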