The following table lists the constraints that MUST be
satisfied (in the order presented) in order to return the associated output
parameters to the client. All fields of ValidatePasswordResetOutput MUST be set
to 0 before any constraints are met.
Constraint
Condition (fields based on
ValidatePasswordResetInput)
ValidatePasswordResetOutput changes
1
Always
The constraints in section 3.1.1.8.5 MUST be
satisfied, where sAMAccountName is
ValidatePasswordChangeInput.UserAccountName and userAccountControl is
UF_NORMAL_ACCOUNT; on error, ValidationStatus MUST be set as follows:
If the minimum password length constraint fails,
ValidationStatus MUST be SamValidatePasswordTooShort.
If the maximum password length constraint fails,
ValidationStatus MUST be SamValidatePasswordTooLong.
If any other constraint in section 3.1.1.7.2 or section
3.1.1.8.5 fails, ValidationStatus MUST be
SamValidatePasswordNotComplexEnough.<74>
If any constraint from item 1
failed, the server MUST return STATUS_SUCCESS.
2
PasswordMustChangeAtNextLogon is nonzero.
PasswordLastSet MUST be set to zero.
3
PasswordMustChangeAtNextLogon is zero.
PasswordLastSet MUST be set to the current time.
4
ClearLockout is nonzero.
LockoutTime MUST be set to 0.
If
ValidatePasswordResetInput.InputPersistedFields.BadPasswordCount is nonzero,
BadPasswordCount MUST be set to 0.
5
Always
PasswordHistory MUST be updated
such that ValidatePasswordResetInput.HashedPassword is the first element in
PasswordHistory and
ValidatePasswordResetInput.InputPersistedFields.PasswordHistory elements are
used, starting from the left, to fill the remaining elements of
PasswordHistory such that PasswordHistory contains as many elements as
possible up to DomainPasswordHistoryLength elements.
PasswordHistoryLength MUST be
updated to be DomainPasswordHistoryLength.
BadPasswordCount MUST be set to
0.
ValidationStatus MUST be set to
SamValidateSuccess.
The server MUST return any
processing errors; otherwise, it MUST return STATUS_SUCCESS.