Managing User Passwords
This topic includes information and code examples for managing user passwords.
[C#]
The following code example shows how to set (reset) the user password by invoking the IADsUser::SetPassword method. SetPassword is an administrative reset: it does not require the current password and is governed by the Reset Password control-access right on the user object rather than by the user's own rights.
usr.Invoke("SetPassword", new object[] { SecurelyStoredPassword });
[C#]
The following code example shows how to change the user password by invoking the IADsUser::ChangePassword method. ChangePassword requires the current password, is governed by the User-Change-Password control-access right (granted to SELF by default), and is subject to the domain password policy.
usr.Invoke("ChangePassword", new object[] { OldSecurelyStoredPassword, NewSecurelyStoredPassword });
[C#]
The following code example shows how to flag the user password so that it must be changed at the next logon. It does this by setting the pwdLastSet attribute to 0. Writing -1 instead clears the requirement by stamping pwdLastSet with the current time.
usr.Properties["pwdLastSet"].Value = 0;   // 0 = must change at next logon; -1 = clear the flag (records the current time)
usr.CommitChanges();
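The following added example is not code from the original page. It combines the three operations above into two helpers: an administrative reset that immediately forces a change at next logon, and a self-service change. It also unwraps the COMException that DirectoryEntry.Invoke hides inside a TargetInvocationException, mapping the two Win32 errors a practitioner sees most often (ERROR_INVALID_PASSWORD and ERROR_PASSWORD_RESTRICTION) to readable messages. The class and method names are this example's own.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

// Added example (not from the original page): wraps the IADsUser
// SetPassword/ChangePassword calls and surfaces the underlying COM error.
public static class PasswordOps
{
    // Well-known Win32 errors as surfaced by ADSI through COMException.ErrorCode
    private const int HR_ERROR_INVALID_PASSWORD     = unchecked((int)0x80070056); // current password wrong
    private const int HR_ERROR_PASSWORD_RESTRICTION = unchecked((int)0x800708C5); // history, length, complexity or minimum age

    // Administrative reset. Needs the Reset Password control-access right on the
    // user object, does not need the old password and is not subject to the
    // minimum-password-age or password-history checks. Setting pwdLastSet to 0
    // afterwards forces the user to replace the helpdesk-chosen value at next logon.
    public static void ResetAndForceChange(DirectoryEntry user, string newPassword)
    {
        Invoke(user, "SetPassword", newPassword);
        user.Properties["pwdLastSet"].Value = 0;
        user.CommitChanges();
    }

    // Self-service change. Needs only the User-Change-Password right (SELF has it
    // by default); the caller must know the current password and the domain
    // password policy is enforced on the new one.
    public static void ChangeOwnPassword(DirectoryEntry user, string oldPassword, string newPassword)
    {
        Invoke(user, "ChangePassword", oldPassword, newPassword);
    }

    private static void Invoke(DirectoryEntry user, string method, params object[] args)
    {
        try
        {
            user.Invoke(method, args);
        }
        catch (TargetInvocationException ex) when (ex.InnerException is COMException com)
        {
            // Never put the password values themselves into the message or a log.
            throw new InvalidOperationException(
                method + " failed: " + Describe(com.ErrorCode) +
                " (HRESULT 0x" + com.ErrorCode.ToString("X8") + ")", com);
        }
    }

    // Maps the HRESULT carried by the COMException to a short explanation.
    public static string Describe(int hresult)
    {
        switch (hresult)
        {
            case HR_ERROR_INVALID_PASSWORD:     return "current password is incorrect";
            case HR_ERROR_PASSWORD_RESTRICTION: return "new password rejected by the domain password policy";
            default:                            return "directory error";
        }
    }
}
```

Call ResetAndForceChange from a helpdesk or provisioning context that holds the Reset Password right, and ChangeOwnPassword from code running as (or bound as) the user. Both helpers take plain strings because ADSI marshals the password as a BSTR; keep those strings out of logs and exception messages.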
The following code example shows a function that adds ACEs denying the user's password change right. It uses COM interop to read the ntSecurityDescriptor property as an IADsSecurityDescriptor, obtains the DACL through IADsAccessControlList, and builds each ACE with IADsAccessControlEntry, setting the AceType, AceFlags, Trustee, Flags, ObjectType, and AccessMask properties. AceType values are defined in ADS_ACETYPE_ENUM, AceFlags and Flags values in ADS_FLAGTYPE_ENUM, and AccessMask values in ADS_RIGHTS_ENUM. The ObjectType is the rights-GUID of the User-Change-Password control-access right, so the deny ACEs block IADsUser::ChangePassword for the user (SELF) and for everyone else; administrative resets through IADsUser::SetPassword are governed by the separate Reset Password right and are not affected. AddAce appends to the end of the DACL, and Windows evaluates ACEs in order with explicit deny entries expected before explicit allow entries, so verify the resulting DACL order when the object already carries allow ACEs for the same trustees.
[Visual Basic .NET]
Imports System
Imports System.DirectoryServices
Imports ActiveDs
...
Shared Sub DenyChangePassword(User As DirectoryEntry)
    ' Rights-GUID of the User-Change-Password control-access right
    Const PASSWORD_GUID As String = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
    ' Deny the right to the user (SELF) and to everyone else
    Dim trustees() As String = {"NT AUTHORITY\SELF", "EVERYONE"}

    Dim sd As ActiveDs.IADsSecurityDescriptor = _
        CType(User.Properties("ntSecurityDescriptor").Value, ActiveDs.IADsSecurityDescriptor)
    Dim acl As ActiveDs.IADsAccessControlList = _
        CType(sd.DiscretionaryAcl, ActiveDs.IADsAccessControlList)

    Dim trustee As String
    For Each trustee In trustees
        ' Build a separate ACE object for each trustee
        Dim ace As New ActiveDs.AccessControlEntry()
        ace.Trustee = trustee
        ace.AceFlags = 0   ' no inheritance flags
        ace.AceType = CInt(ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT)
        ace.Flags = CInt(ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT)
        ace.ObjectType = PASSWORD_GUID
        ace.AccessMask = CInt(ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS)
        acl.AddAce(ace)
    Next trustee

    sd.DiscretionaryAcl = acl
    User.Properties("ntSecurityDescriptor").Value = sd
    User.CommitChanges()
End Sub 'DenyChangePassword
[C#]
using System;
using System.DirectoryServices;
using ActiveDs;
...
static void DenyChangePassword(DirectoryEntry User)
{
    // Rights-GUID of the User-Change-Password control-access right
    const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    // Deny the right to the user (SELF) and to everyone else
    string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };

    ActiveDs.IADsSecurityDescriptor sd =
        (ActiveDs.IADsSecurityDescriptor)User.Properties["ntSecurityDescriptor"].Value;
    ActiveDs.IADsAccessControlList acl =
        (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

    foreach (string trustee in trustees)
    {
        // Build a separate ACE object for each trustee
        ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
        ace.Trustee = trustee;
        ace.AceFlags = 0;   // no inheritance flags
        ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
        ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
        ace.ObjectType = PASSWORD_GUID;
        ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
        acl.AddAce(ace);
    }

    sd.DiscretionaryAcl = acl;
    User.Properties["ntSecurityDescriptor"].Value = sd;
    User.CommitChanges();
}
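The following added example is not code from the original page. It performs the same deny operation through the managed System.DirectoryServices security classes (DirectoryEntry.ObjectSecurity and ActiveDirectoryAccessRule) instead of the ActiveDs COM interop, which avoids the interop assembly and keeps the DACL in canonical order (deny before allow) automatically. It also adds a check function that confirms the deny ACE is present, which is what an auditor or test would want to run afterwards. Class and method names are this example's own; the rights-GUID is the same one the page's sample uses.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the original page): deny User-Change-Password with
// the managed ACL API and verify the result.
public static class ChangePasswordAcl
{
    // Rights-GUID of the User-Change-Password control-access right
    public static readonly Guid ChangePasswordRight =
        new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    // Same trustees as the page's sample: the user itself and Everyone.
    // Well-known SIDs avoid a name lookup and work on any locale.
    public static readonly SecurityIdentifier[] Trustees =
    {
        new SecurityIdentifier(WellKnownSidType.SelfSid, null),   // NT AUTHORITY\SELF
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),  // Everyone
    };

    public static void DenyChangePassword(DirectoryEntry user)
    {
        ActiveDirectorySecurity sd = user.ObjectSecurity;
        foreach (SecurityIdentifier sid in Trustees)
        {
            // Object-specific deny ACE on the extended right identified by the GUID.
            // The managed DACL places deny entries ahead of allow entries for us.
            sd.AddAccessRule(new ActiveDirectoryAccessRule(
                sid,
                ActiveDirectoryRights.ExtendedRight,
                AccessControlType.Deny,
                ChangePasswordRight));
        }
        user.ObjectSecurity = sd;
        user.CommitChanges();
    }

    // Returns true when an explicit deny ACE for the User-Change-Password right
    // exists for the given trustee on the user object.
    public static bool IsChangePasswordDenied(DirectoryEntry user, SecurityIdentifier trustee)
    {
        AuthorizationRuleCollection rules =
            user.ObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
        foreach (ActiveDirectoryAccessRule rule in rules)
        {
            if (rule.AccessControlType == AccessControlType.Deny
                && rule.IdentityReference.Equals(trustee)
                && rule.ObjectType == ChangePasswordRight
                && (rule.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) != 0)
            {
                return true;
            }
        }
        return false;
    }

    // Convenience check covering both trustees the deny was written for.
    public static bool IsFullyDenied(DirectoryEntry user)
    {
        foreach (SecurityIdentifier sid in Trustees)
        {
            if (!IsChangePasswordDenied(user, sid)) return false;
        }
        return true;
    }
}
```

After calling DenyChangePassword, IsFullyDenied(user) should return true and a subsequent ChangePassword by the user fails with an access-denied error; SetPassword by an administrator holding the Reset Password right continues to work because that is a different control-access right.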
The following code example shows how to set the password to never expire. It reads the userAccountControl attribute through the Properties collection and sets the ADS_UF_DONT_EXPIRE_PASSWD flag defined in ADS_USER_FLAG_ENUM, preserving the other flags already set. Note that this flag exempts the account from the domain's maximum password age, so it should be reserved for accounts whose credential is rotated by other means.
[Visual Basic .NET]
Shared Sub DontExpirePassword(User As DirectoryEntry)
    Const ADS_UF_DONT_EXPIRE_PASSWD As Integer = &H10000
    ' Read the current flags and OR in the new one so existing flags are kept
    Dim val As Integer = CInt(User.Properties("userAccountControl").Value)
    User.Properties("userAccountControl").Value = val Or ADS_UF_DONT_EXPIRE_PASSWD
    User.CommitChanges()
End Sub 'DontExpirePassword
[C#]
using System;
using System.DirectoryServices;
using ActiveDs;
...
static void DontExpirePassword(DirectoryEntry User)
{
    const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;
    // Read the current flags and OR in the new one so existing flags are kept
    int val = (int)User.Properties["userAccountControl"].Value;
    User.Properties["userAccountControl"].Value = val | ADS_UF_DONT_EXPIRE_PASSWD;
    User.CommitChanges();
}
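The following added example is not code from the original page. It generalizes the flag-setting pattern above into a helper that can set or clear any userAccountControl bit without disturbing the others, and pairs it with a read-only check, so that the same code can also remove the never-expires exemption (the direction a hardening script usually needs). Names are this example's own; the flag value is the one from ADS_USER_FLAG_ENUM.

```csharp
using System;
using System.DirectoryServices;

// Added example (not from the original page): set, clear and test
// userAccountControl flags.
public static class UacFlags
{
    public const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;

    // Pure bit arithmetic: returns the updated flag word.
    public static int Apply(int uac, int flag, bool enable)
    {
        return enable ? (uac | flag) : (uac & ~flag);
    }

    // Set (enable = true) or clear (enable = false) one flag, preserving the rest.
    // Skips the write when nothing changes, so it is safe to run repeatedly.
    public static void SetFlag(DirectoryEntry user, int flag, bool enable)
    {
        int current = (int)user.Properties["userAccountControl"].Value;
        int updated = Apply(current, flag, enable);
        if (updated == current) return;
        user.Properties["userAccountControl"].Value = updated;
        user.CommitChanges();
    }

    public static bool PasswordNeverExpires(DirectoryEntry user)
    {
        int current = (int)user.Properties["userAccountControl"].Value;
        return (current & ADS_UF_DONT_EXPIRE_PASSWD) != 0;
    }

    // Remove the exemption so the domain maximum password age applies again.
    public static void ExpirePasswordNormally(DirectoryEntry user)
    {
        SetFlag(user, ADS_UF_DONT_EXPIRE_PASSWD, false);
    }
}
```

Apply(0x200, 0x10000, true) yields 0x10200 (a normal account with the never-expires bit), and Apply(0x10200, 0x10000, false) yields 0x200 again; the directory helpers simply wrap those two operations around a read and a CommitChanges.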