Share via


2.7.2.3 Change an Existing Account's Password (PDC) - Client Application

In this use case, a user whose account is present in an Active Directory domain wants to change the existing password to a new value. The user launches a client application to change the password on the user account. The client application establishes a connection to the Active Directory system by connecting to a domain controller that is the primary domain controller (PDC) FSMO role owner for the domain.

Goal

Change the password on an account to a new value.

Context of Use

This use case is used when a client machine connects to the PDC for LDAP and domain services and the user wants to change the password of the user account.

Use case diagram for changing the password of an existing account (PDC)

Figure 16: Use case diagram for changing the password of an existing account (PDC)

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to change the password, and relays the response to the user.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the user's identity. This is done so that access control decisions can be made by the Active Directory system.

  • Directory server

    The directory server is the supporting actor that receives the password-change request and performs the tasks that are associated with changing a user's password in the directory. The directory server is the owner of the PDC FSMO role for the domain.

Stakeholders

  • User

    The user initiates the password change on his or her existing account. The user primarily wants to receive information that the password was successfully changed or receive an error message if the password was not changed.

  • Directory

    The directory is the entity that contains the user's existing account.

Preconditions

  • The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.

  • The client application has connectivity to a directory server to which it can establish a connection, if it is not already connected, and send the request.

  • The account on which the password change is being performed exists.

Main Success Scenario

  1. Trigger: The user provides the account name of the existing account, the existing password for the account, and the new value for the password to the client application, and then invokes the operation that changes the password of the account.

  2. The client application establishes a connection to the directory server. Windows Authentication Services uses the supplied credentials to authenticate the client application ([MS-AUTHSOD] section 2).

  3. The client application sends a request to the directory server to change the password of an existing account. This request includes the account name of the account, the current password, and the new password that the user supplies.

  4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).

  5. The directory server verifies that the current password that is supplied through the client application matches the account's password that is stored in the directory.

  6. The directory server verifies that the new password satisfies the password policy, as described in [MS-SAMR] section 3.1.1.7.1.

  7. The directory server updates the password of the existing account with the new value that is supplied in the request. Additional attributes are updated as mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.3 and [MS-SAMR] section 3.1.1.8.7).

  8. The directory server sends a response to the client application that the password has been successfully updated.

Postcondition

The account's password is changed.

Extensions:

  • If the credentials that are passed through the client application have insufficient access-control rights to set the password on the account:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application that it supplied credentials with insufficient access-control rights to set the password on the account.

  • If the current password that the user supplies does not match the password that is stored in the directory:

    1-5. Same as Main Success Scenario.

    6. The directory server sends a response to the client application that the supplied password is incorrect.

  • If the new password that the user supplies does not satisfy the password constraints described in [MS-SAMR] section 3.1.1.7.1:

    1-6. Same as Main Success Scenario.

    7. The directory server sends a response to the client application that the supplied password does not meet the constraints.