Security

Re: Reset Password in Active Directory

aaguirre — Fri, 09 May 2008 20:02:42 GMT

may be you are using a library that does not belong to the framework and needs to be published in the COM.

Re: Reset Password in Active Directory

rkws — Tue, 22 Jan 2008 14:50:05 GMT

This code looks so helpful but-

I'm trying to implement it in my project and it's failing when I call SetPassword.

The error I get is "System.Runtime.InteropServices.COMException: The directory property cannot be found in the cache"

Do you have any suggestions why this might be happening, what I can do?

Thanks

Re: Reset Password in Active Directory

Jaff — Fri, 28 Dec 2007 09:58:46 GMT

Hi,

I've implemented the same solution but I'm still getting error. Below are my coding. Anything I've done wrongly? App + Web and the AD server is on Win 2k platform.

DirectoryEntry de = oDE = new DirectoryEntry(LDAPConnectionString, adminID, AdminPassword, AuthenticationTypes.Secure);

DirectorySearcher deSearch = new DirectorySearcher();
deSearch.SearchRoot = de;

deSearch.Filter = "(&(objectClass=user)(objectCategory=person)(samaccountname=" + UserID + "))";
deSearch.SearchScope = SearchScope.Subtree;
SearchResult searchResult = deSearch.FindOne();

IntPtr token = IntPtr.Zero;
bool result = LogonUser(adminID, Domain, AdminPassword, 3, 0, ref token);

if (!result)
{
int errCode = GetLastError();
string errMessage = String.Empty;

        switch (errCode)
        {
            case 5:
                errMessage = "Access Denied";
                break;

                case 1326:
                errMessage = "Logon failure: unknown user name or bad password.";
                break;
        }
        throw new Exception(String.Format("GetLastError() returned: {0}, \"{1}\"", errCode, errMessage));
}
else
{
WindowsIdentity wi = new WindowsIdentity((token));
WindowsImpersonationContext wic = wi.Impersonate();

// Reset user's password
UserEntry.Invoke("SetPassword", new object[] { resetPwd });
UserEntry.CommitChanges();

wic.Undo();
CloseHandle(token);
}

Thanks.

Re: Reset Password in Active Directory

dunnry — Mon, 01 Dec 2003 17:41:18 GMT

There is more information about SetPassword and samples in another post : view post 316534

I would recommend reading the post - it is long, but informative. Also, I would recommend using the sample code in this post rather than the sample posted above.

Re: Reset Password in Active Directory

ppinter1 — Sun, 30 Nov 2003 23:46:29 GMT

Whoa. This almost never happens: I think I've got the fix here!

On Win2003Server, using AD Users and Computers console, select View->Advanced Features menu. This enables extra visibility to Security tabs that otherwise remain invisible.

For my college, I've created a new Organizational Unit (OU) called 'Students', under the main AD domain called mycollege.edu.

I need my Web application to create new AD Users under that OU. Okay so far?

Here's my draft C# code to add a student:

private bool AddUser (string UserName, string Password)
{
if (UserExists (UserName)) return false;

try
{
string path = "LDAP://server.mycollege.edu/OU=Students,DC=mycollege,DC=edu";

DirectoryEntry entry = new DirectoryEntry (path,"mycollege.edu\\registrar","secret",AuthenticationTypes.Secure);

DirectoryEntry user = entry.Children.Add ("CN="+UserName, "User");

user.Properties["samAccountName"].Add (UserName);
user.Properties["description"].Add ("Student Account");
user.Properties["givenName"].Add ("TBA");
user.Properties["sn"].Add ("TBA");
user.CommitChanges();

user.Invoke ("SetPassword", new object[] {Password}); // User has to be saved prior to this step
user.Properties["userAccountControl"].Value = 0x200; // Create and enable a ADS_UF_NORMAL_ACCOUNT
user.CommitChanges();
}
catch (Exception ex)
{
lblStatusExt.Text = ex.Message; // Write out exception text to Label
return false;
}
return true;
}

Now, in AD select the Students OU, select Properties, select the Security tab and add the registrars account with full control permissions. The final trick needed is to click Advanced Permissions and, for the registrar account, ensure the Apply To field denotes 'This object and all child objects'. No workie without this last tweak.

While this functions, I'm wondering what others would suggest to avoid hard-coding the registrars username/password above. Web Application settings in Web.config? How secure is Web.config really? Any other ideas?

Anyone?

Re: Reset Password in Active Directory

ppinter1 — Sun, 30 Nov 2003 21:01:32 GMT

Okay, it's been nearly a year since the last post on this thread. Thanks to Ryan for saving our collective butts with his excellent posts!

Now, has the scene changed? Has there been a more elegant way to SetPassword without resorting to hardcoded Dllimport impersonations or COM+ hacks?

I mean, we shouldn't have to grease IIS/AD this hard to do such a basic function!

Now I see why Forms Authentication (with underlying SQL or XML datastores; not AD) enjoy such prominence among Microsofts examples of authenticated web applications.

Anyway, I've hit the same 'feature' as the main post... I'm providing a secure userID/password on the DirectoryEntry constructor that has been 'Delegate Control' enabled to perform most all admin functions for the OU folder in my AD where the User objects are happily created, but no joy on setting an initial password.

Shouldn't using that fargin ID be enuf already?

Re: Reset Password in Active Directory

dunnry — Mon, 27 Jan 2003 16:29:34 GMT

If you are only calling SetPassword, that is correct. However, in this situation, it is necessary - you can see from the code above that other properties are being set.

Re: Reset Password in Active Directory

MariusFilipowski — Mon, 27 Jan 2003 14:21:30 GMT

Hi, we had a similar problem. You don't have to call CommitChanges() This only applies to Properties.

Hope it helps

Re: Reset Password in Active Directory

bdesmond — Mon, 20 Jan 2003 16:40:18 GMT

FYI you can assign Act as Part of OS rights by:

Opening up the Group Policy console on the server
Local Computer Policy
Computer Config
Windows Settings
Sec Settings
Local Policies
User Rights Assignment
Add ASPNET to the Act as Part of Operating System Assignment.

The server has to be rebooted for the change to become effective.

Re: Reset Password in Active Directory

dunnry — Mon, 20 Jan 2003 02:50:14 GMT

Yes, that is correct if you are using Windows 2000. I had alluded to this in an earlier post, but forgot to mention what that right was. Thanks for the catch. If you are running 2003 Server or XP, you don't need to grant this right.

Re: Reset Password in Active Directory

bdesmond — Sun, 19 Jan 2003 18:43:22 GMT

I implemented a similiar solution with LogonUser. If you're running a 2000 server, ASPNET needs act as part of the operating system rights in order to call that api.

Re: Reset Password in Active Directory

dunnry — Fri, 17 Jan 2003 18:57:00 GMT

Ok, here is something that should work for you:



[DllImport("C:\\WINNT\\System32\\advapi32.dll")] 


public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, 


			int dwLogonType, int dwLogonProvider, out IntPtr phToken); 





[DllImport("C:\\WINNT\\System32\\Kernel32.dll")] 


public static extern int GetLastError(); 





[DllImport("kernel32.dll", CharSet=System.Runtime.InteropServices.CharSet.Auto)]


		public static extern bool CloseHandle(IntPtr handle);





const int UF_SCRIPT						= 0x0001;


const int UF_ACCOUNTDISABLE				= 0x0002;


const int UF_HOMEDIR_REQUIRED			= 0x0008;


const int UF_LOCKOUT					= 0x0010;


const int UF_PASSWD_NOTREQD				= 0x0020;


const int UF_PASSWD_CANT_CHANGE			= 0x0040;


const int UF_TEMP_DUPLICATE_ACCOUNT		= 0x0100;


const int UF_NORMAL_ACCOUNT				= 0x0200;


const int UF_INTERDOMAIN_TRUST_ACCOUNT	= 0x0800;


const int UF_WORKSTATION_TRUST_ACCOUNT	= 0x1000;


const int UF_SERVER_TRUST_ACCOUNT		= 0x2000;


const int UF_DONT_EXPIRE_PASSWD			= 0x10000;


const int UF_MNS_LOGON_ACCOUNT			= 0x20000;





//get ahold somehow of the user that you want to reset their password for


DirectoryEntry _user = new DirectoryEntry(adPath, adminUsername, adminPassword, AuthenticationTypes.Secure);





/// <summary>


/// Reset the user's password


/// </summary>


/// <param name="reset">(bool) change password at next login</param>


/// <returns>user's password (string)</returns>


public string ResetPassword(bool reset)


{


	string sPwd = _user.Properties["sAMAccountName"][0].ToString() + ".tmp"; //static password here


	int flags;


		


	if(reset)


	{


		//first have to remove "Password Never Expires Flag"


		flags = (int)_user.Properties["userAccountControl"].Value;


		if(Convert.ToBoolean(flags & UF_DONT_EXPIRE_PASSWD))


		{


			flags = (flags ^ UF_DONT_EXPIRE_PASSWD);


			_user.Properties["userAccountControl"].Value = flags;


		}


			


		if(_user.Properties.Contains("pwdLastSet"))


			_user.Properties["pwdLastSet"].Value = 0;


		else


			_user.Properties["pwdLastSet"].Add(0);


		}


	else


	{


		//clear the change password at next login if it is there


		if(_user.Properties.Contains("pwdLastSet"))


			_user.Properties["pwdLastSet"].Value = -1;


		else


			_user.Properties["pwdLastSet"].Add(-1);


			


		//set the password never expires flag.


		flags = (int)_user.Properties["userAccountControl"].Value;


		if(!Convert.ToBoolean(flags & UF_DONT_EXPIRE_PASSWD))


		{


			flags = (flags | UF_DONT_EXPIRE_PASSWD);


			_user.Properties["userAccountControl"].Value = flags;


		}


	}





	//Change thread context to Admin's **IMPERSONATION CODE STARTS HERE**


	IntPtr token = IntPtr.Zero;


	string username = ""; //same as in your _user constructor


	string domain = ""; //same as in your _user constructor





	bool result = LogonUser(username, domain , Config.Settings.AdminPassword, 3, 0, out token);


	if(!result)


	{


		int errCode = GetLastError();


		string errMessage = String.Empty;


		switch(errCode)


		{


			case 5:


				errMessage = "Access Denied";


				break;


			case 1326:


				errMessage = "Logon failure: unknown user name or bad password.";


				break;


		}


		throw new Exception(String.Format("GetLastError() returned {0}, \"{1}\"", errCode, errMessage));


	}


	else


	{


		WindowsIdentity wi = new WindowsIdentity(token);


		WindowsImpersonationContext wic = wi.Impersonate();


		_user.Invoke("SetPassword", new object[]{sPwd.ToLower()});				


		_user.CommitChanges();





		wic.Undo(); //end impersonation **END IMPERSONATION**


		CloseHandle(token);


	}


			


	return sPwd.ToLower();


}

Ok, so there is a bit of code here... just declare the DllImports and see how I am using the Impersonation code. I have some more stuff in there because I need it to do a couple more things (like set "Change Password at next Login").

Good luck, it is a little hard to cut & paste into this window, so I hope I did not leave anything out (it is part of much bigger class).

Re: Reset Password in Active Directory

JRing — Thu, 16 Jan 2003 21:26:18 GMT

Well, speaking from experience, an extra component that requires registering with COM+ is a major pain so I think we'd be more interested in manipulating the ASPNET account. If you could further explain what it is we need to do I would be much appreciative.

Thanks again for all your help,
Josh

Re: Reset Password in Active Directory

dunnry — Thu, 16 Jan 2003 15:26:22 GMT

Ok, I spent an inordinate amount of time on this one as well since I last posted for a similar site that allows users to change and update passwords. It turns out that in addition to all the things I have listed above, there is one other major (and painful) requirement:

SetPassword() cannot be called unless the process calling it also has Administrator credentials (i.e. the process token has Reset password right). That means that regardless of what you are passing into the Constructor, it will fail with that "Error has been thrown by target of invokation" in ASP.NET because the aspnet_wp.exe runs always under ASPNET user account context (it would not be a good idea to change this either).

There are two solutions that I have found that will allow this to work:

1. Put the code into COM+ and set an identity of an Admin, it will run in that context and work fine.
2. Impersonate an Admin for duration of SetPassword() call using Interop. This is not the same as using <identity impersonate="true" /> tag. This type of impersonation I am talking about actually changes Process token to Admin.

The first one takes a little bit of work to get going (creating and registering .snk file), and there are a couple minor limitations on COM+ objects. It also makes future changes to the website a little more tedious as you will have to register the COM+ object manually (no xcopy deployment here).

The second option lets you keep the drag and drop deployment, but on Windows 2000, requires you to give additional priviledges to the ASPNET account to make use of the underlying API that is required for impersonation. If you are using XP or 2003 server, then it does not have this requirement.

Think about which way you would like to go and I can show you how to do either.

Re: Reset Password in Active Directory

JRing — Thu, 16 Jan 2003 15:11:23 GMT

SetPassword is failing