Active Directory and LDAP

Re: Resetting an Active Directory accounts' password...

walalm — Thu, 27 Mar 2008 17:16:54 GMT

Dunn, first, thanks for your acclaration.

I have a Question for you. Im programming in an Windows XP Machine, and using ASP.net, im connecting to a server that uses Windows Server 2003, I retrieve the list of users in our AD fine, but when im trying to change a password, or my own password, i can't because the same error all we have:

Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))

, what do i have to do?

Thanks in advance.

Re: Resetting an Active Directory accounts' password...

DaleP — Tue, 11 Mar 2008 16:20:53 GMT

Well, I'm guessing that it didn't work because you need to use "...NULL, NULL, AuthenticationTypes.None". You are using C# and my example was in VB.

Here is my code though (in VB):

Parent = New DirectoryEntry(LDAP & OUPath, Nothing, Nothing, AuthenticationTypes.None)

'This will be used to hold the CN value for the new user.

Dim user = Parent.Children.Add("CN=" & UserID, "user")

'Assign the SAM and UPN for the user

user.Properties("sAMAccountName").Value = UserID

user.Properties("userPrincipalName").Value = UserID

user.Properties("displayName").value = (FName & " " & LName & " " & Moniker)

user.properties("company").value = Session("OriginalBusinessUnit")

user.properties("homeDrive").value = "x:"

user.properties("homeDirectory").value = UserPrivatePath

user.properties("info").value = UserNotes

user.properties("userPrincipalName").value = UserID & "@domain.com"

user.properties("extensionAttribute9").value = UserNotes & " " & DateTime.Now

'Commit the new user to the AD OU

user.CommitChanges()

'Sets the new user account variables such as name and password

user.Invoke("SetPassword", New Object() {Password})

user.Invoke("Put", "givenName", FName)

user.Invoke("Put", "sn", LName)

'Set the Terminal Services profile path and home directory

user.InvokeSet("TerminalServicesProfilePath", New Object() {"path to TSProfile" & UserID})

user.InvokeSet("TerminalServicesHomeDirectory", New Object() {path to user folder})

user.InvokeSet("TerminalServicesHomeDrive", New Object() {"x:"})

user.invokeset("pwdlastset", "0")

'Commit the changes to the account

user.CommitChanges()

'Enable the account in the AD so it can be used

If Session("cbAccountEnable") = 1 Then

Dim flags As Integer = user.Properties("userAccountControl").Valueuser.Properties("userAccountControl").Value = flags And Not ADS_UF_ACCOUNTDISABLE

user.CommitChanges()

End If

Hope that helps...

Re: Resetting an Active Directory accounts' password...

richminichiello — Mon, 10 Mar 2008 13:38:22 GMT

DaleP,

This seems to contradict some of the code written on page 2 (on or about line 23 where extra line breaks were removed) where it states that the Authentication Type is secure:

string ldapPath = "LDAP://dc=domain,dc=com";
DirectoryEntry de = new DirectoryEntry(ldapPath);
de.AuthenticationType = AuthenticationTypes.Secure;

Either way, I did change the code to:

string ldapPath = "LDAP://dc=domain,dc=com";
DirectoryEntry de = new DirectoryEntry(ldapPath, Nothing, Nothing, AuthenticationTypes.None);
//de.AuthenticationType = AuthenticationTypes.Secure;

and it returned a Compilation Error:

Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

Compiler Error Message: CS0103: The name 'Nothing' does not exist in the current context

Source Error:

Line 21: 			i.ImpersonateUser(username, domain, password);
Line 22: 			string ldapPath = LDAP://dc=domain,dc=com;
Line 23: 			DirectoryEntry de = new DirectoryEntry(ldapPath,Nothing, Nothing, AuthenticationTypes.None);

Would it be possible for you to reply with the full source of the code you used to make your page?

I truly appreciate any help you can give.

Re: Resetting an Active Directory accounts' password...

DaleP — Thu, 06 Mar 2008 21:32:41 GMT

Well, if I understand what you're asking, I got around this by:

1: Setting up a new IIS Application Pool that runs under the domain administrator account

2: I setup my DirectoryEntry string like this -
Parent = New DirectoryEntry("LDAP://OU=Users,DC={domain},DC=com", Nothing, Nothing, AuthenticationTypes.None)

3: Upload the site to the directory your website is located in (running under the application pool with admin privs) and run it.

This allows the logged in user to perform specific tasks, like resetting a password, without granting them access to the A.D. or impersonating another account through code.

Also the AuthenticationTypes should be set to "None" since your not passing any credentials. If you don't specify any it defaults to "Secure" which caused trouble for me for a couple days. Why it caused me trouble I guess I'm not sure, but telling it "None" resolved it.

Hope this is what you are looking for.

Re: Resetting an Active Directory accounts' password...

richminichiello — Thu, 06 Mar 2008 21:10:04 GMT

I guess the error would be needed...

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: An operations error occurred.

Source Error:

Line 26: 			DirectorySearcher ds = new DirectorySearcher(de,qry);
Line 27: 				
Line 28: 			SearchResult sr = ds.FindOne();
Line 29: 			if(sr==null)
Line 30: 			{

Re: Resetting an Active Directory accounts' password...

richminichiello — Thu, 06 Mar 2008 21:09:03 GMT

I'm not sure if this is a dead post or not. It seems like a while since there has been any activity. I do, however, need some help. I work for a school that has over 230 thousand users...each with their own username and password. What I am trying to do is make a website that I could distribute to the teachers so that they could reset their student's passwords if needed. Right now, even with hundreds of local admins at the sites, they are having a real hard time keeping up with the password reset requests.

I have read through this post and so far, the only part that is making any sense to me (being that I am a novice with ASP) is the post from Dunnry on the second page :

"System.DirectoryServices, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
"Dunnry.Security" %>
"System.DirectoryServices" %>
"Dunnry.Security" %>

	"C#" runat="server">
		void Page_Load(Object Src, EventArgs E ) { 
			if(!Page.IsPostBack)
			{
			}
		} 
		private void ResetPassword(object sender, EventArgs e)
		{	
			
			//for impersonation
			string username = "";
			string password = "";
			string domain = "";
			
			Impersonate i = new Impersonate(LogonProvider.LOGON32_PROVIDER_WINNT50);
			i.ImpersonateUser(username, domain, password);
			string ldapPath = "LDAP://dc=domain,dc=com";
			DirectoryEntry de = new DirectoryEntry(ldapPath);
			de.AuthenticationType = AuthenticationTypes.Secure;
			string qry = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))", txtUsername.Text);
			DirectorySearcher ds = new DirectorySearcher(de,qry);
				
			SearchResult sr = ds.FindOne();
			if(sr==null)
			{
				lblMessage.Text = "User not found";
				return;
			}
			try
			{	
				DirectoryEntry user = sr.GetDirectoryEntry();
				user.AuthenticationType = AuthenticationTypes.Secure;
				user.Invoke("SetPassword", new object[]{txtPassword.Text});
				
				lblMessage.Text = "Success 
";
			}
			catch(Exception ex)
			{
				//throw ex;
				lblMessage.Text = "Failure: " + ex.Message;
				if(ex.InnerException != null)
					lblMessage.Text += "
" + ex.InnerException.Message;
			}
			finally
			{
				de.Close();
				i.UndoImpersonation();
			}
		}
	</script>
	<body>
		<form runat="server"&gt;
			UserName: <asp:textbox id="txtUsername" runat="server"/><br>
			New Password: <asp:textbox id="txtPassword" runat="server"/><br>
			<asp:button id="btnReset" runat="server" Text="Reset" OnClick="ResetPassword" /><br>
			<asp:label id="lblMessage" runat="server"/>


			I am running as: 

			My process is running as:

Well, I did exactly what the instrutions said, and I know that this is not a recommended solution (due to the aspnet user having an 'Act as part of the operating system right'). I can only get so far, though. When I put in a username and new password, I get an error when I hit the 'Reset' button:

Re: Resetting an Active Directory accounts' password...

DaleP — Tue, 27 Mar 2007 21:30:39 GMT

New question to an old post; Can you describe whats happening in this line of code:

----------------------------------------------------------------------------------------------------------------

'Enable account

Const ADS_UF_ACCOUNTDISABLE As Integer = &H2

Dim flags As Integer = user.Properties("userAccountControl").Value
user.Properties("userAccountControl").Value = flags And Not ADS_UF_ACCOUNTDISABLE
user.CommitChanges()
-------------------------------------------------------------------------------------------------------------------

I've been reading in chapter 10 of your book "The .NET Developers Guide to Directory Services User Account Management" on this and I think I need a little instruction on it. I am using it, it works but I just don't understand why or how it works.

Thanks!

Re: Resetting an Active Directory accounts' password...

Hoff — Mon, 28 Aug 2006 13:50:51 GMT

Hi! I'm trying to let helpdesk users reset users password in the AD using a web application. I get a logon dialog to the server that the IIS is running and the web application is on. I have no idea why?. According to my application the impersonation seems to work fine, but it still wants me to login. The error occurs here:

                    UserEntryChange = result.GetDirectoryEntry()

                    UserEntryChange.Invoke("setpassword", "p@ssw0rd")
                    lblDebug.Text = "The password has been changed"
                    UserEntryChange.CommitChanges()

Any ideas what is wrong?

I'm using IIS6 and Win 2k3 server. I know that this solution is not secure but I just want it to work now. Is there a better way to let help desk users reset users password in the AD?. Really would be thankfull for all help I can get. I'm stuck right now:/

Best regards

hoff

Imports System
Imports System.DirectoryServices
Imports System.Web.Caching
Imports System.Security
Imports System.Security.Principal

Partial Class _Default
    Inherits System.Web.UI.Page

    Dim LOGON32_LOGON_INTERACTIVE As Integer = 2
    Dim LOGON32_PROVIDER_DEFAULT As Integer = 0

    Dim impersonationContext As WindowsImpersonationContext

    Declare Function LogonUserA Lib "advapi32.dll" (ByVal lpszUsername As String, _
                           ByVal lpszDomain As String, _
                          ByVal lpszPassword As String, _
                         ByVal dwLogonType As Integer, _
                        ByVal dwLogonProvider As Integer, _
                       ByRef phToken As IntPtr) As Integer

    Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
                           ByVal ExistingTokenHandle As IntPtr, _
                          ByVal ImpersonationLevel As Integer, _
                         ByRef DuplicateTokenHandle As IntPtr) As Integer

    Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Long
    Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Long

    Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)

    End Sub
    Private Sub Run(ByVal userName As String, ByVal password As String)
        Dim _userName, _password As String
        _userName = userName
        _password = password
        If impersonateValidUser(_userName, "hoff.test.se", _password) Then
            lblAfter.Text = WindowsIdentity.GetCurrent().Name

            ' Insert your code that runs under the security context of a specific user here.
            undoImpersonation()

        End If
    End Sub

    Private Function impersonateValidUser(ByVal userName As String, _
     ByVal domain As String, ByVal password As String) As Boolean

        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        Dim tokenDuplicate As IntPtr = IntPtr.Zero
        impersonateValidUser = False
        If RevertToSelf() Then
            If LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
                If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                    tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                    impersonationContext = tempWindowsIdentity.Impersonate()
                    If Not impersonationContext Is Nothing Then
                        impersonateValidUser = True
                    End If
                End If
            End If
        End If
        If Not tokenDuplicate.Equals(IntPtr.Zero) Then
            CloseHandle(tokenDuplicate)
        End If
        If Not token.Equals(IntPtr.Zero) Then
            CloseHandle(token)
        End If
    End Function

    Private Sub undoImpersonation()
        impersonationContext.Undo()
        lblAfterImp.Text = WindowsIdentity.GetCurrent().Name
    End Sub

    Dim UserEntry As New DirectoryEntry

    Protected Sub btnSearch_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSearch.Click
        Dim AuthUser, AuthPass, Domain As String
        AuthUser = txtUsername.Text
        AuthPass = txtPassword.Text
        Domain = txtDomain.Text
        Cache("UserName") = AuthUser
        Cache("UserPsw") = AuthPass
        Dim oOU As New System.DirectoryServices.DirectoryEntry("LDAP://hoff.test.se", AuthUser, AuthPass, AuthenticationTypes.Secure)
        UserEntry = searchUser2(oOU)

    End Sub

    Protected Sub btnChangePsw_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnChangePsw.Click
        Dim UserID, UserPassword As String
        UserID = Cache.Get("UserName")
        UserPassword = Cache.Get("UserPsw")
        lblBeforeImp.Text = WindowsIdentity.GetCurrent().Name
        'Impersonate...
        If impersonateValidUser(UserID, "hoff.test.se", UserPassword) Then
            Dim oOUChange As New System.DirectoryServices.DirectoryEntry("LDAP://hoff.test.se", UserID, UserPassword, AuthenticationTypes.Secure)
            ChangeUserPsw(oOUChange)
        Else
            lblDebug.Text = "Impersonation failed"
        End If
        undoImpersonation()
    End Sub

    Public Function searchUser2(ByVal myEntry As System.DirectoryServices.DirectoryEntry)
        lstResults.Items.Clear()
        lblDebug.Text = ""

        Try
            Dim mySearch As New System.DirectoryServices.DirectorySearcher(myEntry)
            Dim UserEntrySearch As New DirectoryEntry

            lblDebug.Text = txtSearch.Text
            mySearch.Filter = "(SAMAccountName=" & txtSearch.Text & ")"
            mySearch.PropertiesToLoad.Add("cn")
            mySearch.PropertiesToLoad.Add("sAMAccountName")
            mySearch.PropertiesToLoad.Add("description")

            'search results
            Dim result As System.DirectoryServices.SearchResult
            For Each result In mySearch.FindAll()
                If result.Properties.Count > 0 Then
                    lstResults.Items.Add(result.Properties("cn")(0))
                    lstResults.Items.Add(result.Properties("sAMAccountName")(0))
                    lstResults.Items.Add(result.Properties("description")(0))
                    lstResults.Items.Add(result.Path.ToString)
                    UserEntrySearch = result.GetDirectoryEntry()

                Else
                    lblDebug.Text = "No user was found"

                End If

            Next result
            Return UserEntrySearch

        Catch ex As Exception
            lblDebug.Text = "Wrong username/password"
            Return Nothing
        End Try
    End Function

    Public Sub ChangeUserPsw(ByVal myEntry As System.DirectoryServices.DirectoryEntry)
        Try
            Dim mySearch As New System.DirectoryServices.DirectorySearcher(myEntry)
            Dim UserEntryChange As New DirectoryEntry

            'search filter
            mySearch.Filter = "(SAMAccountName=" & txtSearch.Text & ")"
            mySearch.PropertiesToLoad.Add("cn")
            mySearch.PropertiesToLoad.Add("sAMAccountName")
            mySearch.PropertiesToLoad.Add("description")

            'the results from the search
            Dim result As System.DirectoryServices.SearchResult
            For Each result In mySearch.FindAll()
                If result.Properties.Count = 0 Then
                    lblDebug.Text = "The user was not found"
                Else

                    UserEntryChange = result.GetDirectoryEntry()

                    UserEntryChange.Invoke("setpassword", "p@ssw0rd")
                    lblDebug.Text = "Password has been changed"
                    UserEntryChange.CommitChanges()

                    UserEntryChange.Close()
                End If

            Next result

        Catch ex As Exception
            Throw
        End Try
    End Sub

    Protected Sub btnReset_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnReset.Click
        txtUsername.Text = ""
        txtPassword.Text = ""
        txtSearch.Text = ""
        lblDebug.Text = ""
        lstResults.Items.Clear()

    End Sub

End Class

Re: Resetting an Active Directory accounts' password...

dpwb — Mon, 24 Jul 2006 13:21:35 GMT

Include System.DirectoryServices into your project

Above your class add

using System.DirectoryServices

The following should be included under your asp button

DirectoryEntry de = new DirectoryEntry();

de.Path = "LDAP://ADName/CN=Users;DC=controllerNameSeperatedByCommas";

de.Username = "controllerNameSeperatedByCommas\ADAdminAccount";

de.Password = "ADAdminPassword";

DirectorySearcher deSearch = new DirectorySearcher();

deSearch.SearchRoot = de;

deSearchFilter = "(&(objectClass=user)(SAMAccountName=" + txtAccount.Text + "))";

SearchResult account = deSearch.FindOne();

DirectoryEntry user = account.GetDirectoryEntry();

object[] oPassword = new object[] { txtNewPassword.Text};

object ret = user.Invoke("SetPassword", oPassword);

user.CommitChanges();

cheers

dpwb

Re: Resetting an Active Directory accounts' password...

dpwb — Mon, 24 Jul 2006 13:17:16 GMT

Include System.DirectoryServices into your project

Above your class add

using System.DirectoryServices

The following should be included under your asp button

try

{

DirectoryEntry de = new DirectoryEntry();

de.Path = "LDAP://ADName/CN=Users;DC=controllerNameSeperatedByCommas";

de.Username = "controllerNameSeperatedByCommas\ADAdminAccount";

de.Password = "ADAdminPassword";

DirectorySearcher deSearch = new DirectorySearcher();

deSearch.SearchRoot = de;

deSearchFilter = "(&(objectClass=user)(SAMAccountName=" + txtAccount.Text + "))";

SearchResult account = deSearch.FindOne();

DirectoryEntry user = account.GetDirectoryEntry();

Re: Resetting an Active Directory accounts' password...

BillyBoBob — Thu, 20 Jul 2006 15:41:46 GMT

Would someone be gracious enough to give me a simple path of how to put this together. I'm no developer but can tinker with things as needed.

I have Microsoft Visual Web Developer and access to Visual Studio 2005. I would just like a simple form for a delegated authority in AD to reset a password for one of their subordinates. How do I use the text box fields from my aspx page for username and password to accomplish this?

again, I GREATLY appreciate any help that can be given. Thanks.

Re: Resetting an Active Directory accounts' password...

keiyia — Tue, 27 Jun 2006 21:46:37 GMT

I am new to AD programming and C#. I am creating an application that will allow users to reset their passwords and unlock their accounts. I know there is a good post on here for a web form but I am still getting no where.

I got it working using WinNT but am now changing it to LDAP because of the limits WinNT puts on you. Now I am getting a target of invocation error. See my code below.

(Basically I stripped everything out and started a new app using the bare minimum to try and track down the problem. Please help.)

using

System;

using

System.Collections.Generic;

using

System.ComponentModel;

using

System.Data;

using

System.Drawing;

using

System.Text;

using

System.Windows.Forms;

using

System.DirectoryServices;

namespace

WindowsApplication1

{

public partial class Form1 : Form

{

public Form1()

{

InitializeComponent();

}

private void button1_Click(object sender, EventArgs e)

{

string username = "test";

DirectoryEntry entry = new DirectoryEntry(LDAP://server namem.domain.gov,"admin user ", "password", AuthenticationTypes.Secure);

DirectorySearcher search = new DirectorySearcher();

search.Filter =

String.Format("(SAMAccountName={0})", username);

search.PropertiesToLoad.Add(

"cn");

SearchResult result = search.FindOne();

if (result != null)

{

textBox1.Text =

Convert.ToString(entry.Invoke("Get", new object[] { "FullName" }));

//statusLabel.Text = "true";

}

Re: Resetting an Active Directory accounts' password...

Loxodrome — Mon, 23 Feb 2004 19:56:29 GMT

Ok .. then am i to assume that

.Invoke("ChangePassword",new object[]{strOldPassword, strNewPassword});

should work outside of the domain ?

If so, then its not working for me either..

I was really hoping to get rid of some of the hacks im using to set passwords in the other domain... Currently I am doing DB exports on changed password fields, SCP 'ing to the other domain, and then SSH'ing it to run the generated VBS file... <sigh> so much for the glory of C#.NET :)

As for SSL and the unicodePWD .. never tried SSL and I looked into setting the unicodePWD when i was trying to do this with PHP and decided that it was way to much a pain in the ass to convert the script i found to php....

Right now though, it seems to be erroring out on "There is no such object on the server".. Its the same error regardless of the proccess (SetPass,ChangePass) it doesnt even get their, just tries to bind and dies when binding to the user object... but i cant find a way to properly test /where/ its failes, but an educated guess would be during bind.

Re: Resetting an Active Directory accounts' password...

dunnry — Mon, 23 Feb 2004 19:30:51 GMT

However I /need/ to be able to reset passwords on domains outside of the one the webserver resides on.

Sorry, I don't believe SetPassword will work on any computer outside the domain. I have not seen documentation to that effect, but speaking with others, this appears to be the situation. Perhaps if you have SSL installed on your domain controllers and are using it, it might work - or by setting the 'unicodePwd' attribute directly.

Re: Resetting an Active Directory accounts' password...

Loxodrome — Mon, 23 Feb 2004 19:16:36 GMT

Ok.. im yet another one that is attempting this.

However I /need/ to be able to reset passwords on domains outside of the one the webserver resides on.

My code works fine as best as I can tell, it seems to authenticate on the target domain, it seems to try and bind to the target user object...

But then the throw(),catch() gives me;There is no such object on the server....

Ok.. that would tell me that the user that I am binding to does not exist on the target domain.. However I know it is there.. So my next assumption would be that the user that is creating the bind (an admin account from the target domain domain\\username) does not have enough credetials to browse the OU... Which then lends to the, is this then a double hop issue or lack of sec token from the origanl admin bind, and that it is the ISUR account that is attempting to connect to the target domain instead.

1) i am running an IIS server on a standalone (non-dc) machine in the admin domain
2) OS is windows XP server 2003 patched to the gills
3) The server exists on the admin domain wich can commuicate with the student domain, but not the reverse
4) I am using form authentication, impersonation is enabled in my web.config

code is;



public void ChangePassBtn_Click(object sender, System.EventArgs e)


		{


			string inPassword = txtPassword.ToString();


			string inUsername = txtUsername.ToString();


			string UserPath= "LDAP://domain:389/CN=username,CN=techs,CN=users,CN=floor,DC=domain,DC=domain,DC=domain,DC=domain";


			


			lblSuccessFail.Text = "";





			try


			{


				DirectoryEntry adEntry= new DirectoryEntry(UserPath,"domain\\admin","adminpass",AuthenticationTypes.Secure);


				adEntry.Invoke("SetPassword", new object[]{inPassword});


				adEntry.CommitChanges();


				adEntry.RefreshCache();


			}


			catch(Exception ex)


			{


				//string strCurrentID = System.Security.Principal.WindowsIdentity.GetCurrent().Name;





				lblSuccessFail.Text = ex.Message.ToString();


				//lblSuccessFail.Text = ex.InnerException.Message.ToString();


			}


		}