Directory Services

Managing User Passwords

This topic includes information and code examples for managing user passwords.

The following code example shows how to set the user password by invoking the IADsUser::SetPassword method.

[C#]
usr.Invoke("SetPassword", new object[]{"secret"});

The following code example shows how to change the user password by invoking the IADsUser::ChangePassword method.

[C#]
usr.Invoke("ChangePassword", new object[]{"oldpass", "newpass"});

The following code example shows how to set the user password so that it must be changed at the next logon. It does this through the pwdLastSet property: writing 0 turns the requirement on, and writing -1 turns it off (the attribute is then stamped with the current time).

[C#]
usr.Properties["pwdLastSet"].Value = 0; // 0 = must change at next logon; set to -1 to turn this off.
usr.CommitChanges();

The following code example shows how to deny the change password operation. It uses COM Interop to read the ntSecurityDescriptor property as an IADsSecurityDescriptor. It then uses the IADsAccessControlList to get the DACL from the security descriptor and IADsAccessControlEntry to set the AceType, AceFlags, Trustee, Flags, ObjectType and AccessMask properties of each new entry. The AceType flags are defined in ADS_ACETYPE_ENUM. The AceFlags are defined in the ADS_FLAGTYPE_ENUM. AccessMask flags are defined in the ADS_RIGHTS_ENUM.

[C#]
using System;
using System.DirectoryServices;

public class securitydescriptorclass
{
	// Rights GUID of the User-Change-Password extended right.
	public const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
	public const int ADS_UF_ACCOUNTDISABLE = 2;
	public const int ADS_UF_PASSWORD_EXPIRED = 0x800000;
	public const int ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000;

	public static void Main(string[] args)
	{
		DirectoryEntry ent = new DirectoryEntry();
		DirectoryEntry ou = ent.Children.Find("OU=Consulting");
		DirectoryEntry usr = ou.Children.Add("CN=Alice Sullivan", "user");
		// Commit the new object first so that the server assigns it a security descriptor to read.
		usr.CommitChanges();

		// Deny the change-password right to the user itself (SELF) and to Everyone.
		string[] trustees = new string[]{@"NT AUTHORITY\SELF", "EVERYONE"};

		ActiveDs.IADsSecurityDescriptor sd =
			(ActiveDs.IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
		ActiveDs.IADsAccessControlList acl =
			(ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;
		foreach(string trustee in trustees)
		{
			// Create a separate ACE for each trustee; reusing one object would alias both entries.
			ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();
			ace.Trustee = trustee;
			ace.AceFlags = 0;
			ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
			ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
			ace.ObjectType = PASSWORD_GUID;
			ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
			// AddAce appends; a DACL in canonical order lists explicit deny entries before allow entries.
			acl.AddAce(ace);
		}
		sd.DiscretionaryAcl = acl;
		usr.Properties["ntSecurityDescriptor"].Value = sd;
		usr.CommitChanges();
	}
}

The following code example shows how to set the password to never expire. It uses the Properties collection to read the userAccountControl property and set the ADS_UF_DONT_EXPIRE_PASSWD flag defined in the ADS_USER_FLAG_ENUM.

[C#]
const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;
int val = (int)usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val | ADS_UF_DONT_EXPIRE_PASSWD;
usr.CommitChanges();
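As an added example that is not part of the original topic, the following ties the settings above together from the auditing side: it decodes the password-related userAccountControl flags, reads pwdLastSet as a FILETIME, and lists any DACL entry that denies the User-Change-Password right (the ACE the deny example above adds). It assumes the ActiveDs COM interop assembly used on this page and a hypothetical LDAP path for the user.

```csharp
using System;
using System.DirectoryServices;
using ActiveDs; // COM interop for the Active DS Type Library, as in the examples above

public static class PasswordSettingsAudit
{
    // Flag values and the User-Change-Password rights GUID are the ones given on this page.
    public const int ADS_UF_ACCOUNTDISABLE = 0x2;
    public const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;
    public const int ADS_UF_PASSWORD_EXPIRED = 0x800000;
    public const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

    // pwdLastSet is a FILETIME held in an IADsLargeInteger; 0 means "must change at next logon".
    public static DateTime? PwdLastSetUtc(DirectoryEntry usr)
    {
        IADsLargeInteger li = (IADsLargeInteger)usr.Properties["pwdLastSet"].Value;
        long fileTime = ((long)li.HighPart << 32) | (uint)li.LowPart;
        return fileTime == 0 ? (DateTime?)null : DateTime.FromFileTimeUtc(fileTime);
    }

    public static void Report(DirectoryEntry usr)
    {
        int uac = (int)usr.Properties["userAccountControl"].Value;
        Console.WriteLine("disabled:          {0}", (uac & ADS_UF_ACCOUNTDISABLE) != 0);
        Console.WriteLine("never expires:     {0}", (uac & ADS_UF_DONT_EXPIRE_PASSWD) != 0);
        Console.WriteLine("expired:           {0}", (uac & ADS_UF_PASSWORD_EXPIRED) != 0);
        DateTime? last = PwdLastSetUtc(usr);
        Console.WriteLine("pwdLastSet (UTC):  {0}",
            last.HasValue ? last.Value.ToString("u") : "0 (change required at next logon)");

        // Walk the DACL and report deny-object ACEs carrying the change-password rights GUID.
        IADsSecurityDescriptor sd = (IADsSecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
        IADsAccessControlList dacl = (IADsAccessControlList)sd.DiscretionaryAcl;
        foreach (IADsAccessControlEntry ace in dacl)
        {
            bool denyObject = ace.AceType == (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
            bool changePwd = string.Equals(ace.ObjectType, PASSWORD_GUID, StringComparison.OrdinalIgnoreCase);
            bool controlAccess = (ace.AccessMask & (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS) != 0;
            if (denyObject && changePwd && controlAccess)
                Console.WriteLine("change password denied for: {0}", ace.Trustee);
        }
    }

    public static void Main(string[] args)
    {
        // Hypothetical path: replace the DC components with your own domain.
        using (DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Alice Sullivan,OU=Consulting,DC=example,DC=com"))
            Report(usr);
    }
}
```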