API to Change User Password and Maintain EFS Access

Post by Tyle » Tue, 31 Aug 2004 22:19:23


What API call should an application use to change a user account's password
(local machine account - not a domain account) such that the user will still
have access to files encrypted using EFS?

I have attempted to use both the NetUserSetInfo and NetUserChangePassword
and both APIs leave the user without access to files encrypted using the
previous password.

Could someone please provide some guidance as to what APIs an application
should use to change a user account's password without losing access to EFS
files?

Thanks, Tyler
 
 
 

Post by John Banes » Wed, 01 Sep 2004 04:22:29

The NetUserChangePassword function should work fine for this. Of course, you
do need to supply the user's old password when calling this function.

Regards,
John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.



Post by Tyle » Wed, 01 Sep 2004 05:53:03

Using the program below, I have been unable to make the
NetUserChangePassword API work. I created my test environment as follows:
- create new local user
- logon as the new local user
- create a new folder, set its properties to encrypt files
- create a new text file in the folder - when saved, it is encrypted
- logoff, and logon again
- attempt to access the encrypted text file - access OK
- run the program below that uses the NetUserChangePassword API to change
the user's password
- logoff, and logon again
- attempt to access the encrypted text file - access DENIED

Can you see that I am missing any steps?

Thanks, Tyler


******* Test Program (from MSDN NetUserChangePassword API) *******

// ChangePassword.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
// Headers and import library the sample needs if stdafx.h does not supply them.
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")

int wmain(int argc, wchar_t *argv[])
{
    DWORD dwError = 0;
    NET_API_STATUS nStatus;
    //
    // All parameters are required.
    //
    if (argc != 5)
    {
        fwprintf(stderr, L"Usage: %s \\\\ServerName UserName OldPassword NewPassword\n", argv[0]);
        exit(1);
    }
    //
    // Call the NetUserChangePassword function.
    // argv[1] is passed through unchanged as the domainname parameter.
    //
    nStatus = NetUserChangePassword(argv[1], argv[2], argv[3], argv[4]);
    //
    // If the call succeeds, inform the user.
    //
    if (nStatus == NERR_Success)
        fwprintf(stderr, L"User password has been changed successfully\n");
    //
    // Otherwise, print the system error (NET_API_STATUS is a DWORD).
    //
    else
        fprintf(stderr, "A system error has occurred: %lu\n", nStatus);

    return 0;
}

******* End Test Program *******
 
 
 

Post by John Banes » Wed, 01 Sep 2004 10:58:09

Leave off the "\\" in front of the machine name and this should start
working okay. This problem was discovered pretty recently, and I'm pretty
sure that a fix is in the pipeline. In the meantime, leaving off the slashes
in front of the domain name parameter is a pretty simple work-around.

Regards,
John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
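
The work-around described in the reply above, as an added example that is not part of the original thread and is not Microsoft's code: a wrapper that removes leading backslashes from the machine name before calling NetUserChangePassword. The names strip_unc_prefix and change_password_keep_efs and the sample machine name TESTPC are assumptions made for illustration; the API call itself is compiled only on Windows.

```c
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#endif

/* Hypothetical helper: skip any leading backslashes in a machine or
   domain name, so L"\\\\TESTPC" and L"TESTPC" both yield L"TESTPC".
   NULL is returned unchanged. */
const wchar_t *strip_unc_prefix(const wchar_t *name)
{
    if (name == NULL)
        return NULL;
    while (*name == L'\\')
        name++;
    return name;
}

#ifdef _WIN32
/* Hypothetical wrapper: the old password is still required, and the
   machine name reaches NetUserChangePassword without the "\\" prefix. */
NET_API_STATUS change_password_keep_efs(const wchar_t *machine,
                                        const wchar_t *user,
                                        const wchar_t *old_pw,
                                        const wchar_t *new_pw)
{
    const wchar_t *name = strip_unc_prefix(machine);

    /* A name made only of backslashes is a caller error, not a target. */
    if (name != NULL && *name == L'\0')
        return ERROR_INVALID_PARAMETER;
    return NetUserChangePassword(name, user, old_pw, new_pw);
}
#endif

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const wchar_t *samples[] = { L"\\\\TESTPC", L"TESTPC" };
    for (size_t i = 0; i < 2; i++)
        wprintf(L"%ls -> %ls\n", samples[i], strip_unc_prefix(samples[i]));
    return 0;
}
```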



Post by Tyle » Wed, 01 Sep 2004 21:30:40

Thank you!

Removing the "\\" has resolved my problem. One last question is, do you
have any idea how this fix will be provided (hotfix/service pack/other) and
will the fix be compatible with the work-around to remove the "\\"?

Thanks, Tyler




Post by John Banes » Thu, 02 Sep 2004 04:59:25

I'm not sure how the fix will be packaged or when it will be released. I can
say that it will definitely be compatible with the work-around, though. Most
callers of NetUserChangePassword do not include the "\\" in front of the
domain name, or else we would have discovered this problem years ago.

Regards,
John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.



Post by Tyle » Thu, 02 Sep 2004 22:34:12

Thank you for your assistance John. It is greatly appreciated! :-)

Tyler




Post by John Banes » Fri, 03 Sep 2004 13:40:48

No problem. It helped a lot that your problem description was so detailed!

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.