change expired password of user, without the credentials of another user

Post by dan » Wed, 10 Aug 2005 17:29:10


Hi ng,

I have User objects in an Active Directory which are used only for IIS
authentication.
So there is a problem when the password of this user has to be changed (e.g.
because it is expired).
When I connect to the Active Directory with the credentials of such a user,
ADSI throws a "Logon failure: unknown user name or bad password" exception.
Is it possible to get the information that the password has to be changed?
And can I do that with the credentials of that account?
After all, Windows gets that information from the domain: when I log on to the
domain with a "password must be changed" user, a user mask to enter the
expired and the new password appears. And that is what I would like to do, with
ADSI.

Thanks,
dan
 
 
 

Post by MVP - AD » Wed, 10 Aug 2005 23:06:12

I'm pretty sure you can't do this with ADSI. You definitely can't do this
with LDAP.

You might try to see if you can get it to work with the WinNT provider, but
I'm not sure if that works either.

Windows does this using the SSPI API.

Joe K.

 
 
 

Post by Rich Raffe » Thu, 11 Aug 2005 08:30:10

I don't have a direct solution. However, we lessened the impact of expired
passwords by implementing a daily job to email informational notices to
users when their passwords were about to expire. We email 14 days and 3
days prior to expiration. This helps catch the people who use Windows
authentication but do not log in to a Windows PC.
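
The daily check described in the post above, as an added example (not part of the original thread and not any poster's code): it derives each account's expiry from the `pwdLastSet` attribute and the domain's `maxPwdAge`, then selects the accounts that are exactly 14 or 3 days from expiry. It assumes the attributes have already been read from the directory into dictionaries; the accounts, addresses and 42-day policy are constructed sample data, and sending the mail is left to the caller.

```python
from datetime import date, datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
NOTICE_DAYS = (14, 3)            # schedule from the post above

def to_filetime(dt):
    """Aware datetime -> 100-ns ticks since 1601-01-01 UTC."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(user, max_pwd_age):
    """Expiry time (UTC), or None if the password never expires."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return None
    if max_pwd_age in (0, -(2**63)):      # domain policy: no expiry
        return None
    if user["pwdLastSet"] == 0:           # must change at next logon
        return FILETIME_EPOCH             # treat as already expired
    # maxPwdAge is stored as a negative interval, so subtract it.
    return from_filetime(user["pwdLastSet"] - max_pwd_age)

def notices_due(users, max_pwd_age, today):
    """(sAMAccountName, mail, days_left) for users due a notice today."""
    due = []
    for u in users:
        expiry = password_expiry(u, max_pwd_age)
        if expiry is None:
            continue
        days_left = (expiry.date() - today).days
        if days_left in NOTICE_DAYS:
            due.append((u["sAMAccountName"], u["mail"], days_left))
    return due

# Constructed sample data: 42-day policy, five hypothetical accounts.
MAX_PWD_AGE = -42 * 86400 * 10**7
def sample_user(name, set_on, uac=0x200):
    ticks = to_filetime(datetime(*set_on, tzinfo=timezone.utc)) if set_on else 0
    return {"sAMAccountName": name, "mail": name + "@example.test",
            "pwdLastSet": ticks, "userAccountControl": uac}
SAMPLE_USERS = [sample_user("iis_app1", (2005, 7, 13)), sample_user("iis_app2", (2005, 7, 2)),
                sample_user("iis_app3", (2005, 8, 1)), sample_user("iis_svc", (2005, 1, 1), 0x10200),
                sample_user("iis_new", None)]
SAMPLE_TODAY = date(2005, 8, 10)

if __name__ == "__main__":
    for name, mail, days in notices_due(SAMPLE_USERS, MAX_PWD_AGE, SAMPLE_TODAY):
        print(f"notify {mail}: password for {name} expires in {days} days")
```

Accounts with `pwdLastSet` equal to 0 are already in the "must change" state and get no notice from this job, so they need separate handling.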

"Joe Kaplan (MVP - ADSI)" < XXXX@XXXXX.COM > wrote
 
 
 

Post by dan » Fri, 12 Aug 2005 15:22:54

And is it possible to use the SSPI API in an unmanaged block within .NET?

"Joe Kaplan (MVP - ADSI)" < XXXX@XXXXX.COM > wrote
 
 
 

Post by MVP - AD » Sat, 13 Aug 2005 01:50:06

Yes, a few people have written managed wrappers for SSPI. .NET 2.0 has a
built-in one as well (NegotiateStream).

Google is your friend here :)

Joe K.