Re: AD Change Password issue

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/02/05


Date: Wed, 2 Feb 2005 13:12:32 -0600

You can't do this. If pwdLastSet is set to 1, the user will be in "change
password at next logon" mode, but via LDAP they cannot bind with their
credentials in that state. LDAP bind != Windows Logon. You need to use
Windows APIs to handle this.

If you could go in as a privileged account, you could set pwdLastSet to 0 to
get around that, but you said that wasn't an option.

I'm not exactly sure what APIs you can even use to do this though. One
thing you might want to look at is IIS 6 ships with some web pages for
managing user passwords that DO support this functionality. I haven't used
them, but I've heard such a thing exists.

Best of luck,

Joe K.

"Sathya Gomathi via DotNetMonster.com" <forum@DotNetMonster.com> wrote in
message news:330fe799458147ef8acfb578f5b1cb5a@DotNetMonster.com...
> Hi, thanks. There was a minimum pwd age set on GPO; it's working fine now.
>
> I am running into another problem. The requirement is that the option 'User
> must change pwd at first logon' needs to be set, and when the user logs in
> for the first time I must ask him to change his pwd through C#.
> 1. The first problem I encountered was that it doesn't even allow me to
> connect: error "bad user name and pwd".
>
> So here is the question: "How do I check whether this option is set, and
> how do I disable this option so that the user can change his/her pwd?"
> All this I need to do from C#, and also I can't use admin credentials to
> connect to AD.
>
> Thanks in advance
>
> --
> Message posted via http://www.dotnetmonster.com
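
Added example, not part of the original thread: when an LDAP simple bind to AD is rejected, the server's diagnostic text carries a Win32 logon code in hex after the word "data", which separates "must change password" (773) from a genuinely wrong password (52e) without privileged credentials. The class and method names are hypothetical and the sample messages are constructed; it is assumed the text is read from `LdapException.ServerErrorMessage` in System.DirectoryServices.Protocols.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

static class AdBindFailure   // hypothetical helper, not from the thread
{
    // Win32 logon error codes AD embeds (hex) in the bind diagnostic text.
    static readonly Dictionary<int, string> Reasons = new Dictionary<int, string>
    {
        { 0x525, "user not found" },
        { 0x52e, "invalid credentials" },
        { 0x530, "logon not permitted at this time" },
        { 0x531, "logon not permitted from this workstation" },
        { 0x532, "password expired" },
        { 0x533, "account disabled" },
        { 0x701, "account expired" },
        { 0x773, "user must change password at next logon" },
        { 0x775, "account locked out" },
    };

    static readonly Regex DataField =
        new Regex(@"\bdata\s+([0-9a-fA-F]+)\b", RegexOptions.Compiled);

    // Returns the Win32 code, or null when the text has no "data <hex>" field.
    public static int? ParseCode(string serverErrorMessage)
    {
        if (string.IsNullOrEmpty(serverErrorMessage)) return null;
        Match m = DataField.Match(serverErrorMessage);
        if (!m.Success) return null;
        return int.TryParse(m.Groups[1].Value, NumberStyles.HexNumber,
            CultureInfo.InvariantCulture, out int code) ? code : (int?)null;
    }

    public static string Describe(string serverErrorMessage)
    {
        int? code = ParseCode(serverErrorMessage);
        if (code == null) return "no sub-code in server message";
        return Reasons.TryGetValue(code.Value, out string why)
            ? why : "unmapped code 0x" + code.Value.ToString("x");
    }

    static void Main()
    {
        // Constructed samples; the DSID values are placeholders.
        string mustChange = "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 773, v0000";
        string badPassword = "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000";
        Console.WriteLine(Describe(mustChange));
        Console.WriteLine(Describe(badPassword));
    }
}
```

The bind still fails in the must-change state; the code only tells the application which failure it hit so it can route the user to a password-change path instead of reporting bad credentials.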


