Thread: Regular Domain Users can't change expired password

  1. #1
    Join Date
    Mar 2012
    Posts
    6

    Regular Domain Users can't change expired password

    Hello everyone,

    I have an ASP page on which Active Directory users can change their AD password. However, they can only use it as long as their password isn't expired.

    When their password is expired, they can't change it anymore.
    I've run some tests, and I've noticed that only people in our domain-administrator group can change their password if it is expired.

    Does anybody know how this problem can be solved? Placing all users in the domain-admin group is not an option.

    Here is the script:

    using System;
    using System.Configuration;
    using System.Data;
    using System.Linq;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;
    using System.Web.UI.WebControls;
    using System.Web.UI.WebControls.WebParts;
    using System.Xml.Linq;
    using System.DirectoryServices;
    using System.Text;

    public partial class _Default : System.Web.UI.Page
    {
        private static String DOMAIN_PREFIX = "LDAP://";
        private static String DOMAIN = " °°°°°°°°°";

        /* This is a user that is especially created for this service */
        private static String SERVICE_USER = "change_password";

        private static String SERVICE_PASSWORD = " °°°°°°°°°°";

        protected void Page_Load(object sender, EventArgs e)
        {
            LabelMessage.Text = "";
            TextBoxDomain.Text = DOMAIN;
        }

        protected void ChangeButton_Click(object sender, EventArgs e) {
            LabelMessage.Text = "";

            // Collect all validation errors so they can be shown as one list.
            StringBuilder errors = new StringBuilder();

            if (String.IsNullOrEmpty(TextBoxDomain.Text)) {
                errors.AppendLine("<li>Please fill in your domain.</li>");
            }

            if (String.IsNullOrEmpty(TextBoxUserName.Text)) {
                errors.AppendLine("<li>Please fill in your username.</li>");
            }

            if (String.IsNullOrEmpty(TextBoxOldPassword.Text)) {
                errors.AppendLine("<li>Please fill in your old password.</li>");
            }

            if (String.IsNullOrEmpty(TextBoxNewPassword.Text)) {
                errors.AppendLine("<li>Please fill in your new password.</li>");
            }

            if (String.IsNullOrEmpty(TextBoxNewPasswordAgain.Text)) {
                errors.AppendLine("<li>Please fill in your new password again.</li>");
            }

            if (errors.Length == 0 && !TextBoxNewPassword.Text.Equals(TextBoxNewPasswordAgain.Text)) {
                errors.AppendLine("<li>Both new passwords should be equal.</li>");
            }

            if (errors.Length != 0) {
                errors.Insert(0, "<p>Your password isn't changed!</p><ul>");
                errors.AppendLine("</ul>");
                LabelMessage.Text = errors.ToString();
                LabelMessage.CssClass = "fail";
                return;
            }

            String username = TextBoxUserName.Text;
            String oldPassword = TextBoxOldPassword.Text;
            String newPassword = TextBoxNewPassword.Text;
            String domain = DOMAIN_PREFIX + TextBoxDomain.Text;

            changePassword(domain, username, oldPassword, newPassword);
        }

        private void changePassword(String domain, String username, String oldPassword, String newPassword) {
            try {
                // Bind to the directory with the service account and look up the user object.
                DirectoryEntry root = new DirectoryEntry(domain, SERVICE_USER, SERVICE_PASSWORD);
                DirectorySearcher ds = new DirectorySearcher(root);
                ds.CacheResults = false;
                ds.SearchScope = SearchScope.Subtree;

                // Escape the LDAP filter metacharacters (RFC 4515) so the submitted
                // user name is matched literally and cannot alter the filter.
                // The backslash must be escaped first.
                String safeUsername = username.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
                ds.Filter = "(&(objectClass=user)(sAMAccountName=" + safeUsername + "))";

                SearchResult res = ds.FindOne();
                if (res == null) {
                    throw new Exception("User not found in this domain.");
                }

                DirectoryEntry user = res.GetDirectoryEntry();
                if (user == null) {
                    throw new Exception("User not found.");
                }

                user.Invoke("ChangePassword", new Object[] { oldPassword, newPassword });

                LabelMessage.Text = "Your password is changed!";
                LabelMessage.CssClass = "success";
            } catch (Exception e) {
                // Invoke() wraps the underlying directory error; show the inner one if present.
                if (e.InnerException != null){
                    e = e.InnerException;
                }
                // Label.Text is rendered as raw HTML, so encode the message before displaying it.
                LabelMessage.Text = "<p>Please try again!</p><p>" + HttpUtility.HtmlEncode(e.Message) + "</p>";
                LabelMessage.CssClass = "fail";
                //throw e;
            }
        }
    }

    Thanks in advance,

    Tim

  2. #2
    Join Date
    Dec 2007
    Posts
    2,291

    Re: Regular Domain Users can't change expired password

    Can you tell us whether the affected accounts are in a trusted domain? Are all LMHOSTS files configured correctly and the same on all clients? Are the users logged in and then changing their passwords, or do they get the error message during the initial logon? Have you been successful on even one machine with this scenario?

  3. #3
    Join Date
    Mar 2012
    Posts
    6

    Re: Regular Domain Users can't change expired password

    Hey Einstein,

    I don't have any experience with Active Directory, so trusted domain and LMHOSTS don't ring a bell.
    My page is just an ASP page which is hosted on IIS on our domain controller. On their computers, our users browse to this website, fill in their username, their old password and their new password twice. Then they hit the button and their password should change.

    I noticed the following while testing.
    A certain user had an expired password. He surfed to the page, filled it in, and got an error when clicking the button. Then I opened Server Manager and reset his password to a new value. Then this user browsed to the page again, filled in the form, and clicked the button. This time it worked, and the password was successfully changed.

    Another user had the same problem as above. He got the error, so I opened Server Manager again and put this user in our Domain Administrator group. Then I asked him to try again, and noticed that the page did work this time.

    So I presume this must be caused by some permission issues? Does anybody have experience with this situation?

    Many thanks in advance,

    Tim

  4. #4
    Join Date
    Mar 2012
    Posts
    6

    Re: Regular Domain Users can't change expired password

    Can anyone help me?
