User Management with Active Directory—Managing Passwords for Active Directory Users


User Management

© 2006 Pearson Education, Inc.

Managing Passwords for Active Directory Users

Unlike most Active Directory and ADAM user-management tasks, which we perform through simple manipulation of Active Directory objects and attributes via LDAP, managing passwords is somewhat more complex. Password changes require special semantics that the server enforces, and developers need to understand these semantics for password-management applications to succeed.

To facilitate the password-management process, ADSI exposes two methods on the IADsUser interface: SetPassword and ChangePassword. SetPassword performs an administrative reset of a user's password and is typically called by an administrator. Knowledge of the previous password is not required. ChangePassword simply changes the password from one value to another and is typically called only by the user represented by the directory object. It does require knowledge of the previous password, and thus it takes the old and new passwords as arguments.

Since the DirectoryEntry object does not directly expose the IADsUser ADSI interface, this is one case where we must use the DirectoryEntry.Invoke method to call these ADSI methods via late-bound reflection:

// Requires: using System.DirectoryServices;
// Given a DirectoryEntry "entry" that points to a user object,
// this will reset the user's password.
entry.Invoke("SetPassword",
  new object[] {"newpassword"});

// This will change the user's password.
entry.Invoke("ChangePassword",
  new object[] {"oldpassword", "newpassword"});

Note that the parameters to the SetPassword and ChangePassword methods are passed in as an array of objects that contain strings.
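
The following is an added example, not code from the book or this site. It wraps the two Invoke calls shown above and shows how a server-side rejection surfaces: because Invoke is late-bound, the ADSI failure arrives inside a TargetInvocationException. The PasswordHelper class, its method names, and the LDAP path are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

static class PasswordHelper // hypothetical helper, not part of the original article
{
    // Administrative reset: the bound identity needs reset rights on the user object.
    public static void Reset(DirectoryEntry user, string newPassword)
    {
        InvokeUnwrapped(user, "SetPassword", newPassword);
    }

    // Self-service change: the server checks oldPassword before accepting newPassword.
    public static void Change(DirectoryEntry user, string oldPassword, string newPassword)
    {
        InvokeUnwrapped(user, "ChangePassword", oldPassword, newPassword);
    }

    // Reflection wraps the ADSI failure (policy violation, wrong old password,
    // access denied) in TargetInvocationException; surface the COM error instead.
    static void InvokeUnwrapped(DirectoryEntry user, string method, params object[] args)
    {
        try
        {
            user.Invoke(method, args);
        }
        catch (TargetInvocationException ex)
        {
            COMException com = ex.InnerException as COMException;
            if (com == null) throw;
            // Report the method and HRESULT only; never echo the password arguments.
            throw new InvalidOperationException(string.Format(
                "{0} failed (HRESULT 0x{1:X8}): {2}", method, com.ErrorCode, com.Message), com);
        }
    }

    static void Main()
    {
        // Constructed distinguished name; replace with a real user path.
        const string path = "LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com";
        // Secure | Sealing requests an authenticated, encrypted bind as the current user.
        using (DirectoryEntry user = new DirectoryEntry(path, null, null,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            Console.Write("New password: "); // supplied at run time, not hard-coded
            Reset(user, Console.ReadLine());
        }
    }
}
```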

