Background
Although the title of this article is "C# operations on AD: changing a user's password", the Microsoft API does not actually provide a method for changing the password (as I understand it, changing a password means the old password must be entered and verified); it only provides a method for resetting it. The code to reset the password might look like this:
user.Invoke("SetPassword", new object[] { newPassword });
user.CommitChanges();
This article discusses how to implement a password change when no change-password method is provided, which mainly comes down to verifying the old password.
Problems encountered
The usual way to verify in C# that the password of an AD account is correct is to create a new DirectoryEntry object for the user and see whether an exception is thrown; if there is no exception, the password is correct. The code is as follows:
using (DirectoryEntry user = new DirectoryEntry(ldapAddress, account, password, AuthenticationTypes.Secure))
{
    // Reading NativeObject forces the bind; it throws if authentication fails.
    object obj = user.NativeObject;
    user.Close();
}
However, if the user's password has expired, or "User must change password at next logon" was checked when the user was created, the code above throws an exception even when the correct password is supplied. The exception message is "User name or password is not correct", so the old password cannot be verified this way. By analyzing the exception information, I finally found a solution.
Problem solving
As described above, there are four different scenarios:
Password expired, correct password entered during verification;
Password expired, wrong password entered during verification;
"User must change password at next logon" checked, correct password entered during verification;
"User must change password at next logon" checked, wrong password entered during verification.
The code that reads the exception information is as follows:
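catch (Exception ex)
{
    // Only DirectoryServicesCOMException carries ExtendedErrorMessage;
    // a direct cast would throw for any other exception type.
    var comEx = ex as System.DirectoryServices.DirectoryServicesCOMException;
    string extendError = (comEx != null && comEx.ExtendedErrorMessage != null)
        ? comEx.ExtendedErrorMessage : string.Empty;
    // "data 773" and "data 532" mean the password was correct but must be changed or has expired.
    if (extendError.Contains("data 773") || extendError.Contains("data 532"))
    {
        result = ADLoginResult.Success;
    }
    else
    {
        errMsg = ex.Message + " Please contact admin!";
    }
}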
For the four cases above, the resulting exception information is as follows:
"User must change password at next logon" checked, correct password
8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 773, V1DB1
"User must change password at next logon" checked, wrong password
8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 52e, V1DB1
Password expired, correct password
8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 532, V1DB1
Password expired, wrong password
8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 52e, V1DB1
As you can see, when the password is wrong the returned error message contains data 52e. This difference in the exception information can be used to verify the old password.
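The mapping above can also be written as an exact match on the "data" sub-code rather than a substring test. The following is an added example, not code from the original article. The names OldPasswordCheck and AdBindError are hypothetical, and any sub-code other than the three listed above is treated as unverified.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical result type for this example.
enum OldPasswordCheck { Correct, Wrong, Unknown }

static class AdBindError
{
    // Captures the whole hex sub-code after "data", so "data 5321" is not read as "data 532".
    static readonly Regex DataCode =
        new Regex(@"\bdata\s+([0-9a-f]+)\b", RegexOptions.IgnoreCase);

    public static OldPasswordCheck Classify(string extendedError)
    {
        if (string.IsNullOrEmpty(extendedError)) return OldPasswordCheck.Unknown;
        Match m = DataCode.Match(extendedError);
        if (!m.Success) return OldPasswordCheck.Unknown;

        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "773": // must change password at next logon, password correct
            case "532": // password expired, password correct
                return OldPasswordCheck.Correct;
            case "52e": // wrong password
                return OldPasswordCheck.Wrong;
            default:    // any other sub-code: fail closed, old password not verified
                return OldPasswordCheck.Unknown;
        }
    }
}

static class Program
{
    static void Main()
    {
        // The first three messages are the ones listed in the article; the last is constructed.
        string[] samples =
        {
            "8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 773, V1DB1",
            "8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 52e, V1DB1",
            "8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 532, V1DB1",
            "8009030C:LDAPERR:DSID-0C0904DC, comment:acceptsecuritycontext error, data 5321, V1DB1",
        };
        foreach (string s in samples)
            Console.WriteLine("{0} <- {1}", AdBindError.Classify(s), s);
    }
}
```

Only a Correct result should let the password change proceed; Wrong and Unknown are both rejections.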
Summary
The approach in this article is a workaround adopted after failing to find a relevant official method. It is far from elegant, but it solves the problem. If you have a better way, please share it in the comments.