Does anyone know how can I reset password for Active Directory in C#?
I wrote the following code to reset the password in Active Directory:
[WebMethod]
public static string ResetPassword(string test)
{
string userDn = "CN=Joe Bloggs,OU=Test Accounts,OU=ST IT,OU=Departments,OU=Internal,OU=Divisions,DC=thegroup,DC=com,DC=au";
string password = "!qwer12345";
DirectoryEntry uEntry = new DirectoryEntry(userDn);
uEntry.Invoke("SetPassword", new object[] { password });
uEntry.Properties["LockOutTime"].Value = 0; //unlock account
uEntry.Close();
return "hello";
}
When I run the code, an error displays when it reaches the line uEntry.Invoke("SetPassword", new object[] { password });
Does anyone know what's causing this issue and how I could fix it?
This seems to explain the cause of the issue- you need to supply admin credentials (username and password).
I would think it's a security issue - when you're running it locally
on Windows directly, it's being executed under your own account, which
most likely has enough privileges to create the user.
When you do it through the web service, you run it as the "anonymous"
ASP.NET user which by default most likely won't have the permissions
to do this.
So when you bind to AD, you will need to supply credentials (username
and password) that are sufficiently priviledged to be able to create
users. You can do this in the "new DirectoryEntry()" constructor -
check it's overloads.
Related
I am pretty new to C#
I have been using Powershell scripts to code things like Unlocking an AD user or Enabling/Disabling an account. however, I do this with a different account, so I will log in with the admin account (Get-Credential) and storing it as '$cred' for example.
I am currently trying to do a similar thing in C# and I have found how to effectively "Authenticate"
But I am not sure how to store that Authentication, or have my app Authenticated to do things with it like Disable or Unlock an AD Account.
I have this:
public bool ADauthenticate(string username, string password)
{
bool result = false;
using (DirectoryEntry _entry = new DirectoryEntry())
{
_entry.Username = username;
_entry.Password = password;
DirectorySearcher _searcher = new DirectorySearcher(_entry);
_searcher.Filter = "(objectclass=user)";
try
{
SearchResult _sr = _searcher.FindOne();
string _name = _sr.Properties["displayname"][0].ToString();
MessageBox.Show("authenticated!");
result = true;
this.Close();
}
catch
{
MessageBox.Show("Incorrect credentials");
this.ADUsername.Text = "";
this.ADPwd.Text = "";
}
}
return result; //true = user Authenticated.
}
Which just tells me that the account is correct of course, but doesn't keep my application "authenticated", any ideas?
It's not accurate to say that your "application" was authenticated. All that was authenticated is a single network connection to your domain controller. As soon as _entry is destroyed, you lose that authentication.
If you want everything to happen using those credentials, then you have several options, ranging from easy (for you) to more difficult:
Have your users run your application under the credentials they need. Then you don't need to bother getting their username and password or setting the username and password on the DirectoryEntry object. Users can do this by:
Using Shift + right-click on the application icon and click "Run as a different user", or
Create a shortcut to: runas.exe /user:DOMAIN\username "yourapplication.exe". This will open a command window asking for the password, then start your application under those credentials.
You still ask for the username and password, but restart your application under those credentials using Process.Start().
Keep the username and password variables alive for the life of the application and pass them to every DirectoryEntry object you create in your application.
Options 1 and 2 require the computer that you're running this from is joined to the same or trusted domain as the domain you are connecting to. But since I see you're not specifying the domain name, I'm guessing that's the case.
You can do this a lot easier by using the System.DirectoryServices.AccountManagement assembly and namespace.
Add a reference to the System.DirectoryServices.AccountManagement assembly to your project, and then use this code to validate username/password against AD:
using System.DirectoryServices.AccountManagement;
// create the principal context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YourDomain"))
{
bool accountValidated = ctx.ValidateCredentials(userName, password);
// do whatever you want to do with this information
}
I'm creating a service to search for users in LDAP. This should be fairly straightforward and probably done a thousand times, but I cannot seem to break through properly. I thought I had it, but then I deployed this to IIS and it all fell apart.
The following is setup as environment variables:
ldapController
ldapPort
adminUsername 🡒 Definitely a different user than the error reports
adminPassword
baseDn
And read in through my Startup.Configure method.
EDIT I know they are available to IIS, because I returned them in a REST endpoint.
This is my code:
// Connect to LDAP
LdapConnection conn = new LdapConnection();
conn.Connect(ldapController, ldapPort);
conn.Bind(adminUsername, adminPassword);
// Run search
LdapSearchResults lsc = conn.Search(
baseDn,
LdapConnection.SCOPE_SUB,
lFilter,
new string[] { /* lots of attributes to fetch */ },
false
);
// List out entries
var entries = new List<UserDto>();
while (lsc.hasMore() && entries.Count < 10) {
LdapEntry ent = lsc.next(); // <--- THIS FAILS!
// ...
}
return entries;
As I said, when debugging this in visual studio, it all works fine. When deployed to IIS, the error is;
Login failed for user 'DOMAIN\IIS_SERVER$'
Why? The user specified in adminUsername should be the user used to login (through conn.Bind(adminUsername, adminPassword);), right? So why does it explode stating that the IIS user is the one doing the login?
EDIT I'm using Novell.Directory.Ldap.NETStandard
EDIT The 'user' specified in the error above, is actually NOT a user at all. It is the AD registered name of the computer running IIS... If that makes any difference at all.
UPDATE After consulting with colleagues, I set up a new application pool on IIS, and tried to run the application as a specified user instead of the default passthrough. Exactly the same error message regardless of which user I set.
Try going via Network credentials that allows you to specify domain:
var networkCredential = new NetworkCredential(userName, password, domain);
conn.Bind(networkCredential);
If that does not work, specify auth type basic (not sure that the default is) before the call to bind.
conn.AuthType = AuthType.Basic;
Is there a way to change a users password on a remote computer using WMI? I couldn't locate any resources on this.
I'd just like to add that we are not using active directory and I need to write my code in C#.
Well, these are VB Script examples in this Hey Scripting Guy column, but they should be translatable:
How do I change the local Administrator password for all the computers in an OU?
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("Computer")
For Each objItem in objOU
strComputer = objItem.CN
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
objUser.SetPassword("i5A2sj*!")
Next
The first part is AD based, but is just being used to find all of the machines in the domain. The second part (that does the actual remote password reset) doesn't rely on AD at all.
So, it's basically bind to WinNT://<ComputeName>/<UserName>, then call SetPassword().
And this other SO question on changing the local admin account password is already in C#:
public static void ResetPassword(string computerName, string username, string newPassword) {
DirectoryEntry directoryEntry = new DirectoryEntry(string.Format("WinNT://{0}/{1}", computerName, username));
directoryEntry.Invoke("SetPassword", newPassword);
}
I'm writing a function for a web app in ASP.NET where the client logs into the server machine, which is Windows authenticated against the local users on the server. The function I am writing resets the users password and emails them the new one. I do this like so:
String userPath = "WinNT://" + Environment.MachineName + "/" + username.Text;
DirectoryEntry de = new DirectoryEntry(userPath);
de.Invoke("SetPassword", new object[] { password });
How can I also check the flag to force the user to change their password the next time they log in with the password emailed to them? I tried using pwdLastSet like so:
de.Properties["pwdLastSet"].Value = 0;
But this apparently only works with LDAP, not WinNT, and I am doing this locally.
Any experts know any better than me? I have even tried looking for a way to do this through the command line so that I can just create a Process, but I haven't been able to find a way to do it that way, either.
For WinNT, you must set the value to 1 rather than 0, and the property name is "PasswordExpired" rather than "pwdLastSet"; see http://msdn.microsoft.com/en-us/library/aa746542(VS.85).aspx
In other words, do this for WinNT:
de.Properties["PasswordExpired"].Value = 1;
(It is confusing, I know, but for LDAP you need to set the property "pwdLastSet" to 0. How's that for inconsistency!)
I want to run this function, or at least the bit that deletes the machine account from AD with different credentials:
public static void DeleteMachineAccount(String MachineName)
{
String MachineLdapPath = LdapPath(MachineName);
String OuLdapPath = MachineLdapPath.Replace("CN=" + MachineName + ",", "");
Console.WriteLine(MachineLdapPath);
Console.WriteLine(OuLdapPath);
if (DirectoryEntry.Exists(MachineLdapPath))
{
try
{
DirectoryEntry MachineOu = new DirectoryEntry(OuLdapPath);
DirectoryEntry MachineToDelete = new DirectoryEntry(MachineLdapPath);
MachineOu.Children.Remove(MachineToDelete);
MachineToDelete.CommitChanges();
}
catch (Exception e)
{
Console.WriteLine(e.Message.ToString());
}
}
}
(The LdapPath function just returns an LDAP path for the machine name specified.)
How / where do I specify some different credentials to allow this to run? At the moment I get access denied, as the account I am using will not have permission to do this.
Thanks,
Ben
You can use the overload of the DirectoryEntry class that provides authentication. This will cause your LDAP query to be run from the DirectoryServices with this particular user's permission. A word of caution, in order to do this you'll need to pass credentials (which would need to be stored or entered by the user), so be careful in how you handle them. Storing them in plain text may cause system security problems.
New DirectoryEntry(ldapRoot, _activeDirectoryUsername, _activeDirectoryPassword);
You need to use impersonation. The easiest way to do this is to actually "borrow" the permission of whoever called this method. e.g., if this is invoked from a named pipe or WCF call, there are built-in ways to impersonate the caller and do this on their behalf.