I need to reset a user password. to do so, I use the following code:
DirectoryEntry de = ..
de.AuthenticationType = AuthenticationType.Secure
de.Password = txtPassword.text
de.CommitChanges()
When i run the code - nothing happens. The user password does not change, and no exception is thrown.
if i use the following method:
de.Invoke("SetPassword", .. );
when i run the code, I get a message that says: Please insert smartcard ...
I have admin privilages over the user account.
The user does not have UAV set for smart card.
Any ideas ?
The Password property of the DirectoryEntry class isn't what you think it is. You're not changing the user's password, you're changing the password you're using to access further information from the DirectoryEntry object.
From the MSDN documentation:
You can set the Username and Password properties to specify alternate
credentials with which to access the information in Active Directory
Domain Services. Any other DirectoryEntry objects retrieved from this
instance (for example, through Children) are automatically created
with the same alternate credentials.
With your second method, if you're being asked to insert a smartcard I doubt that has anything to do with the user you're modifying - it's more likely it's asking for your smartcard. If you're not set up to use smartcards either, then I'm really not sure why it's asking you for one at all.
Take a look at this related question and see if the answers there help.
Related
Using WPF & C#, I can set all the attributes in Active Directory, but can't do the following :
1) Can't Set User Password
2) Can't Enable User
However, I can do the same thing manually!
Approach Tried:
1.
DirectoryEntry directoryEntry=
directoryEntry.Invoke("SetPassword", new object[] {myPass#x6712}); // To set password
directoryEntry.Properties["userAcountControl"].Value=0x0200; //To Enable User
2.
DirectoryEntry uEntry = new DirectoryEntry(userDn);
uEntry.Invoke("SetPassword", new object[] { password });
uEntry.Properties["LockOutTime"].Value = 0; //unlock account
3.
using (var context = new PrincipalContext( ContextType.Domain ))
{
using (var user = UserPrincipal.FindByIdentity( context, IdentityType.SamAccountName, userName ))
{
user.SetPassword( "newpassword" );
// or
user.ChangePassword( "oldPassword", "newpassword" );
user.Save();
}
}
ERROR ON PASSWORD SET: Exception has been thrown by the target invocation.
ERROR ON ENABLE USER: Access is denied.
NOTE: I'm using a Domain Admin User.
The program gives the exception in these above lines.
Please, Advice! Thanks in Advance !!
Maybe this is just a mistake in your question, but the code you show in your first example wouldn't compile because the password is not in quotes. It should be:
directoryEntry.Invoke("SetPassword", new object[] {"myPass#x6712"});
That code invokes IADsUser.SetPassword. The 'Remarks' in the documentation point to some prerequisites for it to work, namely, that it must be a secure connection. So it may have failed in setting up a secure connection. It would usually try Kerberos to do that, so something might have gone wrong there.
You can try specifically connecting via LDAPS (LDAP over SSL) by pointing it at port 636 (new DirectoryEntry("LDAP://example.com:636/CN=whatever,DC=example,DC=com")), but that requires that you trust the certificate that is served up. Sometimes it's a self-signed cert, so you would need to add the cert to the trusted certs on whichever computer you run this from.
Or, the account you are running it with does not have the 'Reset Password' permission on the account.
For enabling, the userAccountControl attribute is a bit flag, so you don't want to set it to 2, mostly because 2 (or more accurately, the second bit) means that it's disabled. So you want to unset the second bit. You would do that like this:
directoryEntry.Properties["userAcountControl"].Value =
(int) directoryEntry.Properties["userAcountControl"].Value & ~2;
Most of the time that will result in a value of 512 (NORMAL_ACCOUNT), but not necessarily. The account could have other bits set that you don't want to inadvertently unset.
You also need to call .CommitChanges() for the changes to userAcountControl to take effect:
directoryEntry.CommitChanges();
I have a system that creates, in realtime, an user in AD and prints a tag for credentials. That user is used by a person to navigate in the internet.
Everything was ok until now. That user cannot log on company's computer, only on the proxy servers.
In class UserPrincipal, we have the "PermittedWorkstations" property, but it is readonly.
Is there a way to set the PermittedWorkstations (or set the computers restrictions os the users, adding the computers that he is able to logon - like this image http://i.stack.imgur.com/tu2Kp.png)?
As DeFirmo already mentioned: it is unlikely that the problem will be solved by setting the "Permitted Workstation", but nevertheless:
Use direct ADSI commands, the following works for me:
using System.DirectoryServices;
....
using (DirectoryEntry de = new DirectoryEntry("LDAP://CN=NewlyCreatedUser,CN=Users,DC=ad,DC=local"))
{
de.Properties["userWorkstations"].Add("WS1,WS2");
de.CommitChanges();
}
You must use the Add method of PermittedWorkstations Of User.Principal
User.PermittedWorkstations.Add("SampleWorkstation"));
I'm working on a project where the client wants to restrict some content to only Active Directory users . Is there any way to identify that a SPUser is an AD user short of parsing the username string for the domain (or something along those lines). Something like SPUser.IsADUser would be awesome.
Edit
This seems to work, but I'm not sure if this is reliable enough? For this use case, identifying that a user is a windows user is enough (there are no local system accounts)
SPUser user = SPContext.Current.Web.CurrentUser;
string userName = user.LoginName.Substring(user.LoginName.IndexOf('|') + 1);
SPPrincipalInfo info = SPUtility.ResolveWindowsPrincipal(SPContext.Current.Site.WebApplication, userName, SPPrincipalType.User, false);
if(info != null){
//THIS IS A WINDOWS ACCOUNT
}
In my experience it is much better to use audiences for this purpose. You then can easily trim any web part using "Audience" property. You can read about audiences here. Of course it will only work if you have user profile synchronization configured.
I am writing a small app that integrates with AD and will be listing users and allowing members of the site to edit certain fields of the users. These fields will be, first name, last name, display name and email.
When I run the following code I get an exception that says
The server is unwilling to process the request.
Please note that result is not null and contains the correct active directory user that I want to edit. Also note that result is of type SearchResult. Also note that the user I am using to connect to AD is the Administrative user.
DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
entryToUpdate.Properties["cn"].Value = user.Name;
entryToUpdate.Properties["mail"].Value = user.Email;
entryToUpdate.Properties["sn"].Value = user.Surname;
entryToUpdate.Properties["displayName"].Value = user.DisplayName;
string username = user.Email.Substring(0, user.Email.IndexOf("#"));
entryToUpdate.Properties["sAMAccountName"].Value = username;
entryToUpdate.CommitChanges();
Any Ideas?
I believe
entryToUpdate.Properties["cn"].Value = user.Name;
is your Problem. Use givenName as first Name. "cn" is managed by the System.
Also:
If using Exchange, the Mail attribute is managed by it.
Consider the ramifications of modifing samAccountName. Users may not know how to log in, seperate Systems with pseudo SSO may not recognize them, the Login Name does not match the local Profile Name, etc.
I code in C# (ASP.NET) and am using Forms authentication.
I would like to know which is the best method to change a user password without using the asp:ChangePassword control.
I dont want to use the reset password method.
I just want to grab the password i have inside my textbox and replace it with my older password.
Please note that the PasswordFormat I use is passwordFormat="Hashed"
Some code snippets would be helpful
Edit:
In my web.config, I have set enablePasswordRetrieval="false"
I used the following method
var myUser = Membership.GetUser(userID);
bool isChangeSuccess = myUser.ChangePassword(
myUser.GetPassword(),
ActivateUserPasswordText.Text.Trim());
It gives me the error,
This Membership Provider has not been
configured to support password
retrieval.
What could be done to solve these issues?
I would really like my PasswordFormat to be hash itself.
Regards,
Naveen Jose
Got it solved. Thanks to my fellow developer.
var myUser = Membership.GetUser(userID);
bool isChangeSuccess = myUser.ChangePassword(
myUser.ResetPassword(),
ActivateUserPasswordText.Text.Trim());
Cant say I liked it much though.
I thought ResetPassword() would be returning a bool.
Assuming you are using the ASP.NET security thingies.
System.Web.Security.MembershipProvider.ChangePassword method
Only the Hash value for the passwords are usually stored by the asp.net membership provider, so it is not possible to retrieve the original password. It is possible to change this behavior by configuration, but it is not recommended.
Simply ask the user to enter the old password also while changing the password. You can use the old password entered by the user in the User.ChangePassword method and it should work fine.
This Membership Provider has not been configured to support password retrieval.
The above message is displayed because of your password format will be salt and so that you can't get the password of the user. If you want to do this change the password format and try again.
On the off chance someone is using the ApplicationUser and not the Membership - as I was because I did not want to set a Membership Provider - you can change the password this way:
Dim manager = New UserManager()
Dim userChange As ApplicationUser = manager.FindById(IDUser)
userChange.PasswordHash = manager.PasswordHasher.HashPassword(newPassword.Value)
Dim val As Object = manager.Update(userChange)
Hope this helps someone