
How can I detect "user must change password on next login" In .NET?


Ross Pellegrino

Jun 6, 2004, 2:18:39 AM
Hi,

Is there a way to detect that a user must change their password on their
next login?

I tried to authenticate the user but it fails and the exception that I get
back doesn't really help. I analyzed the exception stack trace and all it
says is that the login failed.

I also tried to log in as an administrator and then did a search on the user
object, but can't seem to find any noticeable information that might give me
some indication that this user must change password on their next login.

Sorry for being so new to this. Any help would be appreciated.

Thanks in advance
Ross


Joe Kaplan (MVP - ADSI)

Jun 7, 2004, 12:54:08 AM
You would need to bind with credentials that are known good and check
pwdLastSet to see if it is 0.

The issue is whether knowing this helps you or not. You can't bind with the
user's credentials when they are in that state, so knowing might not help
(unless you just want to provide more useful feedback).

Joe K.

"Ross Pellegrino" <ross_pe...@hotmail.com> wrote in message
news:ODqkc44S...@tk2msftngp13.phx.gbl...

Joe Richards [MVP]

Jun 7, 2004, 10:06:27 AM
Note that if the user's password has expired due to time, this won't catch it, as
pwdLastSet will have a valid int8 value indicating the last password change; it
will simply be too old compared to the password aging policy.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Ross Pellegrino

Jun 7, 2004, 10:35:59 AM
Thanks Joe,

This is useful. I have one question. If the user account is set to "must
change password on next login", can I bind to the object using their
credentials? If not, can you tell me if my workaround makes sense?

1. I would log in to AD with some valid credentials.
2. Find the User object and check pwdLastSet to see if it is 0.
3. If set to 0, then force the user to provide old and new passwords and update
   the User object with the new password.
4. On behalf of the user, I would re-login to AD.

Thanks
Ross


"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:OaOzHuET...@tk2msftngp13.phx.gbl...

Joe Kaplan (MVP - ADSI)

Jun 7, 2004, 11:19:44 AM
I'm pretty sure you can't bind if they are in that state. Thus the flaw
would be that you have no way to verify that the old password they specified
is valid, which might allow a hacker to reset someone's password if they
were in that state. Remember that an LDAP bind does not constitute a login
to Windows/AD.

I'd like to know a good strategy to deal with this as well, but I don't know
of one with pure LDAP. Maybe someone else has an idea.

Joe K.

"Ross Pellegrino" <ross_pe...@hotmail.com> wrote in message
news:OSyiBzJT...@TK2MSFTNGP10.phx.gbl...

Joe Kaplan (MVP - ADSI)

Jun 7, 2004, 11:22:43 AM
Yep, you'd have to check for that as well by comparing the pwdLastSet date
to the current password policy.

Joe R. (while you are pitching in on this thread), do you know of an LDAP
way to get a user to bind and change passwords if they have pwdLastSet = 0?
How does Windows deal with this?

Joe K.

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:ubn8WhJT...@TK2MSFTNGP09.phx.gbl...
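Pulling the thread's two checks together, as an added C# example that is not code from any of the posters: bind with a known-good service account (the user's own credentials will not bind in this state), read pwdLastSet, treat 0 as "must change password at next logon", and otherwise compare its date to the domain's maxPwdAge as Joe R. describes. The domain LDAP path, the service account, the EscapeFilterValue helper and the "password never expires" exemption via userAccountControl are assumptions of this example; it only detects the state and does not attempt the reset that Joe K. points out cannot be verified over pure LDAP.

```csharp
using System;
using System.DirectoryServices;

public enum PasswordState { Ok, MustChangeAtNextLogon, ExpiredByPolicy, NeverExpires }

public static class PasswordStateChecker
{
    const int UfDontExpirePasswd = 0x10000; // userAccountControl: "password never expires" (assumed exemption)

    // Decision logic kept separate from directory access so it can be unit-tested.
    // pwdLastSet == 0 means "must change password at next logon"; otherwise the FILETIME
    // is compared against maxPwdAge, which AD stores as a negative interval in 100-ns ticks.
    public static PasswordState Evaluate(long pwdLastSet, long maxPwdAge, int userAccountControl, DateTime nowUtc)
    {
        if (pwdLastSet == 0) return PasswordState.MustChangeAtNextLogon;
        if ((userAccountControl & UfDontExpirePasswd) != 0) return PasswordState.NeverExpires;
        if (maxPwdAge == 0 || maxPwdAge == long.MinValue) return PasswordState.NeverExpires; // no aging policy
        DateTime expiresUtc = DateTime.FromFileTimeUtc(pwdLastSet).AddTicks(-maxPwdAge);
        return nowUtc >= expiresUtc ? PasswordState.ExpiredByPolicy : PasswordState.Ok;
    }

    // Binds with a known-good service account (hypothetical values supplied by the caller),
    // reads maxPwdAge from the domain root and the user's pwdLastSet/userAccountControl.
    public static PasswordState Check(string domainPath, string svcUser, string svcPassword, string samAccountName)
    {
        using (var domain = new DirectoryEntry(domainPath, svcUser, svcPassword, AuthenticationTypes.Secure))
        {
            long maxPwdAge;
            using (var policy = new DirectorySearcher(domain, "(objectClass=*)", new[] { "maxPwdAge" }, SearchScope.Base))
                maxPwdAge = (long)policy.FindOne().Properties["maxPwdAge"][0];

            string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeFilterValue(samAccountName) + "))";
            using (var users = new DirectorySearcher(domain, filter, new[] { "pwdLastSet", "userAccountControl" }, SearchScope.Subtree))
            {
                SearchResult hit = users.FindOne();
                if (hit == null) throw new ArgumentException("No such user: " + samAccountName);
                long pwdLastSet = (long)hit.Properties["pwdLastSet"][0];
                int uac = (int)hit.Properties["userAccountControl"][0];
                return Evaluate(pwdLastSet, maxPwdAge, uac, DateTime.UtcNow);
            }
        }
    }

    // RFC 4515 escaping so a caller-supplied account name cannot alter the LDAP filter.
    static string EscapeFilterValue(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

Evaluate(0, anyPolicy, 0, now) returns MustChangeAtNextLogon, while a non-zero pwdLastSet older than the policy age returns ExpiredByPolicy, which is the case Joe R. warns the zero check alone would miss.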
