eych

Reputation: 1272

Trying to change a password that "user must change" in AD through ASP.NET

If the account does not have "user must change at next login" checked, I can change the password.
However, if the box is checked, I get a bad password error when I try to access the user.

LogOnUser() returns the correct error code so I know the user must change their password.
As Joe Kaplan says here (back in 2004), I can't bind to the user to be able to change their passwords.

It's the same issue whether using AccountManagement/PrincipalContext or DirectoryEntry/DirectorySearcher.

Upvotes: 2

Views: 1497

Answers (1)

KennyZ

Reputation: 907

I did this on a project at my last position. Rather than trying to bind to the user with their own credentials, we set up an AD account with only the rights to make the password change.

So, once you have the error code indicating that the user must change their password, ask for the new password, grab the user as admin, and make the change.

As I recall, we had to pass the admin username and password explicitly to make it work, rather than relying on the credentials the code was running under.

For security, we stored an encrypted copy of the limited admin username and password in the registry, and decrypted it when we were making the call.

Code will be something like this:

        using System.DirectoryServices.AccountManagement;

        // Bind as the limited service account, not as the end user.
        // Note: SimpleBind sends these credentials in clear text unless
        // combined with ContextOptions.SecureSocketLayer.
        PrincipalContext dc = new PrincipalContext(ContextType.Domain, 
            "www.yourdomain.com", "dc=yourdomain,dc=com", 
            ContextOptions.SimpleBind, "AdminUserName", "AdminPassword");
        UserPrincipal usr = UserPrincipal.FindByIdentity(dc, 
            "UserWhoNeedsPasswordChanged");
        // ChangePassword (not SetPassword) still supplies the old password,
        // so the DC verifies it before accepting the new one.
        usr.ChangePassword("oldPass", "newPass");

Upvotes: 2
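The full flow the answer describes, as an added example that is not the answer's own code: call LogonUser to validate the credentials, treat ERROR_PASSWORD_MUST_CHANGE (1907) and ERROR_PASSWORD_EXPIRED (1330) as the "must change" state, then bind with the limited service account and call ChangePassword on the user's behalf. The domain name "yourdomain.com", its container DN, and the caller-supplied `NetworkCredential` for the service account are assumptions; how that credential is stored (the answer used an encrypted registry value) is left to the caller.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Net;
using System.Runtime.InteropServices;

// Added example; assumed domain "yourdomain.com" and container "DC=yourdomain,DC=com".
public static class MustChangePasswordFlow
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PASSWORD_EXPIRED = 1330;     // 0x532
    const int ERROR_PASSWORD_MUST_CHANGE = 1907; // 0x773

    public enum LogonResult { Success, MustChangePassword, Failed }

    // Step 1: validate the user's credentials and detect the must-change state
    // from the Win32 error code, as the question describes.
    public static LogonResult TryLogon(string domain, string user, string password,
        out int win32Error)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
            LOGON32_PROVIDER_DEFAULT, out token);
        win32Error = ok ? 0 : Marshal.GetLastWin32Error();
        if (ok)
        {
            CloseHandle(token);
            return LogonResult.Success;
        }
        return (win32Error == ERROR_PASSWORD_MUST_CHANGE || win32Error == ERROR_PASSWORD_EXPIRED)
            ? LogonResult.MustChangePassword
            : LogonResult.Failed;
    }

    // Step 2: bind as the limited service account and change the password on the
    // user's behalf. ChangePassword (not SetPassword) still sends the old password,
    // so the DC verifies it; the service account therefore needs only the
    // "Change Password" extended right on the user objects, not "Reset Password".
    public static void ChangeOnBehalfOf(NetworkCredential serviceAccount,
        string samAccountName, string oldPassword, string newPassword)
    {
        // Negotiate + Sealing keeps the bind off the wire in clear text.
        using (var ctx = new PrincipalContext(ContextType.Domain, "yourdomain.com",
            "DC=yourdomain,DC=com", ContextOptions.Negotiate | ContextOptions.Sealing,
            serviceAccount.UserName, serviceAccount.Password))
        using (var usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (usr == null)
                throw new InvalidOperationException("No such user: " + samAccountName);
            // Throws PasswordException if oldPassword is wrong or newPassword fails policy.
            usr.ChangePassword(oldPassword, newPassword);
        }
    }

    // Driver: what the login handler does with a username/password pair and,
    // when required, the new password collected from the user.
    public static bool Login(NetworkCredential serviceAccount, string domain,
        string user, string password, Func<string> promptForNewPassword)
    {
        int err;
        var result = TryLogon(domain, user, password, out err);
        if (result == LogonResult.Success) return true;
        if (result == LogonResult.Failed) return false; // e.g. 1326 ERROR_LOGON_FAILURE

        // Must-change state: the user's own bind is refused, so use the service account.
        string newPassword = promptForNewPassword();
        try
        {
            ChangeOnBehalfOf(serviceAccount, user, password, newPassword);
        }
        catch (PasswordException)
        {
            return false; // wrong old password or new password rejected by policy
        }
        // Re-validate with the new password; the flag is cleared by the change.
        return TryLogon(domain, user, newPassword, out err) == LogonResult.Success;
    }
}
```

Check the service account's permissions with a one-off test: with only "Change Password" delegated, `ChangeOnBehalfOf` should succeed when the old password is right and throw `PasswordException` when it is wrong, while `usr.SetPassword(...)` should be refused. If `SetPassword` also works, the account has more rights than this flow needs.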
