CODEWITHSUNDEEP
c#.netwindowsactive-directory
Ostati
Ostati

Reputation: 4741

Active Directory property "badPwdCount"

Problem: We've upgraded the AD server from 2003 to 2008 and due to some "bad code", where developer has coded in such a way that, he directly casts "badPwdCount" property value to INT and it blows up because of NULL value conversion - NULL reference exception - NULL cannot be converted to INT.

Bigger problem: We cannot do a deployment at this point because there are over 100 individual apps that depended on this change and we're looking for a least involved way of dealing with it for now.

Background: Now the way this "badPwdCount" property works is, that when user logs on to the domain, it will get set to zero, otherwise it's NULL. The problem is that none of these users are ever going to log on interactively because they're external and we authenticate them via API and they cannot log in using the API either..

Question: Does anyone know if this value is in the registry or somewhere, where I can get to it and set it to zero? Was also thinking of initiating a log in per user via a script, but wanted to gather other ideas too...

MSDN page for badPwdCount: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675244(v=vs.85).aspx

Upvotes: 2

Views: 2553

Answers (1)

Ashigore
Ashigore

Reputation: 4678

Normally this would be easy, all you would need to do is update all the users in active directory and set the value to 0 if it is null. There are various ways you could do this, for example a script or code, or a bulk update tool.

In this case, badPwdCount is a special property that is not replicated (i.e. it is different for each domain controller) and so far as I can tell, there is no way to update it manually or by script, however, I think I have a solution for you.

You should be able to easily trigger a single failed login for every user in active directory against each domain controller, causing the value to be incremented.

Since you tagged your post with C#, here is some C# code that will do the trick for you:

using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.ActiveDirectory;

...

using (Domain domain = Domain.GetComputerDomain())
{
    foreach (DomainController domainController in domain.DomainControllers)
    {
        using (PrincipalContext context = new PrincipalContext(ContextType.Domain, domainController.Name))
        using (UserPrincipal userPrincipal = new UserPrincipal(context))
        using (PrincipalSearcher searcher = new PrincipalSearcher(userPrincipal))
        using (PrincipalSearchResult<Principal> results = searcher.FindAll())
        {
            foreach (UserPrincipal user in results.OfType<UserPrincipal>())
            {
                context.ValidateCredentials(user.SamAccountName, "THEREISNOWAYTHISISTHECORRECTPASSWORD");
            }
        }
    }
}

PS. If this screws up your AD I take no responsibility for it!

Upvotes: 4

Related Questions