Reputation: 2687
Changing Active Directory passwords always fails on password complexity
I'm trying to give my SharePoint 2010 users to change their AD passwords using the following C# on an application page (.aspx):
using (HostingEnvironment.Impersonate())
{
ctx = new PrincipalContext(ContextType.Domain);
user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName);
if (user != null)
{
user.ChangePassword(oldPw, newPw);
user.Save();
}
}
Which works fine on my development environment. On the production environment however, regardless of the new password and the password policy set in gpmc, I always get the following exception
System.DirectoryServices.AccountManagement.PasswordException: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)
I've tried using the "old" method of:
directoryEntry.Invoke("ChangePassword", oldPassword, newPassword);
directoryEntry.Commit();
but that gives the same exception.
This has completely stumped me - the only possible reasons I can think of are that either the code needs to run on a box that is a DC (hence why it works on development but not production) or because SharePoint is configured slightly differently.
Upvotes: 2
Views: 2817
Answers (3)
Reputation: 3704
The complexity error is also returned if an attempt is made to change the password before the 'Password changeable' date has been reached (default: 24 hours after successful password change/reset).
Upvotes: 1
Reputation: 1118
Better late than never...
One of the following Microsoft patches released in December 2015, or the combination of them, contained a bug that would cause a spurrious throw of the above error, even though the password was actually changed successfully.
- Security Update KB3142024
- Security Update KB3156016
- Security Update KB3153171
- Security Update KB3156019
- Security Update KB3156013
- Security Update KB3153199
- Security Update KB3156017
MS has told our company that it is fixed by applying the applicable ones of these later patches:
- 3126587 https://support.microsoft.com/en-us/kb/3126587
- 3126593 https://support.microsoft.com/en-us/kb/3126593
- 3140410 https://support.microsoft.com/en-us/kb/3140410
- 3156417 https://support.microsoft.com/en-us/kb/3156417
The rather horrible alternative workaround is to record the user.LastPasswordSet() DateTime, put the password change in a try/catch for the specific error, and on catch, see if the user.LastPasswordSet() has changed... if it has, swallow the error. I refuse to post code for this horrible workaround.
Upvotes: 3
Reputation: 69
Be sure the password you are trying to set "meet the password policy requirements".
Password must meet complexity requirements Description This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created. If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created: Passwords must not contain the user's entire samAccountName (Account Name) value or entire displayName (Full Name) value. Both checks are not case sensitive:
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
Passwords must contain characters from three of the following five categories:
Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Base 10 digits (0 through 9)
Nonalphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
Upvotes: 0
Related Questions
- How to programmatically change Active Directory password
- set user password using c# in Active Directory fails
- Constraint violation when trying to set "User Cannot Change Password" in active directory from c#
- C#: code error while changing the active directory user's password
- UserPrincipal.ChangePassword Throwing PasswordException
- Error on Password Change Of Active Directory User
- "The specified network password is not correct." exception when changing a users password
- LDAP: Unable to Change Password
- Access Denied when changing password in AD programmatically
- Trying to change a password that "user must change" in AD through ASP.NET