Forgot Password

I am trying to create a web application to reset the password based on question/answer using System.Web.Security API.

I get an exception:

"DirectoryServicesCOMException (0x8007202f): A constraint violation occurred" if the user provides one bad answer to the question.

If I reset the value of attributeMapFailedPasswordAnswerCount to "not set", the account becomes active again.

Account Lockout threshold in AD is set to 20 logon attempts.

I am a novice on AD and would be grateful if someone could guide me on how to solve this problem.

Thank you.

c#
asp.net
active-directory
forgot-password
asked on Stack Overflow Jul 26, 2012 by user984201 • edited Dec 13, 2013 by OhadR

1 Answer

I'm guessing you're using ASP.NET? I don't really have any experience with it, nor do I have much experience with .NET in general (I'm still learning myself), but this was a really useful link providing examples of various Active Directory APIs (link), including resetting a user password. Here is a link to the DirectoryEntry class, if you aren't sure how to set it up (link). Plus, just browsing through the namespace documentation is very, very helpful (link). Probably the only thing I like about Microsoft is their good documentation.

I usually do something like this (in IronPython, so it will not translate directly to code you can use):

import clr
clr.AddReference("System.DirectoryServices")
import System.DirectoryServices
from System import Array

class BadError(Exception):
    pass

# acc (account name), admin and pwd are supplied elsewhere in the script
ou = System.DirectoryServices.DirectoryEntry("LDAP://ou=Users,dc=whatever,dc=something,dc=localetc")
search = System.DirectoryServices.DirectorySearcher(ou, "(samAccountName=" + acc + ")", Array[str](["distinguishedName"]))
result = search.FindAll() # note 1
if result.Count != 1:
    raise BadError
else:
    # the bare DN is not an ADsPath; prefix it with the provider
    ent = System.DirectoryServices.DirectoryEntry("LDAP://" + result[0].Properties["distinguishedName"][0])
    ent.Username = admin # note 2
    ent.Password = pwd
    ent.Invoke("SetPassword", Array[object](["newpassword!"]))
    ent.Properties["LockOutTime"].Value = 0 # clear the lockout
    ent.CommitChanges()

Notes:

  1. If this ever returns more than one result, you have issues.

  2. This and the password are only necessary if the account running this does not have permission to change the user. I run these on an unprivileged account so I have to include my admin credentials in the script (don't worry, they aren't hardcoded).

Oh, and your account lockout threshold is quite high. I would suggest 3-5, depending on the aptitude of your users.

answered on Stack Overflow Jul 27, 2012 by Logan
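The same lookup, reset and unlock sequence in C# for the ASP.NET side of the question, added here as an example and not code from either poster. ouPath, adminUser and adminPassword are assumed caller-supplied placeholders, and the account name is escaped before it is placed in the LDAP filter so that user input cannot change the filter's meaning.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class AdPasswordReset
{
    // Escape a user-supplied value per RFC 4515 so it cannot change the filter's meaning.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*': sb.Append("\\2a"); break;
                case '(': sb.Append("\\28"); break;
                case ')': sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Look up exactly one account by sAMAccountName, set its password and clear lockoutTime.
    // ouPath, adminUser and adminPassword are placeholders supplied by the caller.
    public static void ResetAndUnlock(string ouPath, string adminUser, string adminPassword,
                                      string accountName, string newPassword)
    {
        string filter = "(sAMAccountName=" + EscapeLdapFilterValue(accountName) + ")";
        using (var root = new DirectoryEntry(ouPath, adminUser, adminPassword))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        using (SearchResultCollection results = searcher.FindAll())
        {
            if (results.Count != 1)
                throw new InvalidOperationException("Expected exactly one account, found " + results.Count);

            // GetDirectoryEntry reuses the credentials of the search root
            using (DirectoryEntry user = results[0].GetDirectoryEntry())
            {
                user.Invoke("SetPassword", new object[] { newPassword });
                user.Properties["lockoutTime"].Value = 0;
                user.CommitChanges();
            }
        }
    }
}
```

SetPassword requires the caller to hold the reset-password right on the target object, and it goes over a secure channel (Kerberos/LDAPS), so the ASP.NET process identity or the supplied admin credentials must be provisioned accordingly.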

User contributions licensed under CC BY-SA 3.0