4

As the title suggests, I am having an issue regarding respecting the password policy when setting a users password, specifically, the password history restriction.

The scenario is a user password reset, when the user does not know his current password. I am using the following to accomplish this:

using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "XXXX", "ADMINUSER", "ADMINPASSWORD")) {
    using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username)) {
        user.SetPassword(password);
    }
}

This works against every policy MINUS the password history restriction.

Now take this scenario, when a user wants to change their password and knows their current password I am using:

using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "XXXX.XXX.com")) {
    using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username)) {
        user.ChangePassword(currentPassword, newPassword);
    }
}

... which works as expected, and validates against all password policy restrictions.

Has anyone ever had to deal this?

Cheers :)

4

3 回答 3

5

This is by design, as far as I have used it. The SetPassword is intented to act like an admin who resets user password - the complexity policy holds but there are no restrictions on the history. Suppose admin resets your password, sees "can't set the same password" - one of your passwords is compromised.

Our workaround was to allow the management to go through one of our web subsystems only and persist the history of hashes so that the responsibility to verify the history was put on the custom subsystem rather than the ad.

于 2013-07-05T19:00:33.360 回答
1

我知道这是一篇旧帖子,但我们从未找到可接受的答案。我们的系统人员不喜欢为历史存储我们自己的哈希值的想法。我们最终实现了这样的解决方案:

using (PrincipalContext context = new PrincipalContext(ContextType.Domain, 
        "XXXX","ADMINUSER", "ADMINPASSWORD"))
{
    using (UserPrincipal user = 
        UserPrincipal.FindByIdentity(context,IdentityType.SamAccountName, username)) 
    {
        string tempPassword = Guid.NewGuid().ToString();
        user.SetPassword(tempPassword);
        user.ChangePassword(tempPassword, password);
    }
}

我们将人的密码重置为我们的代码知道的足够长且复杂的随机密码。然后,我们使用用户输入的新密码在更改过程中将该密码用作旧密码。如果该过程未能通过包括密码历史记录在内的策略检查,我们将该错误传递回最终用户,他们必须重试.

于 2020-02-27T15:07:43.053 回答
0

如果通过 FindByIdentify 找不到用户名,您可能还想先检查它是否为空!

using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "XXXX.XXX.com")) {
    using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
    {
        if (user != null)
        {
            user.ChangePassword(currentPassword, newPassword);
        }
        else
        {
            throw new Exception(string.Format("Username not found: {0}", username));
        }
    }
}
于 2016-04-06T16:40:48.183 回答