SA Developer .NET

Hi Everyone

 I am attempting to write an application to reset a users ad password.

The code looks like this: 

public string resetPassword(string fullname)
        {
            directorySearcher = new DirectorySearcher(directoryEntry);

            //Set a filter for users using the supplied domainID
            directorySearcher.Filter = "(&(objectClass=user)(mail=" + email+ "))";

            result = directorySearcher.FindOne();
            string newPassword = "";

            Random rnd = new Random();

            PasswordGenerator makePassword = new PasswordGenerator(rnd, 8);

            newPassword = makePassword.Generate();

            result.GetDirectoryEntry().Invoke("setPassword", newPassword);

            directoryEntry.CommitChanges();

            //MessageBox.Show(" The user's password has been reset. ", "Password Reset Successful");

            return newPassword;
        }

 

This works for most users. However on specific users it throws an "Access Denied" error on the  "result.GetDirectoryEntry().Invoke("setPassword", newPassword);" line.

 I don't quite know why this would be, as we have tried impersonating the users themselves, as well as using credentials of a system account with (supposedly) enough credentials to reset all but domain admin passwords.

 

Please Help.

Thanks

G

 

---

--Gambit--

Give me a lever long enough and I shall move the world.

Does the user(s) exists?

Yes. There is no error finding the user on AD.

The found email address is then passed to this procedure, which attempts to reset the password.

 

---

--Gambit--

Give me a lever long enough and I shall move the world.

Or do they have something like roaming user profiles (the ones that don't want to change), and they are currently logged in?. If it is a roaming profile, that would make sense seeing as they need their data and settings at any place, and they possibly (I re-iterate possibly, taking a flyer here) can't afford to have their accounts changed while they are still logged in.

Just a thought

The H...............

---

The Question is the Answer, and the Answer is the Question!

I think Horatio might have a point.

We will ask the user to log off the domain and attempt to reset his password.

 

Besides this, is there anything else that I can try?

 

---

--Gambit--

Give me a lever long enough and I shall move the world.

No, not anything I can think of.

Maybe, just maybe, (I know you probably checked this already), but isn't it possible the user's password has been locked (the setting in AD that disallows users to change their password). Especially if you tried changing the password impersonated as the user, this would cause an "Access Denied" error.

Hope this helps,

Regards,

---

The Question is the Answer, and the Answer is the Question!

Hi guys

 Thought I'd post this incase anyone else is having a similar problem.

It was indeed a setting on the users ad profiles.

The checkbox 'allow inherit from parent' was unchecked for those users that failed.

 

---

--Gambit--

Give me a lever long enough and I shall move the world.