问题
As the title suggests, I am having an issue regarding respecting the password policy when setting a users password, specifically, the password history restriction.
The scenario is a user password reset, when the user does not know his current password. I am using the following to accomplish this:
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "XXXX", "ADMINUSER", "ADMINPASSWORD")) {
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username)) {
user.SetPassword(password);
}
}
This works against every policy MINUS the password history restriction.
Now take this scenario, when a user wants to change their password and knows their current password I am using:
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "XXXX.XXX.com")) {
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username)) {
user.ChangePassword(currentPassword, newPassword);
}
}
... which works as expected, and validates against all password policy restrictions.
Has anyone ever had to deal this?
Cheers :)
回答1:
This is by design, as far as I have used it. The SetPassword is intented to act like an admin who resets user password - the complexity policy holds but there are no restrictions on the history. Suppose admin resets your password, sees "can't set the same password" - one of your passwords is compromised.
Our workaround was to allow the management to go through one of our web subsystems only and persist the history of hashes so that the responsibility to verify the history was put on the custom subsystem rather than the ad.
回答2:
Incase the username is not found via the FindByIdentify, you may want to also check it for null first!
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "XXXX.XXX.com")) {
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
{
if (user != null)
{
user.ChangePassword(currentPassword, newPassword);
}
else
{
throw new Exception(string.Format("Username not found: {0}", username));
}
}
}
来源:https://stackoverflow.com/questions/17493571/directoryservices-userprincipal-setpassword-ignores-password-policy-password-hi