Creating a User and setting password with .NET where a minimum length password policy exists

Paul Gallagher

We are having a problem creating an Active Directory user (DirectoryEntry) programmatically using the .NET Framework 1.1.

In our development environment we are able to bind to AD using LDAP and create a new directory entry. We commit this and the DirectoryEntry is created with a blank password, as shown below:

DirectoryEntry user = users.Add("CN=" + myUsername, "user");

user.Properties["samAccountName"].Add(username); // Login name
user.Properties["givenName"].Add(FirstName); // First Name
user.Properties["sn"].Add(LastName); // Last Name

...other properties...

user.CommitChanges();

We are then able to invoke the SetPassword method to change the password.

Unfortunately this will not work in production since a password policy with a minimum password length is in force. It is not possible to create an Active Directory user with a blank password.

The following error is thrown in this case:

The server is unwilling to process the request.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: The server is unwilling to process the request.

If we try and set the password property as follows:


DirectoryEntry user = users.Add("CN=" + myUsername, "user");

user.Properties["samAccountName"].Add(username); // Login name
user.Properties["givenName"].Add(FirstName); // First Name
user.Properties["sn"].Add(LastName); // Last Name

...other properties...

user.Properties["userPassword"].Add(Mypassword);

user.CommitChanges();


The password is still not set, and therefore this fails in an environment with a minimum length password policy in place.

How can we create a DirectoryEntry where a minimum length password policy exists?
 
Joe Kaplan (MVP - ADSI)

Generally, you want to do it like this:

Create the object and CommitChanges
Then, call SetPassword and CommitChanges
Then, set userAccountControl to enable the object and call CommitChanges one
last time.

Joe K.
 
Marc Scheuner


Steps:

1) Create the user with the "ADS_UF_PASSWD_NOTREQD" flag (password not
required) being set to the "userAccountControl" flag of the user
object. This *should* work even in your production environment.

2) Then set the user's password to match the minimum length and
complexity requirements (.SetPassword)

3) Then update the user object again, to enable it (remove the
ADS_UF_ACCOUNTDISABLE flag), and to require a password for it (remove
the ADS_UF_PASSWD_NOTREQD flag).

Now you should have a user account, freshly created, enabled, and with
a password.

Marc

________________________________________________________________
Marc Scheuner ** mscheuner -at- mvps.org ** http://adsi.mvps.org
Microsoft MVP for Directory Services Programming
http://www.dirteam.com/blogs/mscheuner/default.aspx
Come see http://groups.yahoo.com/group/ADSIANDDirectoryServices/
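Both answers above describe the same three-commit sequence (create, SetPassword, fix userAccountControl). What follows is an added example, not code from any post in this thread, that carries it out in C# against System.DirectoryServices, the API the question uses. The OU path, the names and the initial password are assumptions supplied by the caller. One caveat on the userPassword attempt in the question: in Active Directory the logon password lives in unicodePwd, which a DC only accepts over an SSL/TLS-protected LDAP connection and in a specific quoted UTF-16 encoding; by default, writing userPassword does not set the logon password at all, which is why the DC behaves as if no password had been given. SetPassword takes care of that transport. The example also removes the half-created object if SetPassword fails, so that a disabled account with PASSWD_NOTREQD set is never left behind, and ends with a check that both flags were actually cleared.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

// Added example, not code from any post in this thread.
// Creates an enabled AD user in a domain that enforces a minimum password
// length, using the create / SetPassword / userAccountControl sequence.
public class AdUserCreator
{
    // Bits of the userAccountControl attribute (ADS_USER_FLAG_ENUM).
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;
    const int ADS_UF_PASSWD_NOTREQD = 0x0020;
    const int ADS_UF_NORMAL_ACCOUNT = 0x0200;

    // ouPath is an assumption, e.g. "LDAP://dc01.example.com/OU=Staff,DC=example,DC=com".
    // username is assumed to contain no RDN special characters (, + " \ < > ; = #);
    // validate it before building a DN from it.
    public static void CreateUser(string ouPath, string username,
        string firstName, string lastName, string initialPassword)
    {
        // Secure | Sealing: authenticated and encrypted LDAP session, so the
        // attribute values are not readable on the wire. Null credentials
        // mean "run as the current process identity".
        using (DirectoryEntry ou = new DirectoryEntry(ouPath, null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (DirectoryEntry user = ou.Children.Add("CN=" + username, "user"))
        {
            // Step 1: create the object disabled and with PASSWD_NOTREQD set, so
            // the DC accepts it without a password despite the length policy.
            user.Properties["sAMAccountName"].Value = username;
            user.Properties["givenName"].Value = firstName;
            user.Properties["sn"].Value = lastName;
            user.Properties["userAccountControl"].Value =
                ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD;
            user.CommitChanges();

            try
            {
                // Step 2: IADsUser::SetPassword. Unlike ChangePassword it needs no
                // old password, but it needs "reset password" rights on the object
                // and a transport the DC accepts. The value must already satisfy
                // the domain policy, or the DC answers "unwilling to process".
                user.Invoke("SetPassword", new object[] { initialPassword });
                user.CommitChanges();

                // Step 3: enable the account and require a password again. Read the
                // current value back rather than assuming what the DC stored.
                user.RefreshCache(new string[] { "userAccountControl" });
                int uac = (int)user.Properties["userAccountControl"].Value;
                uac &= ~(ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD);
                user.Properties["userAccountControl"].Value = uac;
                user.CommitChanges();
            }
            catch (Exception ex)
            {
                // Do not leave a disabled, password-not-required account behind.
                try { ou.Children.Remove(user); }
                catch (COMException) { /* needs manual cleanup; keep the original error */ }

                // Invoke wraps the COM error in TargetInvocationException; surface
                // the real COMException to the caller.
                TargetInvocationException tie = ex as TargetInvocationException;
                if (tie != null && tie.InnerException != null)
                    throw tie.InnerException;
                throw;
            }
        }
    }

    // Post-condition check: true only if the account is enabled and a password
    // is required. Worth running over existing users as well: an account that
    // still carries PASSWD_NOTREQD can be logged on to with an empty password.
    public static bool IsEnabledAndRequiresPassword(DirectoryEntry user)
    {
        user.RefreshCache(new string[] { "userAccountControl" });
        int uac = (int)user.Properties["userAccountControl"].Value;
        return (uac & ADS_UF_ACCOUNTDISABLE) == 0
            && (uac & ADS_UF_PASSWD_NOTREQD) == 0;
    }
}
```

The identity the code runs under needs "Create child objects" on the OU plus "Reset password" and write access to userAccountControl on the new object; a web application should run that path under a dedicated, least-privileged service account rather than a domain administrator.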
 
Guest

Hi!!

I developed a C# application to create users in Active Directory, and the following code creates a user and a mailbox.

NewUser.Properties["userPrincipalName"].Value = userName+"@pruebas.es";
NewUser.Properties["name"].Value = name;
NewUser.Properties["samAccountName"].Value = userName;
NewUser.Properties["description"].Value=description;
NewUser.Properties["pwdLastSet"].Value = -1;   // -1: do not force a change at next logon
NewUser.Properties["givenName"].Value=name;
NewUser.CommitChanges();

// ChangePassword needs the current (here: blank) password to be accepted
NewUser.Invoke("ChangePassword", new object[] {"",password});
NewUser.CommitChanges();

NewUser.Properties["userAccountControl"].Value=0x200;   // NORMAL_ACCOUNT, enabled
NewUser.CommitChanges();

// CDOEXM is only available where the Exchange System Manager is installed
CDOEXM.IMailboxStore mailbox;
mailbox = (IMailboxStore)NewUser.NativeObject;
mailbox.CreateMailbox(homeMDB);
NewUser.CommitChanges();

The problem is that now I'm testing this code against another domain controller and it doesn't work!!!
My question is: is my code correct, or could it be a problem with the domain controller (permissions...)?

Thanks in advance

 
Joe Kaplan (MVP - ADSI)

You should use SetPassword for creating an initial password. Otherwise,
what isn't working? What exception do you get?

Joe K.

 
Guest

Hi!!

I got several exceptions:
1- When I use
NewUser.Invoke("SetPassword", new object[] {password});
2- When I use
NewUser.Properties["userAccountControl"].Value=0x200;
3- When I try to create the mailbox

The exceptions:
1- The network path cannot be found
2- The domain is busy, or it cannot be found, or you do not have enough privileges
3- Specified cast is not valid (when I try to create the mailbox)

In other words, I can't use SetPassword: it never worked, but if I use
ChangePassword it worked!!
I don't know what I can do, because this code worked in the development
environment!!

Thanks



 
Joe Kaplan (MVP - ADSI)

SetPassword should work. I'd suggest concentrating on getting that working.
Just out of curiosity, does your domain support SSL (can you bind with
AuthenticationTypes.SecureSocketsLayer)?

Regarding setting userAccountControl, that should work too. If you are
getting permissions errors, are you sure you have enough rights?

Regarding the mailbox creation, did you install the Exchange System Manager
on the system?

Joe K.

 
Guest

Hi Joe!!

I'm trying to run my code on the domain controller and it worked, except for
creating the mailbox, but I've seen that the Exchange tools are not installed!! and
the error is "specified cast is not valid". If I try to run the code from a
client in another domain (there is a trust between the domains) I get the
following exception, "The server is unwilling to process your request", when I
invoke SetPassword. I think it is a problem with permissions! What do you
think?

Thanks in advance!


 
Joe Kaplan (MVP - ADSI)

"Unwilling to process" on a password change usually means that an SSL/LDAP
connection could not be established with the other domain, although there
are other potential reasons I think.

Can you connect to the other domain over SSL/port 636 using ldp.exe?

You definitely need the Exchange System Manager tools installed to use
CDOEXM.

Joe K.

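The check Joe suggests with ldp.exe can also be made from the application itself. The following is an added example, not code from this thread: it binds to RootDSE on the DC over SSL on port 636 with the same AuthenticationTypes flag Joe mentions, and reports the COM error if that fails. The host name and the message strings are assumptions. Background for reading the result: on the LDAP provider, IADsUser::SetPassword tries LDAP over SSL first, then Kerberos, and finally the NetUserSetInfo API (SMB/RPC to the DC), so "unwilling to process" and "network path not found" describe the transport that failed last, not necessarily a missing permission on the user object. Cross-domain, the SSL path additionally needs the other domain's DC to present a server certificate your client trusts.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not code from this thread. Checks whether an LDAP over SSL
// bind to a DC on port 636 succeeds, which is the first transport ADSI's
// SetPassword tries. The host name passed in is an assumption.
public class LdapsCheck
{
    // Returns true if the SSL bind succeeds. detail carries the DC's dnsHostName
    // on success, or the HRESULT and message of the COM error on failure.
    public static bool CanBindOverSsl(string dcHost, out string detail)
    {
        // RootDSE is readable by any authenticated principal, so a failure here
        // is a transport, certificate or name-resolution problem, not an ACL.
        string path = "LDAP://" + dcHost + ":636/RootDSE";
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(path, null, null,
                AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
            {
                // RefreshCache forces the bind; nothing happens until then.
                root.RefreshCache(new string[] { "dnsHostName" });
                detail = "LDAPS bind OK: " + root.Properties["dnsHostName"].Value;
                return true;
            }
        }
        catch (COMException ex)
        {
            // Typical values: 0x8007203A "The server is not operational" when
            // nothing answers on 636 or the certificate is rejected;
            // 0x8007052E "Logon failure" when the credentials are wrong.
            detail = "LDAPS bind failed, HRESULT 0x" + ex.ErrorCode.ToString("X8")
                + ": " + ex.Message;
            return false;
        }
    }

    // Usage: LdapsCheck.exe dc01.example.com   (host name is an assumption)
    public static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "dc01.example.com";
        string detail;
        bool ok = CanBindOverSsl(host, out detail);
        Console.WriteLine(detail);
        if (!ok)
        {
            Console.WriteLine("SetPassword cannot use LDAPS here and will fall back to "
                + "Kerberos and then NetUserSetInfo; if those are blocked as well "
                + "(e.g. no SMB/RPC path to the DC), expect 'network path not found' "
                + "or 'unwilling to process'.");
        }
        return ok ? 0 : 1;
    }
}
```

If the bind fails, confirm with ldp.exe (Connection, port 636, SSL checked) from the same client: a DC without a server authentication certificate will not listen on 636 at all, and a certificate issued by a CA the client does not trust is rejected during the handshake, which ADSI reports as the server not being operational.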