Solved

Synchronizing local domain password

Posted on 2004-08-04
Last Modified: 2013-12-03
Hi,

we have an application where XP notebook and XP workstation users could change their domain password (and all other associated passwords). The application sends the password change request to a server program and that does the global password change. However, the local domain account still has the old password. To get the local password changed also, we are locking the screen by calling LockWorkStation() and the user has to unlock using the new domain password, thus updating their local account.

However, if the user unlocks using their old password, the workstation/notebook password differs from that of all other places, which will cause problems. So, we are looking for a better solution.

Best would be, if we don't have to lock the workstation but could somehow force synchronizing of the local domain password. Note, the users always are connected to the domain, while the application is running.

Any ideas?

Regards, Alex
Question by:itsmeandnobodyelse
12 Comments
 
LVL 86

Expert Comment

by:jkr
You could just set the local password using 'NetUserSetInfo()' at level 1 and change both the local and the domain pwd (by specifying NULL as the server name for the local one and the DC name for the domain pwd).
0
 
LVL 39

Author Comment

by:itsmeandnobodyelse
Thanks for the suggestion, but we have to use the server prog to change the domain password (as there are other passwords that must be changed also). Then, NetUserSetInfo fails because the password of the domain already has been changed.

Do you know of a domain utility to force password synchronisation?

Regards, Alex
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
NLTest Syntax

This command-line tool helps perform network administrative tasks. You can use NLTest to:

* Get a list of domain controllers.
* Force a remote shutdown.
* Query the status of trust.
* Test trust relationships and the state of domain controller replication in a Windows domain.
* Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers.
NLTest can test and reset the secure channel established by the NetLogon service. This secure channel is established between clients and the domain controller that logs them on. NLTest does not work for clients using Kerberos for authentication since this secure channel is not used with Kerberos.

/sc_change_pwd: [DomainName]
Changes the password for the trust account of the specified domain. If this command is run on a domain controller, and an explicit trust relationship exists, then the password for the interdomain trust account is reset. Otherwise, the computer account password for the specified domain is changed. This command is only for computers that are Windows 2000, Windows XP, and Windows Server 2003.

does it help?
bbao
0
 
LVL 39

Author Comment

by:itsmeandnobodyelse
>> Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers.

That sounds good and bad. The domain servers are WIN2K servers as far as I know (bad: NT 4.0 or earlier???). But forcing synchronization is exactly what we need (good). Is the NLTest tool a server or client tool? Does it belong to a kit or where could I get it? Is there a possibility to call that tool programmatically?

We are responsible for the client prog. The server side is responsible for overall password synchronization, but we have no influence on that. So, if there is a server solution that could solve our local update problem by forcing synchronisation, we could only give suggestions to the people that are responsible for that.

>> /sc_change_pwd: [DomainName]

Could you give the full command? Is it a client command or a (domain) server command? Did you recognize that we already invoked the domain password change and the only thing left is to update the local account as well?

Regards, Alex



0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 100 total points
NLTEST was originally released with NT4 resource kit, and is still available with the resource kit of W2K3, so it definitely works well on NT4/2K/2K3 platforms. yes, it is a server side tool, a console utility, should be OK for batch file execution. you may download W2K3 resource kit from M$ site at:

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

FYI: Nltest Domain/User Tool
http://windows.about.com/library/weekly/aa010200a.htm

the full command is NLTEST /sc_change_pwd: [DomainName], for more information of NLTEST, see MSKB at

Domain Secure Channel Utility -- Nltest.exe
http://support.microsoft.com/?id=kb;en-us;158148

> Did you recognize that we already invoked the domain password change and the only thing left is to update the local account as well?

not very sure what you mean, could you please be more specific? thanks.

hope helps,
bbao
0
 
LVL 39

Author Comment

by:itsmeandnobodyelse
>> not very sure what you mean, could you please be more specific? thanks

First, it is a very big company and the domain(s) have about 10000 people. We - a small developer group within that company - have a client application where the user can change their password. But we don't make the password change ourselves but pass the password change request to a domain server. From there all passwords of the user get synchronized - with one exception: the current account of the user still has the old password. The user now can update their account by locking the workstation/notebook and unlocking using the new password we had passed to the server application.

That last step we want to automate. Our solution till now is to programmatically lock the workstation by calling LockWorkStation (that works fine) and BEFORE that we give advice how to unlock - using the NEW password and not the OLD one. Unfortunately, we cannot prevent the user from doing the latter and he/she will get a lot of problems after that as there are a lot of resources on the net he/she couldn't access then because of the wrong password. Also the current solution isn't very elegant as we only want to synchronize the local domain password (and not to lock the workstation).

We now hope that the functionality that comes with unlocking the workstation also is available somehow else by some API or by a client tool OR that there is a server solution where the password update could be forced. The second we could not implement/test ourselves but we could pass that information to these people that are responsible for the central password change.

>> NLTEST /sc_change_pwd: [DomainName],

As far as I understood, NLTEST synchronizes domain controllers. We want the domain controller to synchronize a workstation account that is currently logged on.

Regards, Alex
0
 
LVL 86

Accepted Solution

by:
jkr earned 300 total points
>>Then, NetUserSetInfo fails because the password of the domain already has been changed.

Hmm, no - if you target that call for the local SAM, it will work. Of course that has to be done with the *local* credentials.
0
 
LVL 39

Author Comment

by:itsmeandnobodyelse
>> if you target that call for the local SAM

Sounds great, but we tried that and ... failed. But it was some time ago, maybe we made some mistakes...

NetUserSetInfo to change password requires administrator rights, so we used NetUserChangePassword

        NET_API_STATUS nas = NetUserChangePassword( wComputerName,   // LPCWSTR: domain or machine name
                                                    wUserName,       // LPCWSTR: account name
                                                    wOldPassword,
                                                    wNewPassword );
        if (nas != NERR_Success)
            /* handle error, e.g. ERROR_INVALID_PASSWORD */ ;

wComputerName == NULL ???
wUsername ?  Must be prefixed with the domain, like  domain\user ???

We got error "ERROR_INVALID_PASSWORD" and no synchronization.

BTW, I just read the NetUserSetInfo doc and level == 1008:

There is a flag UF_LOCKOUT and the description is :

UF_LOCKOUT The account is currently locked out. For NetUserSetInfo, this value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously unlocked account.

I wonder, if we could use that function to unlock the workstation after a previously LockWorkStation(). Or do we need admin rights for that?

Regards, Alex
 


0
 
LVL 86

Expert Comment

by:jkr
>>wComputerName == NULL ???

Nope, the docs explicitly state "A value of NULL in the domainname parameter specifies the logon domain of the caller" - and then you will run into trouble when your program runs under a domain logon. Specify the name of the machine here.

>>wUsername ?  Must be prefixed with the domain, like  domain\user ???

For a local user, that is

LPCTSTR pUser = _T(".\\<username>");

0
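As an added illustration of the argument conventions jkr describes (this is example code written for this thread, not code posted by jkr, Alex or Microsoft), the following PowerShell script calls NetUserChangePassword through P/Invoke and decodes the NET_API_STATUS it returns, so that an ERROR_INVALID_PASSWORD from a wrong domainname/username pairing is visible as such rather than as a bare number. It assumes it runs on the Windows machine whose SAM (or whose domain) holds the account; the account name, domain name and password values are placeholders.

```powershell
# Added example (not from the thread): NetUserChangePassword via P/Invoke,
# with the domainname/username conventions from jkr's answer, and a lookup
# that names the NET_API_STATUS the call returns.
# Assumptions: run on the Windows box whose SAM or domain holds the account;
# 'alex', 'EXAMPLE-DOMAIN' and the password values are placeholders.

Add-Type -Namespace Win32 -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@

# Status codes (lmerr.h / winerror.h) this call commonly returns.
$NetStatus = @{
    0    = 'NERR_Success'
    5    = 'ERROR_ACCESS_DENIED'
    86   = 'ERROR_INVALID_PASSWORD'   # old password rejected (the error seen in the thread)
    2221 = 'NERR_UserNotFound'        # account not found under that domainname
    2245 = 'NERR_PasswordTooShort'    # new password fails the password policy
}

function Set-AccountPassword {
    param(
        # Machine name targets the local SAM; a domain name targets a DC of that
        # domain. $null means "the caller's logon domain", which is the trap jkr
        # points out when the program itself runs under a domain logon.
        $Target,
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $OldPassword,
        [Parameter(Mandatory)] [string] $NewPassword
    )
    $rc = [Win32.NetApi]::NetUserChangePassword($Target, $User, $OldPassword, $NewPassword)
    $name = if ($NetStatus.ContainsKey($rc)) { $NetStatus[$rc] } else { "unknown status $rc" }
    [pscustomobject]@{
        Target    = $Target
        User      = $User
        Status    = $rc
        Name      = $name
        Succeeded = ($rc -eq 0)
    }
}

# Local account in this machine's SAM: name the machine (jkr's ".\user" form
# for the username is the other way to express a local account).
Set-AccountPassword -Target $env:COMPUTERNAME -User 'alex' `
    -OldPassword 'OLD-PASSWORD-PLACEHOLDER' -NewPassword 'NEW-PASSWORD-PLACEHOLDER'

# Domain account: the API locates a domain controller for the named domain.
Set-AccountPassword -Target 'EXAMPLE-DOMAIN' -User 'alex' `
    -OldPassword 'OLD-PASSWORD-PLACEHOLDER' -NewPassword 'NEW-PASSWORD-PLACEHOLDER'
```

Run it first against a throwaway local account to confirm which Target/User pairing your machine accepts before pointing it at a domain account; in a real client the passwords would be collected with Read-Host -AsSecureString and converted only at the moment of the call rather than held as plain strings.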
 
LVL 39

Author Comment

by:itsmeandnobodyelse
>> Specify the name of the machine here.

But we need to synchronize the local domain account and not the local workstation account. Most users don't have a local machine account but always log on at the domain.

However, many thanks for your inputs. I will have time to make some tests next week. Sorry for not being able to give feedback earlier.

Regards, Alex


0
 
LVL 9

Assisted Solution

by:_ys_
_ys_ earned 100 total points
The GINA caches the users' hashed password until told otherwise. And the SAS would certainly do that. When it doesn't match it'll go look to see if it's changed.

Thus both old and new passwords will work. But all this you probably already know.

NPPasswordChangeNotify sounds good. Either this or something similar.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/nppasswordchangenotify.asp

BTW, don't even think about asking me how you use this. It just sounded like what you were after.
0
 
LVL 39

Author Comment

by:itsmeandnobodyelse
Ok, I'll close that thread as the current solution has been accepted by all.

Thanks to all for the valid input.

Regards, Alex
0
