Change Active Directory User Password method SetPassword and ASP.Net


I cannot make the following code work in It works fine in Console application.

string strLDAP = "LDAP://,OU=sample_ou,DC=MYDOMAIN,DC=local";
                  DirectoryEntry entry  = new DirectoryEntry(strLDAP,"administrator","abcde",AuthenticationTypes.ServerBind);
                  object native = entry.NativeGuid;
                  entry.Invoke("SetPassword",new object[] {"testing"});

This always give me the exception: System.Runtime.InteropServices.COMException: One or more input parameters are invalid
at entry.Invoke("SetPassword",new object[] {"testing"});

I have already tried using the AuthenticationType as a secure socket layer but that gave me "The server is not operational." . This thing is really annoying and wants me to shift my application to Windows as it works fine there. Any suggestions regarding changing the user password in active directory using will be very helpful.

Thanks, Nauman.
LVL 25
Who is Participating?

Improve company productivity with a Business Account.Sign Up

AerosSagaConnect With a Mentor Commented:
try it this way then:

private void AddUser(string strDoamin, string strLogin, string strPwd)
      DirectoryEntry obDirEntry = null;
            obDirEntry = new DirectoryEntry("WinNT://" + strDoamin);
            DirectoryEntries entries = obDirEntry.Children;
            DirectoryEntry obUser = entries.Add(strLogin, "User");
            object obRet = obUser.Invoke("SetPassword", strPwd);
      catch (Exception ex)

nauman_ahmedAuthor Commented:
I have already searched a lot on the net and tried almost everything. I will be really very thankful if a working solution is posted.

Thanks, Nauman.
try this:

Joe Kaplan \(MVP - ADSI\) (VIP)
Ok, I see. Here are the steps to accomplish that:

1. Bind to the directory root with with the user's current name and password
to get the domain search root
2. Find the user by their username in the directory using the
3. Bind the user's DirectoryEntry (found from 2)
4. Invoke the ChangePassword method (not the SetPassword method, since that
is used by admins to reset a password)

Here is some sample code that should come close to what you are trying to
do. I wasn't able to test this, and you may need to modify it based on your
DC name and also on the type of encryption you are going to use (SSL or

Private Sub ChangePassword(ByVal username As String, ByVal oldPassword
As String, ByVal newPassword As String)

Dim dcDNS As String = "" 'use this if you want to supply a
server name
Dim rootDN As String
Dim rootDSE As DirectoryEntry
Dim searchRoot As DirectoryEntry
Dim userEntry As DirectoryEntry
Dim searcher As DirectorySearcher
Dim results As SearchResultCollection
Dim result As SearchResult

'note the authenicationtypes here
'you need to either use SecureSocketsLayer or Kerberos (Secure +
rootDSE = New DirectoryEntry(String.Format("LDAP://{0}/rootDSE",
dcDNS), username, oldPassword, AuthenticationTypes.Secure Or
AuthenticationTypes.Sealing Or AuthenticationTypes.ServerBind)
rootDN =
DirectCast(rootDSE.Properties("defaultNamingContext").Value, String)
searchRoot = New DirectoryEntry(String.Format("LDAP://{0}/{1}",
dcDNS, rootDN), username, oldPassword, AuthenticationTypes.Secure Or
AuthenticationTypes.Sealing Or AuthenticationTypes.ServerBind)
searcher = New DirectorySearcher(searchRoot)
searcher.Filter = String.Format("sAMAccountName={0}", username)
searcher.SearchScope = SearchScope.Subtree
searcher.CacheResults = False

'I use FindAll here because FindOne leaks memory if it does not
find anything
'in .NET 1.0 and 1.1
results = searcher.FindAll()
For Each result In results
'only use this method on .NET 1.1 or higher
'otherwise, get the adsPath value and build a new
DirectoryEntry with the supplied credentials
userEntry = result.GetDirectoryEntry()
Exit For 'this is redundant because sAMAccountName is unique
in the domain, but it is done for clarity

If userEntry Is Nothing Then
Throw New InvalidOperationException("User not found in this
End If

userEntry.Invoke("ChangePassword", New Object() {oldPassword,

Catch ex As System.Reflection.TargetInvocationException
Throw ex.InnerException

Finally 'these prevent other memory leaks
If Not userEntry Is Nothing Then userEntry.Dispose()
If Not results Is Nothing Then results.Dispose()
If Not searcher Is Nothing Then searcher.Dispose()
If Not searchRoot Is Nothing Then searchRoot.Dispose()
If Not rootDSE Is Nothing Then rootDSE.Dispose()
End Try
End Sub

You may need to experiment with different variations on the dcDNS variable
and you may need to remove the ServerBind flag if you are using a NETBIOS
name. Also, you may need to remove the Sealing flag as well, but be warned
that in order to set or change passwords, some sort of encrypted channel
(SSL or Kerberos) must be available.


Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

nauman_ahmedAuthor Commented:
Thanks Aeros.

ChangePassword is working fine at my side. The problem is with SetPassowrd.

IIS 5.0 or 6.0?
nauman_ahmedAuthor Commented:
I tried on both :(

same result?
nauman_ahmedAuthor Commented:
yeah. Its all the same and no luck until now.

nauman_ahmedAuthor Commented:
thanks aeros.. It is working with WINNT prefix. But one thing that I will never understand is why we have to tame windows instead of using the methods that have been already defined in MSDN? I have been working on this since 2 days but didnt have any luck. Thanks a lot again..and if there is an explanation of using WinNT instead of LDAP prefix, please post it here.

Thanks, Nauman.
You must have noticed from the above list that there is no property to set or get user password value. Operating system does not give access to clear text password value. So we can't expect and property or method to get it. In ADSI,  IAdsUser interface provides SetPassword method to set a user's password. This is where Invoke method of DirectoryEntry  class comes handy. So we call Invoke to set the password value. The Invoke method can be used to call native methods on underlying active directory objects. There is one important thing to remeber when you set a user's password value. If you are using LDAP provider, then the user account should already have been created in the system by calling CommitChanges  or SetInfo method. But WinNT provider does not have this restriction. You can set password value without commiting the changes first.


Glad I could be of some assistance to you my friend.


entry.Invoke("SetPassword",new object[] {"testing"});

This command does not work in Active Directory which run on Window 2003. With error message that "Type mismatch."
So...Please help me..!!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.