Solved

Use DirectorySearcher to check if a password is in the password history

Posted on 2006-03-21
Last Modified: 2012-06-21
Is it possible to use the DirectorySearcher to check if a password is in the user's password history?  I assume I want to query against the AD's ntpwdhistory property.  Of course, those passwords are encrypted.  So do I have to encrypt the password before I try to send in the search, or is DirectorySearcher (or rather, the underlying api) smart enough to do this for me?  Other ideas on how to accomplish this?
Question by:hberenson
9 Comments
 
LVL 41

Expert Comment

by:graye
ID: 16257738
Ouch!   This can probably be done... but it will definitely be a "non-trivial" task.   It will require a lot of low-level (and undocumented) API calls.

The solution will look nothing like a familiar framework DirectorySearcher solution!

The "bible" of low-level APIs is Windows NT/2000 Native API Reference (http://www.amazon.com/gp/product/1578701996/sr=8-1/qid=1143038091/ref=pd_bbs_1/102-6485229-5903316?%5Fencoding=UTF8)
 
LVL 20

Expert Comment

by:ihenry
ID: 16259704
That's not possible. In the ntPwdHistory attribute, password history is stored in OWF format. You cannot derive the clear password out of the attribute, nor can you compare it with any form of string. If you happen to find anything that could do that, it's certainly not supported by $MS.

I posted some comments in your Q in W2K3 TA. I hope it can help you in solving this problem.
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21696767.html


Graye, the book looks very interesting. I think I'm gonna buy it :o)
 
LVL 3

Author Comment

by:hberenson
ID: 16260040
Hmmm.  My root problem is that a call to change the password is silently failing (i.e. appears to succeed) if the password is on the history list.  So how do I tell the user that their change was unsuccessful?  Should it be returning an error?

This is someone else's code, so I need to take a closer look and post a code fragment.
 
LVL 20

Expert Comment

by:ihenry
ID: 16268759
>> My root problem is that a call to change the password is silently failing...
Silently failing is not a normal behaviour of ADSI. When a password change fails for any reason, it should return an error message, something like this.

"Logon failure: unknown user name or bad password"
  -2147023570

As you can see, the message is vague and is not telling anything about the nature of the error. So you're pretty much out of luck if you want to distinguish whether the problem is caused by a wrong user name or password, a domain password complexity violation, or the password already being listed in the password history.
 
LVL 20

Expert Comment

by:ihenry
ID: 16269228
Btw, can you post the piece of code that's failing? Maybe someone could see something not obvious that's causing the problem.
 
LVL 3

Author Comment

by:hberenson
ID: 16274758
Slightly edited code is below.  Note that no error is ever trapped.

' VB.NET with the ActiveDs COM interop (Active DS Type Library).
' Inputs szSAMAccountName, sOU, ADRoot, ADUsername, ADPassword and sPassword
' are parameters of the surrounding function.
On Error GoTo errhandler

Dim objPerson As IADsUser
Dim szConnString As String
Dim objLdap As IADsOpenDSObject

' Bind to the LDAP provider once and build the user's distinguished name.
objLdap = GetObject("LDAP:")
szConnString = "LDAP://CN=" & szSAMAccountName & ",OU=" & sOU & "," & ADRoot

' Open the user object with the service account credentials.
' 1 = ADS_SECURE_AUTHENTICATION (no clear-text simple bind).
objPerson = objLdap.OpenDSObject(szConnString, ADUsername, ADPassword, 1)

With objPerson
    ' Administrative reset: SetPassword ignores the password history policy,
    ' which is why a reused password is accepted here.
    .SetPassword(sPassword)
    .AccountDisabled = False
    .SetInfo()
End With

Return 1

errhandler:
' Complexity violations do raise an error and land here; history reuse does not.
Response.Redirect("/Support/UnSuccessful.aspx?LogID=" & Log(Err.Description, "ResetPassword", szSAMAccountName, -1))
Return -1
 
LVL 3

Author Comment

by:hberenson
ID: 16275238
Some more testing has revealed this is even more interesting than originally described.  The above code DOES change the password even if it is on the password history list.  On the other hand, if it violates the password complexity rules then it traps to errhandler.
 
LVL 20

Accepted Solution

by: ihenry (earned 2000 total points)
ID: 16281153
Obviously the code is about resetting a password, not changing a password. The SetPassword method disregards the password age and password history policies, but it does check password complexity. If your objective is to provide a facility for your users to change their password, you should use the ChangePassword method instead.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsuser_changepassword.asp

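The ChangePassword path recommended above, together with the vague ADSI error codes discussed earlier in the thread, as an added VB.NET example (not code from the original thread or from any of its posters). It assumes the ActiveDs COM reference, a service account (bindUser, bindPassword) for the bind, and a userPath such as "LDAP://CN=jdoe,OU=Staff,DC=example,DC=local"; all of those names are placeholders.

```vbnet
Option Strict On
Imports System.Runtime.InteropServices
Imports ActiveDs   ' COM interop: "Active DS Type Library"

Public Module PasswordChange
    ' Well-known Win32 errors as they surface in COMException.ErrorCode from ADSI.
    Private Const HR_LOGON_FAILURE As Integer = &H8007052E          ' -2147023570: bad user name or old password
    Private Const HR_PASSWORD_RESTRICTION As Integer = &H800708C5   ' -2147022651: history, age, length or complexity

    ' User-initiated change: ChangePassword verifies the old password and enforces
    ' the history and minimum-age policies, which the SetPassword reset bypasses.
    ' userPath, bindUser and bindPassword are assumed inputs (placeholders).
    Public Function ChangeUserPassword(userPath As String, bindUser As String, bindPassword As String,
                                       oldPassword As String, newPassword As String) As String
        Try
            Dim ldap As IADsOpenDSObject = CType(GetObject("LDAP:"), IADsOpenDSObject)
            ' 1 = ADS_SECURE_AUTHENTICATION: SSPI bind rather than a clear-text simple bind.
            Dim user As IADsUser = CType(ldap.OpenDSObject(userPath, bindUser, bindPassword, 1), IADsUser)
            ' ChangePassword commits immediately; no SetInfo is needed.
            user.ChangePassword(oldPassword, newPassword)
            Return "changed"
        Catch ex As COMException
            ' AD does not say which rule failed, so map the HRESULT to a user-facing reason.
            Select Case ex.ErrorCode
                Case HR_LOGON_FAILURE
                    Return "rejected: old password incorrect"
                Case HR_PASSWORD_RESTRICTION
                    Return "rejected: new password violates history, age, length or complexity policy"
                Case Else
                    Return "error: 0x" & ex.ErrorCode.ToString("X8")
            End Select
        End Try
    End Function
End Module
```

The returned string is safe to log or display because it never includes either password; the caller decides whether to redirect to the failure page.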
 
LVL 3

Author Comment

by:hberenson
ID: 16281677
Thanks!  The guy who did this used the same function both for reset password and change password; he just validated the old password before calling this function in the case of a user doing a change password.  I'll create a new function that uses the changepassword method.