ChangePassword ADSI method not working (constraint violation)

ScottyDoo · February 2, 2023, 10:50am

Hi All,

Firstly - For reasons I won’t get in to I can’t load in the AD module and use Set-ADAccountPassword cmdlet so…

I am trying to change a user account password using the following:

$User = "<MyUserName>"
$CurPass = "<CurrentPassword>"
$NewPass = "<NewPassword>"

$Filter = "(&(objectCategory=person)(objectClass=user)(samaccountname=$User))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<DomainController>:636", $env:USERDNSDOMAIN\$User, $CurPass)
$Searcher.Filter = $Filter
$Searcher.SearchScope = "Subtree"
$objUser = $Searcher.FindOne().GetDirectoryEntry()
$objUser.PsBase.Invoke("ChangePassword", $CurPass, $NewPass)
$objUser.CommitChanges()

The above throws a constraint violation error (even as a Domain Admin). If I use the “SetPassword” method as a domain admin this works but I get access denied as a user. I figured “ChangePassword” should work as a user but I cant get this method to work at all.

Any idea?

Thanks

ScottyDoo · February 2, 2023, 2:35pm

OK so after a day of playing… This article:

Led me to authentication flags:

The ones that worked for me in the end were:
ADS_SECURE_AUTHENTICATION + ADS_USE_SIGNING + ADS_USE_SEALING + ADS_SERVER_BIND

So I basically added:

$UserDN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($ObjUser.distinguishedName)",$env:USERDNSDOMAIN\$User, $CurPass, 705)
$UserDN.PsBase.Invoke("ChangePassword", $CurPass, $NewPass)
$UserDN.CommitChanges()

Not sure why I needed the last one but it wouldn’t work without the ADS_SERVER_BIND flag.

Cheers

Olaf · February 2, 2023, 2:39pm

ScottyDoo,
Welcome to the forum.

… glad to hear that you’ve already found a solution … and thanks for sharing.