Microsoft KB Archive/288359

= INFO: WinLogon Change Password Behavior in Windows NT DSClient =

Article ID: 288359

Article Last Modified on 2/12/2004


APPLIES TO


 * Microsoft Active Directory Client Extension, when used with:
 * Microsoft Windows NT 4.0 Service Pack 6a
 * Microsoft Active Directory Service Interfaces 2.5




This article was previously published under Q288359



SUMMARY
The Active Directory Client Extension (DSClient) for Windows NT 4.0 extends the operating system's abilities so that it can take advantage of many Windows 2000 features. However, it does not alter the existing functionality for changing the password through the user interface.



MORE INFORMATION
In Windows NT 4.0, the user interface for changing passwords resides in WinLogon. This component makes a call to the security account manager (SAM) to change passwords. The Windows NT 4.0 WinLogon capabilities are not updated or extended by the DSClient installation. Therefore, the user will not be rerouted to the closest writable domain controller (DC) when using this dialog box. Instead, he or she will be rerouted to the primary domain controller (PDC).

The Windows NT 4.0 DSClient has all the necessary components in place to make a site-aware change password call. You can write a program with the following algorithm (assuming the Windows NT 4.0 DSClient is installed):

    If (DSClient is installed) Then
        dc = DsGetDcName(DS_WRITABLE_REQUIRED)
        Call NetUserChangePassword(dc, …)
    End if

Or, you can use Active Directory Service Interfaces (ADSI):

 1. Find the username to be changed (GetUserName or IADsWinNTSystemInfo).

    For example:

        Set oWinnt = CreateObject("WinNTSystemInfo")
        strUser = oWinnt.UserName

 2. Get the domain distinguished name (DN) where the interactive user currently logs on.

    For example:

        Set oRootDSE = GetObject("LDAP://RootDSE")
        domainDN = oRootDSE.Get("defaultNamingContext")

 3. Find the user based on the current domain DN, and pass the username obtained via IADsWinNTSystemInfo as the filter:

        filter = "(&(samAccountType=805306368)(samAccountName=" & strUser & "))"

 4. Once you've obtained the user's ADsPath from the query above, bind to that object. Use IADsUser::ChangePassword to change the password.

NOTES:

 * Neither of the methods described in this section will update the local password cache. The user still has to log off and log back on to update his or her password cache.
 * If DSClient is not installed, calling GetProcAddress with DsGetDcName will fail.
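
The four ADSI steps above assembled into one script, as an added example that is not part of the original article. It assumes Windows Script Host run under cscript.exe and the ADSI OLE DB provider (ADsDSOObject) reached through ADO; the EscapeLdapFilter helper is a hypothetical addition that escapes the account name before it is placed in the search filter.

```vbscript
' Added example (not from the original article). Run under cscript.exe.
Option Explicit
' Hypothetical helper: escape RFC 4515 special characters so the account
' name is matched literally and cannot change the filter's structure.
Function EscapeLdapFilter(ByVal s)
    s = Replace(s, "\", "\5c")   ' backslash first, it is the escape character
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = Replace(s, Chr(0), "\00")
End Function

Dim oWinnt, strUser, oRootDSE, domainDN, filter
Dim oConn, oCmd, oRS, oUser, oldPwd, newPwd

' Step 1: name of the interactive user.
Set oWinnt = CreateObject("WinNTSystemInfo")
strUser = oWinnt.UserName
' Step 2: DN of the domain the user is logged on to.
Set oRootDSE = GetObject("LDAP://RootDSE")
domainDN = oRootDSE.Get("defaultNamingContext")
' Step 3: search that domain for the user object and return its ADsPath.
filter = "(&(samAccountType=805306368)(samAccountName=" & _
         EscapeLdapFilter(strUser) & "))"
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCmd = CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandText = "<LDAP://" & domainDN & ">;" & filter & ";ADsPath;subtree"
Set oRS = oCmd.Execute
If oRS.EOF Then
    WScript.Echo "No user object found for " & strUser
    WScript.Quit 1
End If

' Step 4: bind to the object and change the password.
' Note: ReadLine echoes what is typed to the console.
Set oUser = GetObject(oRS.Fields("ADsPath").Value)
WScript.StdOut.Write "Old password: "
oldPwd = WScript.StdIn.ReadLine
WScript.StdOut.Write "New password: "
newPwd = WScript.StdIn.ReadLine
On Error Resume Next
oUser.ChangePassword oldPwd, newPwd
If Err.Number <> 0 Then
    WScript.Echo "ChangePassword failed: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If
```

As the first note states, the local password cache is not updated by this call, so the user still has to log off and log back on afterwards.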

