Article ID: 288359
Article Last Modified on 2/12/2004
APPLIES TO
- Microsoft Active Directory Client Extension, when used with:
- Microsoft Windows NT 4.0 Service Pack 6a
- Microsoft Active Directory Service Interfaces 2.5
This article was previously published under Q288359
SUMMARY
The Active Directory Client Extension (DSClient) for Windows NT 4.0 extends the operating system's abilities so that it can take advantage of many Windows 2000 features. However, it does not alter the existing functionality for changing the password through the user interface.
MORE INFORMATION
In Windows NT 4.0, the user interface for changing passwords resides in WinLogon. This component makes a call to the security account manager (SAM) to change passwords. The Windows NT 4.0 WinLogon capabilities are not updated or extended by the DSClient installation. Therefore, the user will not be rerouted to the closest writable domain controller (DC) when using this dialog box. Instead, he or she will be rerouted to the primary domain controller (PDC).
The Windows NT 4.0 DSClient has all the necessary components in place to make a site-aware change password call. You can write a program with the following algorithm (assuming the Windows NT 4.0 DSClient is installed):
    If (DSClient is installed) Then
        dc = DsGetDcName(DS_WRITABLE_REQUIRED)
        Call NetUserChangePassword(dc, …)
    End If
Or, you can use Active Directory Service Interfaces (ADSI):
- Find the username to be changed (GetUserName or IADsWinNTSystemInfo). For example:
    Set oWinnt = CreateObject("WinNTSystemInfo")
    strUser = oWinnt.UserName
- Get the domain distinguished name (DN) where the interactive user currently logs on. For example:
    Set oRootDSE = GetObject("LDAP://RootDSE")
    domainDN = oRootDSE.Get("defaultNamingContext")
- Find the user based on the current domain DN, and pass the username obtained via IADsWinNTSystemInfo as the filter:
    filter = "(&(samAccountType=805306368)(samAccountName=" & strUser & "))"
- Once you've obtained the user's ADsPath from the query above, bind to that object.
- Use IADsUser::ChangePassword to change the password.
NOTES:
- Neither of the methods described in this section will update the local password cache. The user still has to log off and log back on to update his or her password cache.
- If DSClient is not installed, calling GetProcAddress() with DsGetDcName will fail.
REFERENCES
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
264480 Description of Password-Change Protocols in Windows 2000
187529 HOWTO: Use ADO to Access Objects Through an ADSI LDAP Provider
269190 HOWTO: Change a Windows 2000 User's Password Through LDAP
288358 HOWTO: Install the Active Directory Client Extension