Remko Weijnen's Blog (Remko's Blog)
About Terminal Server, Citrix, Delphi and other stuff
Previously I discussed IDirectoryObject, today I will show how to change a user’s password with IDirectoryObject.
I didn’t find any documentation except a kb article describing how to use pure ldap to do it. Of course I could have used IADsUser::SetPassword but I decided not to because of the following reasons:
- IADs interfaces are terribly slow (although for one use you probably wouldn’t really notice).
- IADsUser::SetPassword tries 3 different methods to set the password (ldap over ssl, kerberos and finally NetUserSetInfo) which makes it even slower (most domain controllers do not have an ssl certificate) and unpredictable.
All example code I found was .NET based using the .NET wrappers for Active Directory and seemed to be meant for use in Adam rather than full Active Directory (it set port number to 389 and password mode to cleartext).
In the end it’s not very difficult but nonetheless it took me a while before I got it right.
We can write to the unicodePwd attribute which wants the password as a double quoted unicode string. If you look at this attribute with AdsiEdit you’ll see that the type is Octet String and that it can be written only.
I was tricked with Delphi’s QuotedStr function for a while because it doesn’t return a double but single quoted string 
Below a small snippet from the upcoming JwsclActiveDirectory that shows how to use it:
var
AdValue: ADSVALUE;
AdAttrInfo: ADS_ATTR_INFO;
TempPwd: TJwString;
DirObjIntf: IDirectoryObject;
Count: DWORD;
hr: HRESULT;
begin
{ To set the password we need a secure bind to the Domain Controller, this
is possible from win2000 sp5 and higher }
hr := ADsOpenObject(PWideChar(FPathName), nil, nil, ADS_USE_SIGNING
or ADS_USE_SEALING or ADS_SECURE_AUTHENTICATION, IID_IDirectoryObject,
Pointer(DirObjIntf));
if failed(hr) then
raise EJwsclAdNoInterfaceException.CreateFmtEx(
‘Interface %s not obtained’, ‘SetPassword’, ClassName,
‘JwsclActiveDirectory’, 0, hr, [‘IID_IDirectoryObject’]);
{ we can set the password through the unicodePwd attribute. }
AdAttrInfo.pszAttrName := ‘unicodePwd’;
AdAttrInfo.dwControlCode := ADS_ATTR_UPDATE;
AdAttrInfo.pADsValues := @AdValue;
AdAttrInfo.dwNumValues := 1;
{ the password needs to be within a double quoted string }
TempPwd := AnsiQuotedStr(Value, ‘"’);
{ unicodePwd is of type Octet String }
AdValue.dwType := ADSTYPE_OCTET_STRING;
AdValue.OctetString.dwLength := Length(TempPwd) * sizeof(TempPwd[1]);
AdValue.OctetString.lpValue := @TempPwd[1];
{ set the password }
hr := DirObjIntf.SetObjectAttributes(@AdAttrInfo, 1, Count);
{ don’t keep the password in memory… }
SecureZeroMemory(@TempPwd[1], Length(TempPwd) * sizeof(TempPwd[1]));
DirObjIntf := nil;
if failed(hr) then
raise EJwsclAdSetPropertyException.CreateFmtEx(
‘SetObjectAttributes failed to set %s’, ‘SetPassword’, ClassName,
‘JwsclActiveDirectory’, 0, hr, [AdAttrInfo.pszAttrName]);
end;
Related posts:
Profile
Tags
Active Directory Altiris bug Citrix Dell Delphi Exchange Exchange2003 Exchange2010 Hewlett-Packard HP iOS Jailbreak Java LinkedIn Linux MSI MySQL Navigation Objects Office Outlook Passat PowerPoint PowerShell referall was returned RNS315 RNS510 SasLibEx script slow Terminal Server ThinApp TSAdmin TSAdminEx VBS VCDS Vista VMWare Volkswagen Windows PE WLAN Wordpress WTSWaitSystemEvent wts_event_flush
WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.
Recent Tweets
- 249 followers, would be nice to make that a round number... 16 hours ago
- RT @FlitsApp: Nieuwe update van flitsers iphone over enkele uren online. ~ Nice, nog andere verbeteringen/toevoegingen? 1 day ago
- RT @JeroenTielen: Er ligt al 24 cm sneeuw in Zeewolde. :) http://t.co/IJRQgars <~LOL! 1 day ago
- Quicky: Lookup kms licensing server DNS record: nslookup -type=srv _vlmcs._tcp #Windows #KMS #Licensing 1 day ago
- Did anyone manage to get the Lync client running multiple times so we can have multiple connections? Maybe using ThinApp? 3 days ago
Views
Recent Comments
- Tony K on Patch Windows 2003 Terminal Server to allow more than 2 concurrent sessions
- Remko on VM not joined to Domain after Deploying from Template
- Remko on Patch Windows 2003 Terminal Server to allow more than 2 concurrent sessions
- Tony K on Patch Windows 2003 Terminal Server to allow more than 2 concurrent sessions
- Konflikt on VM not joined to Domain after Deploying from Template
Donate
Blogroll
- Andrew Morgan
- Arnout’s blog
- Assa’s Blog
- Barry Schiffer
- Delphi Praxis
- Ingmar Verheij
- Jedi Api Blog
- Jedi API Library
- Jeroen Tielen
- Kees Baggerman
Categories
- .NET (1)
- Active Directory (25)
- Altiris (36)
- Apple (3)
- Application Compatibility (7)
- Automotive (2)
- C# (1)
- C++ (1)
- Citrix (54)
- Delphi (55)
- Embedded (4)
- Exchange (16)
- General (57)
- iPhone (4)
- Java (7)
- Oracle (4)
- Packaging (18)
- PowerShell (31)
- Programming (73)
- RES (1)
- script (18)
- SQL Server (10)
- Strange Error (3)
- Terminal Server (64)
- Unattended Installation (18)
- Uncategorized (31)
- Vista (34)
- VMWare (20)
- Windows 2003 (20)
- Windows 2008 (32)
- Windows 2008 R2 (11)
- Windows 7 (23)
- Windows Internals (8)
- Windows XP (12)
Archives
- January 2012 (9)
- December 2011 (9)
- November 2011 (4)
- October 2011 (5)
- September 2011 (10)
- August 2011 (10)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (14)
- February 2011 (8)
- January 2011 (32)
- December 2010 (23)
- November 2010 (19)
- October 2010 (10)
- September 2010 (6)
- August 2010 (1)
- July 2010 (1)
- June 2010 (6)
- March 2010 (7)
- February 2010 (3)
- December 2009 (3)
- November 2009 (11)
- September 2009 (2)
- July 2009 (1)
- June 2009 (5)
- May 2009 (1)
- April 2009 (2)
- March 2009 (3)
- February 2009 (6)
- January 2009 (3)
- December 2008 (8)
- November 2008 (5)
- October 2008 (3)
- September 2008 (3)
- August 2008 (3)
- June 2008 (6)
- May 2008 (2)
- April 2008 (3)
- March 2008 (5)
- January 2008 (3)
- December 2007 (3)
- November 2007 (13)
- October 2007 (10)
2 Responses for "Random Active Directory Notes #4"
Hi Remko,
I was just wondering how JwsclActiveDirectory is going? I’m keen to use it in a program I’m writing to dynamically add/remove users to groups, based on which computer they use to log into the Terminal Server.
Cheers,
Alex
I too am keen to use this, but i can’t get it to compile.
There seems to be lots of dependencies missing. I am new to JEDI. Is there a step by step guide on where all the files should be placed?
I have added \WIN32API folder to my search path, but then i notice that it needs \WIN32API\jwaWindows folder as well. So i added this, then it complains that it cant find JwaWinDLLNames.pas… and it goes on.
Leave a reply