
Change Password of a local Windows user

Usually it is possible to change one's own password in Windows without having admin rights.

I'm writing a tool to manage users and groups on several servers/clients. I also want to give a client the right to edit his own password. The clients don't have admin rights, of course. To change a user's password with admin rights I used DirectoryEntry like this:

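using System;
using System.DirectoryServices;

// username and newPassword are supplied by the surrounding tool.
try
{
    // Bind to the local machine's account database through the WinNT provider.
    DirectoryEntry localDirectory =
        new DirectoryEntry("WinNT://" + Environment.MachineName);
    DirectoryEntries users = localDirectory.Children;
    DirectoryEntry user = users.Find(username);
    // SetPassword resets the password without asking for the old one.
    user.Invoke("SetPassword", newPassword);

    Console.WriteLine("Success!");
    Console.ReadLine();
}
catch (Exception ex)
{
    Console.WriteLine(ex.Message);
    Console.ReadLine();
}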

The problem here is that DirectoryServices is not available without admin rights. Therefore I would like a workaround that works without admin rights (only necessary for changing your own password).

Jirayia asked Aug 19 '14 14:08



2 Answers

SetPassword requires admin rights to execute - which is not something you probably want to do. ChangePassword does not and can be used by the end user themselves. It takes the old password and new password as arguments. This would be the preferred way of executing this and it would also verify their identity.

eMi answered Oct 09 '22 20:10
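
The approach from the answer above, as an added example (not code from the question or from either answer): the logged-on user changes their own local password by invoking ChangePassword through the WinNT provider, which takes the old password as proof of identity. It assumes a local (not domain) account whose name equals Environment.UserName; the class name and the ReadSecret helper are illustrative.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;

static class SelfServicePasswordChange
{
    // Read a line from the console without echoing the typed characters.
    static string ReadSecret(string prompt)
    {
        Console.Write(prompt);
        var sb = new StringBuilder();
        for (ConsoleKeyInfo k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
        {
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(k.KeyChar)) sb.Append(k.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }

    static int Main()
    {
        // Bind directly to the caller's own account instead of enumerating all users.
        string path = "WinNT://" + Environment.MachineName + "/" + Environment.UserName + ",user";
        string oldPassword = ReadSecret("Current password: ");
        string newPassword = ReadSecret("New password: ");
        if (newPassword != ReadSecret("Repeat new password: ")) { Console.Error.WriteLine("New passwords do not match."); return 1; }
        try
        {
            using (var user = new DirectoryEntry(path))
            {
                // ChangePassword requires the old password; SetPassword (the admin reset) does not.
                user.Invoke("ChangePassword", oldPassword, newPassword);
            }
            Console.WriteLine("Password changed.");
            return 0;
        }
        catch (TargetInvocationException ex)
        {
            // Invoke wraps the ADSI failure; the inner COMException carries the real reason
            // (wrong old password, password policy not met, access denied).
            var com = ex.InnerException as COMException;
            Console.Error.WriteLine(com != null ? $"Failed (0x{com.ErrorCode:X8}): {com.Message}" : ex.Message);
            return 1;
        }
    }
}
```

Printing only ex.Message from the outer exception would show the generic invocation error, so the inner COMException is what tells the user whether the old password was wrong or the new one was rejected by policy.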


You could theoretically use a workaround by using the WinNT provider to instantiate the DirectoryEntry object, enabling the user to change passwords without supplying domain admin rights. You might also consider the code posted here, using an encrypted database to store admin credentials.

This is a risky move, perhaps, depending on the nature of your storage (you could use a hash of the MAC address of the machine as a password maybe?), but I'm not sure there is another method of doing this. As far as I'm aware, the answer supplied by eMi wouldn't work without an authenticated instance of DirectoryEntry, although I could be wrong.

Wolfish answered Oct 09 '22 21:10