
The ChangePassword invocation with DirectoryEntry object

No matter what I'm trying to throw at it, this method here always results in the following exception:

    var retVal = this.DirectoryEntry.Invoke("ChangePassword", new object[] { oldPassword, newPassword }) == null;

InnerException = {"The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)"}

I naturally checked domain default policy (none found in my test domain), OU Group policy (none exists) and cannot find anything that could govern the password policy, yet no matter how long or complex the password I supply into the function is, it results in the same exception. Now the most interesting part is when I do the same (for the same DirectoryEntry object and the same password) by calling this:

    var retVal = this.DirectoryEntry.Invoke("SetPassword", new object[] { newPassword }) == null;

The last call succeeds w/o any issues.

dexter asked Feb 01 '11 23:02


2 Answers

There are a number of group policies that affect the password complexity. Most of them are turned on by default after you install Active Directory. If you have never touched them after you set up your test domain, very likely those password policies are still in place.

This is what my test domain default domain security settings look like. If you didn't change it before, it should look similar.

Default Domain Security Settings

You can find detailed descriptions of each of the policies on MSDN. I will just include a summary and a link here.

  • Enforce password history - Make sure you are not reusing the old password.
  • Maximum password age - Make sure you cannot use the same password for more than a period of time. It defaults to 42 days.
  • Minimum password age - Make sure you cannot change the password until it has been more than a period of time. It defaults to 1 day in a domain.
  • Minimum password length - Self-explanatory. It defaults to 7 characters on a domain controller.
  • Password must meet complexity requirements - Make sure you are using a combination of letters, numbers and symbol characters in your password.

All the above settings can be the cause of your 0x800708C5 error. In particular, I guess it's the "minimum password age" password policy causing you trouble. It's by default set to 1 day. If your test account is a new user account created just now, you may not change your password in the same day.

So now, you may think that in your test environment, you should disable all these password policies for development purposes. I wouldn't recommend simply making all the policies undefined by unchecking the checkbox in the property pages. I would recommend the following settings.

  • Enforce password history - 0, which means never check password history
  • Maximum password age - 0, which means the password never expires
  • Minimum password age - 0, which means you can change password immediately
  • Minimum password length - 0, which means you don't need to set any password
  • Password must meet complexity requirements - Disabled, which means it accepts any passwords

One final step you need to do is to populate the group policy to your machine again. Remember, the group policy is the settings stored on Active Directory. The machine group policies are applied at the machine bootup time while the user group policies are applied at the user logon time. Password policies are one of those machine policies. So, you can either reboot your computer now or you can go to command prompt and run gpupdate.

I hope I didn't miss any important information. Let me know if it still doesn't work :)

Harvey Kwok answered Nov 16 '22 16:11
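
As an added example (not part of the answer above and not Microsoft sample code), the following C# program checks whether the minimum password age the answer suspects is what blocks `ChangePassword`, by comparing the domain's `minPwdAge` with the account's `pwdLastSet`. The LDAP paths are placeholders, the class and method names are hypothetical, and only the domain-wide policy is read, so a fine-grained password policy applied to the account is not considered.

```csharp
using System;
using System.DirectoryServices;

static class PasswordAgeCheck   // hypothetical name, not from the original post
{
    // Reads one large-integer attribute from a single object. DirectorySearcher
    // returns these as Int64, whereas DirectoryEntry.Properties returns a COM
    // IADsLargeInteger that needs extra conversion.
    static long ReadInt64(DirectoryEntry entry, string attribute)
    {
        using (var searcher = new DirectorySearcher(entry, "(objectClass=*)",
                                                    new[] { attribute }, SearchScope.Base))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || !result.Properties.Contains(attribute))
                return 0;
            return (long)result.Properties[attribute][0];
        }
    }

    // Time the user must still wait before a ChangePassword call can pass the
    // minimum-password-age check; TimeSpan.Zero means the age check is satisfied.
    public static TimeSpan RemainingMinimumAge(DirectoryEntry domainRoot, DirectoryEntry user)
    {
        // minPwdAge: negative count of 100 ns intervals on the domain object (0 = no minimum).
        long minPwdAge = ReadInt64(domainRoot, "minPwdAge");
        // pwdLastSet: FILETIME of the last change (0 = must change at next logon).
        long pwdLastSet = ReadInt64(user, "pwdLastSet");
        if (minPwdAge >= 0 || minPwdAge == long.MinValue || pwdLastSet <= 0)
            return TimeSpan.Zero;

        DateTime earliest = DateTime.FromFileTimeUtc(pwdLastSet) + TimeSpan.FromTicks(-minPwdAge);
        TimeSpan wait = earliest - DateTime.UtcNow;
        return wait > TimeSpan.Zero ? wait : TimeSpan.Zero;
    }

    static void Main()
    {
        // Placeholder LDAP paths (assumptions): substitute your own test domain and account.
        using (var domain = new DirectoryEntry("LDAP://DC=example,DC=test"))
        using (var user = new DirectoryEntry("LDAP://CN=Test User,CN=Users,DC=example,DC=test"))
        {
            TimeSpan wait = RemainingMinimumAge(domain, user);
            Console.WriteLine(wait == TimeSpan.Zero
                ? "Minimum password age is not blocking ChangePassword."
                : "Minimum password age blocks ChangePassword for another " + wait);
        }
    }
}
```

If the reported wait is zero, the remaining candidates from the list above are history, length and complexity.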


I don't have a direct answer but there is another similar question here: https://stackoverflow.com/questions/2517262

Be careful with SetPassword as it will destroy private user crypto keys: http://msmvps.com/blogs/alunj/archive/2006/11/07/ChangePassword-versus-SetPassword.aspx

Justin Morgan answered Nov 16 '22 15:11