
Rotating Passwords in Active Directory

25 Nov 2011, CPOL
A tool to rotate Windows Active Directory passwords.


Introduction

This tool will rotate your Active Directory password, often allowing you to "change" your password to the same one.

Background

My company forces me to change my password every 30 days. I like the policy, but I also like to use just a couple of passwords: I can maybe remember 2 or 3, but definitely not fifteen. Unfortunately, I can't even change my password back to a value that I used a month ago. The Active Directory domain rules prohibit me from doing so.

Nothing that a little software can't work around :)

Using the Tool and ActiveDirectory Policies

There are several Active Directory policies (GPO) that you should be aware of before you run the tool. They enforce limitations that can end up locking your account and getting you in trouble with your IT organization. You want to know how many password change requests you can make before you get locked out, what the password complexity rules are, and how many previous passwords Active Directory "remembers".

There are a few articles that describe the policies themselves.

Implementation

Changing the Active Directory Password

Active Directory functions are exposed by the System.DirectoryServices assembly and by the Active DS Type Library, a COM object (activeds.dll) registered on all Windows systems. The first step is to add a reference to both. The first gives us LDAP functionality to locate the Active Directory user record; the second is used to change the password.

The complete code to change the password looks like this:

C#
// Resolve the distinguished name of the logged-on user via ADSI (ADSystemInfo).
IADsADSystemInfo sysInfo = new ADSystemInfoClass();
DirectoryEntry currentUser = 
  new DirectoryEntry(string.Format("LDAP://{0}", sysInfo.UserName));

// IADsUser.ChangePassword takes the old and the new password, in that order.
object[] passwordChangeRequest = new object[] 
{
    oldPassword,
    newPassword
};

// Invoke the COM method through late binding and flush pending changes.
currentUser.Invoke("ChangePassword", passwordChangeRequest);
currentUser.CommitChanges();

Note that since the change methods are implemented in COM, the exceptions raised from this code are generic wrappers; the real cause (typically a COMException carrying the Win32 HRESULT) is found in the exception's InnerException.
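The following helper is an added example, not code from the article or its download: it wraps the same ChangePassword call, adds the simulation mode the tool exposes (assumed here as a plain boolean), and unwraps the TargetInvocationException so the caller sees the underlying COM HRESULT rather than the generic wrapper. The method name and the error-formatting are this example's own.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;
using ActiveDs; // interop assembly for the Active DS Type Library (activeds.dll)

static class PasswordChanger
{
    // Changes the logged-on user's AD password. Returns true on success; on
    // failure, 'error' holds the real COM error instead of the generic wrapper.
    // In simulation mode the user record is located but nothing is changed.
    public static bool TryChangePassword(string oldPassword, string newPassword,
                                         bool simulate, out string error)
    {
        error = null;
        IADsADSystemInfo sysInfo = new ADSystemInfoClass();
        using (DirectoryEntry currentUser =
            new DirectoryEntry(string.Format("LDAP://{0}", sysInfo.UserName)))
        {
            if (simulate)
            {
                Console.WriteLine("[simulate] would call ChangePassword on {0}", currentUser.Path);
                return true;
            }
            try
            {
                currentUser.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
                currentUser.CommitChanges();
                return true;
            }
            catch (TargetInvocationException ex)
            {
                // DirectoryEntry.Invoke wraps the COM failure; look inside.
                COMException com = ex.InnerException as COMException;
                if (com != null)
                {
                    // ErrorCode is the HRESULT, e.g. 0x8007052E for a wrong old password.
                    error = string.Format("0x{0:X8}: {1}", com.ErrorCode, com.Message);
                }
                else
                {
                    error = ex.InnerException != null ? ex.InnerException.Message : ex.Message;
                }
                return false;
            }
        }
    }
}
```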

Generating Random Passwords

Because we're going to be rotating passwords, we need a number of seemingly random passwords that fit the security requirements of the current Active Directory domain. I found a well-written and ready-to-use Obviex RandomPassword Class that does it.

Putting it all Together

A couple of things remain to be done: passing command-line arguments and looping to change the actual password. I've used Peter Hallam's CommandLine Argument Parser and exposed options that include the number of passwords to rotate through and a simulation mode.

Source Code and Patches

The latest version of this article and source code can always be found in Subversion under this link. You can also browse the source code. You can find the latest information about this library at code.dblock.org. You're encouraged to submit patches for added functionality and bug fixes; please direct everything to dblock at dblock dot org.

History

  • 01/09/2009: Initial version.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).


Written By
dB.
Team Leader, Application Security Inc., www.appsecinc.com
United States
Daniel Doubrovkine has been in software engineering for twelve years and is currently development manager at Application Security Inc. in New York City. He has been involved in many software ventures, including Xo3 and Vestris Inc, was a development lead at Microsoft Corp. in Redmond, and director of Engineering at Visible Path Corp. in New York City. Daniel also builds and runs a foodie website, http://www.foodcandy.com.
