INFO: WinLogon Change Password Behavior in Windows NT DSClient (288359)



The information in this article applies to:

  • Microsoft Active Directory Client Extension, when used with:
    • the operating system: Microsoft Windows NT 4.0 SP6a
  • Microsoft Active Directory Services Interface, Microsoft Active Directory Client

This article was previously published under Q288359

SUMMARY

The Active Directory Client Extension (DSClient) for Windows NT 4.0 extends the operating system's abilities so that it can take advantage of many Windows 2000 features. However, it does not alter the existing functionality for changing the password through the user interface.

MORE INFORMATION

In Windows NT 4.0, the user interface for changing passwords resides in WinLogon. This component calls the security account manager (SAM) to change passwords. The Windows NT 4.0 WinLogon capabilities are not updated or extended by the DSClient installation. Therefore, a user who changes a password through this dialog box is not routed to the closest writable domain controller (DC). Instead, he or she is routed to the primary domain controller (PDC).

The Windows NT 4.0 DSClient has all the necessary components in place to make a site-aware change password call. You can write a program with the following algorithm (assuming the Windows NT 4.0 DSClient is installed):
If (DSClient is installed) Then
     dc = DsGetDcName(DS_WRITABLE_REQUIRED)
     Call NetUserChangePassword(dc, ...)
End If


Or, you can use Active Directory Services Interface (ADSI):
  1. Find the username to be changed (GetUserName or IADsWinNTSystemInfo).

    For example:
    Set oWinnt = CreateObject("WinNTSystemInfo")
    strUser = oWinnt.UserName
    					
  2. Get the distinguished name (DN) of the domain to which the interactive user is currently logged on:

    For example:
    Set oRootDSE = GetObject("LDAP://RootDSE")
    domainDN = oRootDSE.Get("defaultNamingContext")
    					
  3. Find the user based on the current domain DN, and pass the username obtained via IADsWinNTSystemInfo as the filter:
    filter = "(&(samAccountType=805306368)(samAccountName=" & strUser & "))"
    					
  4. Once you've obtained the user's ADsPath from the query above, bind to that object.
  5. Use IADsUser::ChangePassword to change the password.

NOTES:

  • Neither of the methods described in this section will update the local password cache. The user still has to log off and log back on to update his or her password cache.
  • If DSClient is not installed, calling GetProcAddress() with DsGetDcName will fail.

REFERENCES

For additional information, see the following articles in the Microsoft Knowledge Base:

264480 Description of Password-Change Protocols in Windows 2000

187529 HOWTO: Use ADO to Access Objects Through an ADSI LDAP Provider

269190 HOWTO: Change a Windows 2000 User's Password Through LDAP

288358 HOWTO: Install the Active Directory Client Extension


Modification Type: Major
Last Reviewed: 2/12/2004
Keywords: kbDSWADSI2003Swept kbinfo KB288359 kbAudDeveloper