Reset a user's password in Active Directory with a Domain Admin account or other service account

In Active Directory you can set and enforce rules where users have to use strong passwords, can't reuse the last 5+ passwords they already had, and must meet password complexity. Is there a way to enforce such settings so that if a service account (a password reset web service) tries to set a new password for a user, it is checked against the policy and is either accepted or denied?

It seems that since the service account is forcing the password change, the user can type in the same password via the web interface and keep on using the same password over and over again. Since it is a service account changing the password for them, it is not checked against the last known passwords, hence the password rules are not enforced.

While a programmer could code a complexity check, the last-passwords-used check can't be done on the web interface because the web service doesn't have knowledge of the last passwords.

Is it possible to force it so that such a change of the password by a service account is also restricted like a normal user password change would be?


Solution 1:

In AD there are two types of operations to change a user's password - a change, which can be executed anonymously because it requires the old password as part of the request, and a reset, which does not require the old password and must be done by a user with the access needed to reset passwords for the account being targeted.

In this case, the software application is doing the reset operation, without knowledge of the user's old password but while authenticated as presumably a service account with the needed rights.

From the perspective of AD, the password is being administratively reset; password history is never enforced in this case, since the administrator doing the reset shouldn't know the user's old passwords - if they have a habit of setting the new pass to, say, Thursday1, having that fail to meet policy on a reset operation would be quite confusing.

While a poor user experience, the best mechanism that I can think of to handle this would be to have the web application reset the password (maybe to something they don't enter, just generated) then set the "must change password on next login" flag on the account to force the user to immediately do a password change operation, which will enforce history.

There's some discussion of using LDAP APIs in .Net to achieve the goal of enforcing history on this kind of reset here, but I'm not sure if this will be an option for you depending on the application you're using; if you control the code and the LDAP library you're using supports controls then it should be doable.
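As an added illustration (not part of the original answer), the Python below builds, offline, the LDAP modify payloads behind both approaches: the reset-plus-`pwdLastSet=0` fallback, and a reset carrying the LDAP_SERVER_POLICY_HINTS_OID request control that asks the DC to apply password history to an administrative reset. `unicodePwd`, `pwdLastSet` and the control OID are real AD identifiers; the `("MODIFY_REPLACE", [...])` tuple shape is an assumption modelled on ldap3's `modify()` and would be adapted to whatever library is in use.

```python
"""Construct AD password-reset modify operations without contacting a DC.

Added example, not the original answer's code. Actually sending these
requires an LDAPS or signed/sealed bind as the service account; a DC refuses
unicodePwd writes over plain LDAP.
"""
import secrets
import string

# LDAP_SERVER_POLICY_HINTS_OID (Windows Server 2012+ DCs): makes the server
# apply password history to a reset, which it otherwise skips by design.
POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
POLICY_HINT_ENFORCE_HISTORY = 0x1


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def policy_hints_control(flags: int = POLICY_HINT_ENFORCE_HISTORY):
    """Return (oid, criticality, value) for the policy-hints request control.

    Value is BER: SEQUENCE { INTEGER flags }, i.e. 30 03 02 01 <flags>
    for single-byte flag values.
    """
    ber_int = bytes([0x02, 0x01, flags])
    value = bytes([0x30, len(ber_int)]) + ber_int
    return POLICY_HINTS_OID, True, value


def generate_password(length: int = 24) -> str:
    """Throwaway random password for a reset the user never sees or types."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_reset_with_forced_change(password: str = "") -> dict:
    """Approach from the answer: reset to a generated password and set
    pwdLastSet=0 ("must change password at next logon"), so the user then
    performs a real *change*, which the DC checks against history."""
    pwd = password or generate_password()
    return {
        "unicodePwd": ("MODIFY_REPLACE", [encode_unicode_pwd(pwd)]),
        "pwdLastSet": ("MODIFY_REPLACE", [b"0"]),
    }


def build_reset_with_policy_hints(password: str):
    """Control-based approach: reset directly but attach the hint so the DC
    enforces history itself. Returns (changes, controls)."""
    changes = {"unicodePwd": ("MODIFY_REPLACE", [encode_unicode_pwd(password)])}
    return changes, [policy_hints_control()]
```

With the control attached, a reset to a password already in the user's history fails on the DC instead of silently succeeding, so the web service needs no knowledge of old passwords.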