
Description of password-change protocols in Windows

Windows uses many different mechanisms for changing passwords. This article describes those mechanisms.
The supported password-change protocols are:
1) The NetUserChangePassword protocol
2) The NetUserSetInfo protocol
3) The Kerberos change-password protocol (IETF Internet Draft Draft-ietf-cat-kerb-chg-password-02.txt) [port 464]
4) The Kerberos set-password protocol (IETF Internet Draft Draft-ietf-cat-kerberos-set-passwd-00.txt) [port 464]
5) Lightweight Directory Access Protocol (LDAP) write-password attribute (if 128-bit Secure Sockets Layer [SSL] is used)
6) XACT-SMB for pre-Microsoft Windows NT (LAN Manager) compatibility
Change-password operations require that the user's current password be known before the change is allowed. Set-password operations do not have this requirement, but are controlled by the Reset Password permissions on the account.

When you are using LDAP (method 5), the domain controller and the client must both be able to use 128-bit SSL to protect the connection. If the domain controller is not configured for SSL or if appropriately long keys are not available, the password-change write is denied.
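The following added example (not part of the original article) shows how the change/set distinction looks on the wire for LDAP (method 5). It assumes Active Directory's documented `unicodePwd` attribute, which the article does not name: the value is the quoted password in UTF-16LE, a change is a delete of the old value plus an add of the new one, and a set is a single replace. The helper names and sample passwords are constructed for illustration.

```python
from typing import Optional

MIN_CIPHER_BITS = 128  # the article's requirement for LDAP password writes


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_modify(new_password: str, old_password: Optional[str] = None,
                          cipher_bits: int = 0) -> list:
    """Return the LDAP modify operations for a password write.

    old_password given -> change-password: delete old value + add new value.
    old_password None  -> set-password: one replace, authorised by the
                          Reset Password permission on the account.
    """
    if cipher_bits < MIN_CIPHER_BITS:
        # Models the domain controller's behaviour: the write is denied.
        raise PermissionError(
            f"password write refused: {cipher_bits}-bit channel, "
            f"{MIN_CIPHER_BITS}-bit SSL required")
    new_value = encode_unicode_pwd(new_password)
    if old_password is None:
        return [("replace", "unicodePwd", [new_value])]
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [new_value]),
    ]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for op in build_password_modify("N3w-Sample!", "Old-Sample1", cipher_bits=256):
        print("change:", op[0], op[1], op[2][0].hex())
    for op in build_password_modify("N3w-Sample!", cipher_bits=256):
        print("set:   ", op[0], op[1], op[2][0].hex())
    try:
        build_password_modify("N3w-Sample!", cipher_bits=0)  # unencrypted bind
    except PermissionError as exc:
        print("denied:", exc)
```

The operation tuples map directly onto the delete/add/replace modifications of an LDAP modify request, so they can be handed to whichever LDAP client library is in use.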

An Active Directory domain controller listens for change-password requests on all of these protocols.

As stated earlier in this article, different protocols are used in different circumstances. For example:
Interoperable Kerberos clients use the Kerberos protocols. UNIX-based systems with MIT Kerberos version 5 1.1.1 can change user passwords in a Windows-based domain by using the Kerberos change-password protocol (method 3).
When a user changes his or her own password by pressing CTRL+ALT+DELETE and then clicking Change Password, on Windows NT up to Windows 2003 the NetUserChangePassword mechanism (method 1) is used if the target is a domain. From Windows Vista onwards, the Kerberos change-password protocol is used for domain accounts. If the target is a Kerberos realm, the Kerberos change-password protocol (method 3) is used.
Requests to change a password from computers that are running Microsoft Windows 95/Microsoft Windows 98 use XACT-SMB (method 6).
A program that uses the ChangePassword method on the Active Directory Services Interface (ADSI) IADsUser interface first tries to change the password by using LDAP (method 5), and then by using the NetUserChangePassword protocol (method 1).
A program that uses the SetPassword method on the ADSI IADsUser interface first tries to change the password by using LDAP (method 5), then the Kerberos set-password protocol (method 4), and then the NetUserSetInfo protocol (method 2).
The Active Directory Users and Computers snap-in uses ADSI operations for setting user passwords.

Refer to Microsoft Article:-

Popular posts from this blog

How to schedule an Automatic Reboot of WatchGuard Firebox?

We have a customer who is having some issues with the WatchGuard firewall.
We want to schedule a reboot of the Firebox each morning at 04:30 AM so that when the customer arrives in the office he does not face any problems.
To do this:
1) Click the WatchGuard Firebox icon (you may have a shortcut on your desktop).
2) Enter the password to connect to the firewall concerned.
3) Once you are connected, go to File > Connect to Device, choose the firewall IP and click Connect. It may ask for the password; please provide it.
4) Once you are connected, it will show you the firewall with all its configuration.
5) Right-click it and go to Policy Manager. When Policy Manager opens, click "Setup" and then "Global Settings". At the end you will find an option to define the time at which you want the scheduled reboot.

After making the change, don't forget to save it to the firewall config file.

"Options" option not working on OWA (Outlook Web Access)

When we open OWA and go to Options to change the password, configure Out of Office or do something else, we get logged out.


To resolve this, you must connect to your Exchange Server.
Go to EMC > Server Configuration > Exchange Control Panel > ECP > Properties. Change the ECP settings (changed from Use Form based authentication to Basic Authentication). It will work now.

Unable to install AVG, Error code:0xC0070643, Solved...!!

We want to install AVG Business edition on one of our servers running Windows Server 2008 R2.
Whenever we try to install it, we get the "Error Code:0xC0070643. Installing 3rd parties redistributables.,MSI action failed.".
I tried running the AVG Remover; still not resolved. I checked and found that the OS is updated with the latest hotfixes, so there is no issue with Windows Updates. I rebooted the server; still not resolved. Finally I found a link from the AVG Support center, Fix for 0xC0070643. I ran the tool and it showed me that the error was not solved, but I still tried running Installer.exe again, and finally it installed successfully.
Let me know if you have any questions..!!