3.1.5.13.7.2 SamValidatePasswordChange

The following table lists the constraints that MUST be satisfied (in the order presented) in order to return the associated output parameters to the client. All fields of ValidatePasswordChangeOutput MUST be set to 0 before any constraints are met.

Each constraint is listed with its condition (fields based on ValidatePasswordChangeInput) and the resulting ValidatePasswordChangeOutput changes.

Constraint 1

Condition: LockoutTime plus DomainLockoutDuration is greater than the current time.

Output changes: ValidationStatus MUST be set to SamValidateAccountLockedOut.

Constraint 2

Condition: LockoutTime plus DomainLockoutDuration is less than or equal to the current time.

Output changes: LockoutTime MUST be set to 0.

Constraint 3

Condition: PasswordLastSet plus DomainMinimumPasswordAge is greater than the current time.

Output changes: ValidationStatus MUST be set to SamValidatePasswordTooRecent.

Constraint 4

Condition: PasswordMatch is zero, and BadPasswordTime plus DomainLockoutObservationWindow is greater than or equal to the current time.

Output changes:

  1. ValidationStatus MUST be set to SamValidatePasswordIncorrect.

  2. BadPasswordCount MUST be set to ValidatePasswordChangeInput.BadPasswordCount plus 1.

  3. BadPasswordTime MUST be set to the current time.

Constraint 5

Condition: PasswordMatch is zero, and BadPasswordTime plus DomainLockoutObservationWindow is less than the current time.

Output changes:

  1. ValidationStatus MUST be set to SamValidatePasswordIncorrect.

  2. BadPasswordCount MUST be set to 1.

  3. BadPasswordTime MUST be set to the current time.

  4. If DomainLockoutThreshold is greater than 0 and BadPasswordCount is greater than or equal to DomainLockoutThreshold, LockoutTime MUST be set to the current time.

Constraint 6

Condition: PasswordMatch is nonzero, and HashedPassword is equal to at least one of the first DomainPasswordHistoryLength elements of PasswordHistory (without exceeding the number of elements in PasswordHistory) where the Length field of HashedPassword is equal to the Length field of the PasswordHistory element.

Output changes: ValidationStatus MUST be set to SamValidatePasswordIsInHistory.

Constraint 7

Condition: PasswordMatch is nonzero.

Output changes:

  1. The constraints in section 3.1.1.8.5 MUST be satisfied, where sAMAccountName is ValidatePasswordChangeInput.UserAccountName and userAccountControl is UF_NORMAL_ACCOUNT; on error, ValidationStatus MUST be set as follows:

    1. If the minimum password length constraint fails, ValidationStatus MUST be SamValidatePasswordTooShort.

    2. If the maximum password length constraint fails, ValidationStatus MUST be SamValidatePasswordTooLong.

    3. If any other constraint in section 3.1.1.7.2 or section 3.1.1.8.5 fails, ValidationStatus MUST be SamValidatePasswordNotComplexEnough.<73>

  2. If any constraint from item 1 failed, the server MUST return STATUS_SUCCESS.

  3. Otherwise (if no constraint from item 1 failed), PasswordHistory MUST be updated such that ValidatePasswordChangeInput.HashedPassword is the first element in PasswordHistory, and ValidatePasswordChangeInput.InputPersistedFields.PasswordHistory elements are used, starting from the left, to fill the remaining elements of PasswordHistory such that PasswordHistory contains as many elements as possible up to DomainPasswordHistoryLength elements.

  4. PasswordHistoryLength MUST be updated to be DomainPasswordHistoryLength.

  5. PasswordLastSet MUST be set to the current time.

  6. BadPasswordCount is set to 0.

  7. ValidationStatus MUST be set to SamValidateSuccess.

  8. The server MUST return any processing errors; otherwise, it MUST return STATUS_SUCCESS.
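The constraint table above, transcribed into a function as an added example (it is not part of the specification text). It assumes evaluation stops at the first constraint that sets ValidationStatus and that constraint 2 is a non-terminal reset; times are plain integers, the dictionary keys mirror the field names, and the `policy_failure` parameter is a name chosen here to stand in for the section 3.1.1.8.5 checks.

```python
NOW = 1_000_000  # constructed clock value; all times are plain integers here
DOMAIN = {"LockoutDuration": 1800, "LockoutObservationWindow": 1800,
          "LockoutThreshold": 3, "MinimumPasswordAge": 86400,
          "PasswordHistoryLength": 2}                       # constructed policy
ACCOUNT = {"LockoutTime": 0, "PasswordLastSet": NOW - 200_000,
           "BadPasswordTime": NOW - 60, "BadPasswordCount": 2,
           "PasswordHistory": [b"h1", b"h2", b"h3"]}        # constructed input


def validate_password_change(inp, dom, now, password_match, hashed_password,
                             policy_failure=None):
    """Return (ValidationStatus, output fields set) per constraints 1-7.

    policy_failure (assumption) replaces the section 3.1.1.8.5 checks:
    None, or the SamValidatePassword* status those checks would report.
    """
    out = {}  # models only the fields a constraint sets; the rest stay 0
    # 1. Lockout still in force: report it and stop.
    if inp["LockoutTime"] + dom["LockoutDuration"] > now:
        return "SamValidateAccountLockedOut", out
    # 2. Complement of 1, so it always holds here; assumed non-terminal.
    out["LockoutTime"] = 0
    # 3. Minimum password age not yet reached.
    if inp["PasswordLastSet"] + dom["MinimumPasswordAge"] > now:
        return "SamValidatePasswordTooRecent", out
    if not password_match:
        out["BadPasswordTime"] = now
        if inp["BadPasswordTime"] + dom["LockoutObservationWindow"] >= now:
            # 4. Inside the window: count up. The table lists no lockout step.
            out["BadPasswordCount"] = inp["BadPasswordCount"] + 1
        else:
            # 5. Window elapsed: restart at 1, then apply the threshold test
            #    (assumed to compare the updated count).
            out["BadPasswordCount"] = 1
            if 0 < dom["LockoutThreshold"] <= out["BadPasswordCount"]:
                out["LockoutTime"] = now
        return "SamValidatePasswordIncorrect", out
    # 6. Reuse check over the first DomainPasswordHistoryLength entries;
    #    bytes equality already implies equal Length.
    depth = dom["PasswordHistoryLength"]
    if hashed_password in inp["PasswordHistory"][:depth]:
        return "SamValidatePasswordIsInHistory", out
    # 7. Policy checks, then commit the new hash at the front of the history.
    if policy_failure:
        return policy_failure, out
    out["PasswordHistory"] = ([hashed_password] + inp["PasswordHistory"])[:depth]
    out["PasswordHistoryLength"] = depth
    out["PasswordLastSet"] = now
    out["BadPasswordCount"] = 0
    return "SamValidateSuccess", out
```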