Active Directory SharePoint user validating

16-Mar-2015 01:34

To determine password change or password expired, you may call Win32: LogonUser(), and check the Windows error code for the following 2 constants:

@cciotti: No, that's wrong.

The BEST way to correctly authenticate someone is to use the LogonUser API as @stephbu writes.

There will be no trust between my machine and remote Active Directory machine.

With every method presented so far, you may get a false negative: a user's creds will be valid, however AD will return false under certain circumstances. Active Directory will not allow you to use LDAP to determine if a password is invalid due to the fact that a user must change password or if their password has expired.

These are the same error codes which would be returned by otherwise invoking the Win32 LogonUser API call. The list below summarizes a range of common values with hex and decimal values:

525 user not found (1317)
52e invalid credentials (1326)
530 not permitted to logon at this time (1328)
531 not permitted to logon at this workstation (1329)
532 password expired (1330)
533 account disabled (1331)
701 account expired (1793)
773 user must reset password (1907)
775 user account locked (1909)

My question, though, is this: how do you get the LDAP server name?

All other methods described in this post will NOT WORK 100%.

That code is not going to work on LDAPs that are not secured (Anonymous or None perhaps).

The down-side to querying an AD server is that you have permission to query the AD server. Just a note however, I do believe you have to be domain joined in order to call LogonUser.

[email protected] to generate credentials you have to be able to connect to the domain by handing in a valid domain account. Your credential can be valid, but if you don't have permission to query AD, then you will get the error.
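As an added example that is not part of this thread: a small Python parser for the "data NNN" sub-code that AD puts in the diagnostic text of a failed simple bind, mapping it to the list above and flagging the two codes (532 and 773) for which the supplied password was actually correct. The message shape and the sample strings are constructed for this example; the DSID and version suffixes are placeholders.

```python
import re
from typing import NamedTuple, Optional

# Hex sub-codes AD reports in a failed bind's error text, with the Win32
# decimal equivalents and descriptions from the list in the thread.
AD_BIND_CODES = {
    0x525: (1317, "user not found"),
    0x52E: (1326, "invalid credentials"),
    0x530: (1328, "not permitted to logon at this time"),
    0x531: (1329, "not permitted to logon at this workstation"),
    0x532: (1330, "password expired"),
    0x533: (1331, "account disabled"),
    0x701: (1793, "account expired"),
    0x773: (1907, "user must reset password"),
    0x775: (1909, "user account locked"),
}
# Sub-codes AD returns even though the supplied password was correct: the
# bind fails, but the credential is valid (the false negative described above).
PASSWORD_WAS_CORRECT = {0x532, 0x773}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

class BindFailure(NamedTuple):
    subcode: int
    win32_code: Optional[int]
    reason: str
    password_ok: bool

def classify_bind_error(message: str) -> BindFailure:
    """Extract the 'data NNN' sub-code from an AD bind failure and classify it."""
    m = _DATA_RE.search(message)
    if not m:
        return BindFailure(-1, None, "no AD sub-code in message", False)
    sub = int(m.group(1), 16)
    win32, reason = AD_BIND_CODES.get(sub, (None, "unrecognised sub-code"))
    return BindFailure(sub, win32, reason, sub in PASSWORD_WAS_CORRECT)

# Constructed sample bind failures in the shape AD uses; the DSID and version
# suffixes are placeholders, not captured values.
SAMPLES = {
    "wrong_pw": "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1",
    "expired": "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 532, v1db1",
    "must_change": "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 773, v1db1",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        r = classify_bind_error(msg)
        print(f"{name:12} data {r.subcode:x}: {r.reason} (Win32 {r.win32_code}); password correct: {r.password_ok}")
```

A validator that treats every bind failure as "wrong password" will reject users whose password merely expired; checking `password_ok` lets it route them to a password change instead.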