Calling NetrServerPasswordSet

The client MUST do the following:

  • Have a secure channel established with a DC in the domain identified by domain-name, and pass its name as the PrimaryName parameter.

  • Pass the encrypted new password:

    1. Compute the NTOWFv1 ([MS-NLMP] section 3.3.1) of the new password.

    2. Encrypt ([MS-SAMR] section the result of step 1 using the Session-Key for the secure channel as the specified key.

    3. Pass the result of step 2 as the UasNewPassword parameter.

  • Pass a valid client Netlogon authenticator as the Authenticator parameter.

After the method returns, the client MUST verify the ReturnAuthenticator as specified in section

On receiving STATUS_ACCESS_DENIED, the client SHOULD<90> re-establish the secure channel with the domain controller.