2.7.2.4 Change an Existing Account's Password (DC) - Client Application

In this use case, a user whose account is present in an Active Directory domain wants to change the existing password to a new value. The user starts a client application to change the password on the account. The client application establishes a connection to the Active Directory system by connecting to a DC that is not the owner of the PDC FSMO role for the domain. This use case highlights the communication between the DC and the PDC in the domain.

Goal

Change the password on an account to a new value.

Context of use

The user wants to change the password on the user account.

Figure 17: Use case diagram for changing the password of an existing account (DC)

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to change the password, and relays the response to the user.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the user's identity so that the Active Directory system can make access-control decisions.

  • DC

    A domain controller that is not the owner of the PDC FSMO role for the domain. It is the supporting actor that receives the password-change request, performs the tasks that are associated with changing a user's password in the directory, and sends a password update request to the PDC.

  • PDC

    The primary domain controller of the domain. It is the supporting actor that receives the password update request from the DC and updates the user-password details in its directory database. The PDC is the owner of the PDC FSMO role for the domain.

Stakeholders

  • User

    The user initiates the password change on his or her existing account. The user primarily wants to receive information that the password was successfully changed or receive an error message if the password was not changed.

  • Directory

    The directory is the entity that contains the user's existing account.

Preconditions

  • The system-wide preconditions described in section 2.6 are satisfied, and the Active Directory system has completed initialization as described in that section.

  • The client application has connectivity to a DC to which it can establish a connection, if it is not already connected, and send the request.

  • The DC has connectivity to the PDC to which it establishes a secure channel and sends the password update request.

  • The account on which the password is to be changed exists.

Main Success Scenario

  1. Trigger: The user provides the account name of the existing account, the existing password for the account, and the new value for the password to the client application and invokes the operation that changes the password of the account.

  2. The client application establishes a connection to the DC. Windows Authentication Services uses the supplied credentials to authenticate the client application, as described in [MS-AUTHSOD] section 2.

  3. The client application sends a request to the DC to change the password of the given account. This request includes the account name, the current password, and the new password supplied by the user.

  4. An access check is performed on the DC to ensure that the user has the access rights to complete the operation, as described in [MS-ADTS] section 5.1.3.

  5. The DC verifies that the current password that is supplied through the client application matches the account's password that is stored in the directory.

  6. The DC verifies that the new password satisfies the password policy, as described in [MS-SAMR] section 3.1.1.7.1.

  7. The DC updates the password of the existing account with the new value that is supplied in the request. Additional attributes are updated as mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.3 and [MS-SAMR] section 3.1.1.8.7).

  8. The DC establishes a secure channel with the PDC according to the processing rules and constraints specified in [MS-NRPC] sections 3.1.1 and 3.1.4.3 and [MS-ADTS] section 6.1.6.9.2.

  9. The DC sends a password update request to the PDC according to the processing rules and constraints specified in [MS-SAMS] section 3.3.5.4.

  10. The PDC sends a response to the DC indicating that the password has been successfully updated.

  11. The DC sends a response to the client application that the password has been successfully updated.
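The scenario above, driven from the client side with the RSAT ActiveDirectory module, as an added example that is not part of the MS-ADOD text: it deliberately submits the change to a DC that is not the PDC FSMO owner, then reads the account back from both that DC and the PDC. The account name is a placeholder, the script assumes a domain-joined machine with the ActiveDirectory module, and the closing comparison on pwdLastSet is the author's assumption about how to observe the forwarded update, not something the overview specifies.

```powershell
# Added example, not code from MS-ADOD. Assumes the RSAT ActiveDirectory module
# on a domain-joined machine; 'testuser01' is a placeholder account name.
Import-Module ActiveDirectory

$sam = 'testuser01'                                   # placeholder account
$old = Read-Host 'Current password' -AsSecureString   # step 1: existing password
$new = Read-Host 'New password'     -AsSecureString   # step 1: new value

# Pick the PDC FSMO owner and any other DC, so the request goes through a non-PDC DC.
$pdc = (Get-ADDomain).PDCEmulator
$dc  = Get-ADDomainController -Filter * |
       Where-Object { $_.HostName -ne $pdc } |
       Select-Object -First 1 -ExpandProperty HostName
if (-not $dc) { throw 'Only the PDC was found; this scenario needs a second DC.' }

$before = (Get-Date).ToUniversalTime()

# Steps 2-3: connect to the non-PDC DC and submit the change. Supplying -OldPassword
# makes this a password *change* (subject to the current-password check in step 5
# and the policy check in step 6), not an administrative reset.
try {
    Set-ADAccountPassword -Identity $sam -Server $dc `
        -OldPassword $old -NewPassword $new -ErrorAction Stop
    Write-Host "Password change accepted by $dc"
} catch {
    # A rejection here corresponds to step 5 (current password mismatch)
    # or step 6 (new password fails policy); the account is left unchanged.
    Write-Error "Password change rejected by ${dc}: $($_.Exception.Message)"
    return
}

# Steps 8-10: the DC forwards the update to the PDC over the secure channel, so
# the PDC should already reflect the change without waiting for normal replication.
# Assumption: pwdLastSet on the PDC is a usable indicator of that forwarded update.
$onDc  = (Get-ADUser -Identity $sam -Properties pwdLastSet -Server $dc).pwdLastSet
$onPdc = (Get-ADUser -Identity $sam -Properties pwdLastSet -Server $pdc).pwdLastSet

[PSCustomObject]@{
    DC               = $dc
    pwdLastSetOnDC   = [DateTime]::FromFileTimeUtc($onDc)
    PDC              = $pdc
    pwdLastSetOnPDC  = [DateTime]::FromFileTimeUtc($onPdc)
    PdcHasNewChange  = ([DateTime]::FromFileTimeUtc($onPdc) -ge $before.AddMinutes(-5))
}
```

If PdcHasNewChange is false while the DC accepted the change, the DC-to-PDC forwarding in steps 8 through 10 (secure channel, [MS-NRPC]/[MS-SAMS]) is the part of the scenario to investigate, not the client-to-DC leg.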

Postconditions

The account's password is changed at the DC, and it is also updated for the PDC FSMO role owner of the domain.