3.3.4.1 ChangePassword

A server processes a ChangePassword request using the Active Directory Web Services: Custom Action Protocol upon receiving a SOAP message that contains the ChangePasswordRequest_Headers header and that specifies the following Uniform Resource Identifier (URI) as the SOAP action:

http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/ChangePassword

This operation is specified by the following WSDL.

 <wsdl:operation name="ChangePassword">
     <wsdl:input
         wsam:Action=
 "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/ChangePassword"
         name="ChangePasswordRequest"
         message="ca:ChangePasswordRequest" />
     <wsdl:output
         wsam:Action=
 "http://schemas.microsoft.com/2008/1/ActiveDirectory/CustomActions/AccountManagement/ChangePasswordResponse"
         name="ChangePasswordResponse"
         message="ca:ChangePasswordResponse" />
     <wsdl:fault
         wsam:Action="http://schemas.microsoft.com/2008/1/ActiveDirectory/Data/fault"
         name="ChangePasswordFault"
         message=
 "ca:AccountManagement_ChangePassword_ChangePasswordFault_FaultMessage" />
 </wsdl:operation>

Upon receiving the ChangePassword request, the server changes the password on the principal contained in the ChangePasswordRequest/AccountDN element (section 3.3.4.1.2.3), specified by the naming context (NC) that is contained in the ChangePasswordRequest/PartitionDN element (section 3.3.4.1.2.6). The current password is contained in the ChangePasswordRequest/OldPassword element (section 3.3.4.1.2.5), and the new password is contained in the ChangePasswordRequest/NewPassword element (section 3.3.4.1.2.4). Upon success, the server MUST return a ChangePasswordResponse message (section 3.3.4.1.1.3) with an empty ChangePasswordResponse element (section 3.3.4.1.2.7).

In the case of AD LDS, the ChangePassword custom action changes the value of the user!userPassword or the inetOrgPerson!userPassword attribute of the given security principal. In the case of AD DS, either the user!unicodePwd or the inetOrgPerson!unicodePwd attribute is changed. See [MS-ADTS] section 3.1.1.3.1.5 and [MS-SAMR] section 3.1.1.7.2 for additional processing considerations that apply.

If an error occurs while processing this operation, the server MUST return the appropriate SOAP fault for the particular error condition, as specified in section 3.3.4.1.8.
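
Because the request body carries both the old and the new password, anything that records these messages (a proxy, a test harness, an audit pipeline) should identify the operation and redact those two elements before writing a log entry. The following is an added example, not part of the specification: it checks the SOAP action URI quoted above, confirms that the four request elements named in this section are present, and returns a log-safe summary. Assumptions: a SOAP 1.2 envelope with a WS-Addressing Action header, elements matched by local name only, and a placeholder `ca` namespace, DNs and passwords in the constructed sample.

```python
import xml.etree.ElementTree as ET

# Action URI quoted from the section above.
ACTION = ("http://schemas.microsoft.com/2008/1/ActiveDirectory/"
          "CustomActions/AccountManagement/ChangePassword")
REQUIRED = ("AccountDN", "PartitionDN", "OldPassword", "NewPassword")
SECRET = {"OldPassword", "NewPassword"}  # never written to logs


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def summarize_change_password(envelope_xml):
    """Return a log-safe dict for a ChangePassword request; raise ValueError if it is not one."""
    if "<!DOCTYPE" in envelope_xml:  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in SOAP message")
    root = ET.fromstring(envelope_xml)
    action = next((e.text or "" for e in root.iter() if local(e.tag) == "Action"), "")
    if action.strip() != ACTION:  # exact match, so the ...Response action is rejected
        raise ValueError("not a ChangePassword action")
    request = next((e for e in root.iter()
                    if local(e.tag) == "ChangePasswordRequest"), None)
    if request is None:
        raise ValueError("missing ChangePasswordRequest element")
    fields = {local(c.tag): (c.text or "") for c in request}
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        raise ValueError("missing elements: " + ", ".join(missing))
    return {n: "[REDACTED]" if n in SECRET else fields[n] for n in REQUIRED}


# Constructed sample: the DNs, passwords and the 'ca' namespace are placeholders.
SAMPLE = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:ca="urn:example:ca">
  <s:Header><a:Action>{ACTION}</a:Action></s:Header>
  <s:Body><ca:ChangePasswordRequest>
    <ca:AccountDN>CN=Test User,OU=Staff,DC=example,DC=com</ca:AccountDN>
    <ca:NewPassword>constructed-new</ca:NewPassword>
    <ca:OldPassword>constructed-old</ca:OldPassword>
    <ca:PartitionDN>DC=example,DC=com</ca:PartitionDN>
  </ca:ChangePasswordRequest></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(summarize_change_password(SAMPLE))
```

The summary keeps the account and partition DNs, which are what an audit trail needs, and never includes either password value.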