This documentation is archived and is not being maintained.

ActiveDirectoryMembershipProvider.ChangePasswordQuestionAndAnswer Method

Updates the password question and answer for a user in the Active Directory store.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

[DirectoryServicesPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
[DirectoryServicesPermissionAttribute(SecurityAction.InheritanceDemand, Unrestricted = true)]
[DirectoryServicesPermissionAttribute(SecurityAction.Assert, Unrestricted = true)]
public override bool ChangePasswordQuestionAndAnswer(
	string username,
	string password,
	string newPasswordQuestion,
	string newPasswordAnswer
)

Parameters

username
Type: System.String
The user to change the password question and answer for.

password
Type: System.String
The password for the specified user.

newPasswordQuestion
Type: System.String
The new password question for the specified user.

newPasswordAnswer
Type: System.String
The new password answer for the specified user.

Return Value

Type: System.Boolean
true if the update was successful; otherwise, false. A value of false is also returned if the password is incorrect, the user is locked out, or the user does not exist in the Active Directory data store.

Exceptions

The administrator has not mapped the password question-and-answer fields to attributes of the Active Directory schema.


username is empty, or exceeds the maximum length for the user name (usually 256 characters).

- or -

username contains commas.

- or -

The user name is mapped to the userPrincipalName attribute and the username parameter contains backslashes.

- or -

password is a zero-length string.

- or -

password exceeds the maximum password length (usually 128 characters).

- or -

newPasswordQuestion is empty and the RequiresQuestionAndAnswer property value is true.

- or -

newPasswordQuestion exceeds 256 characters.

- or -

newPasswordAnswer exceeds 128 characters after the answer is encrypted.


username is null.

- or -

password is null.

- or -

newPasswordQuestion is null and RequiresQuestionAndAnswer property is true.

- or -

newPasswordAnswer is null and RequiresQuestionAndAnswer property is true.


The machineKey Element (ASP.NET Settings Schema) configuration element indicates an auto-generated machine encryption key. You must explicitly set the decryptionKey attribute of the machineKey Element (ASP.NET Settings Schema) element to store password answers with the ActiveDirectoryMembershipProvider.


The ChangePasswordQuestionAndAnswer method is called before the ActiveDirectoryMembershipProvider instance is initialized.

Remarks

The method is called by the ActiveDirectoryMembershipUser class to update the password question and answer for a user in the Active Directory membership store.

Requiring a password question and answer provides an additional layer of security when resetting a user's password. When creating a user name, a user can supply a question and answer that can later be used to reset a forgotten password. The ChangePasswordQuestionAndAnswer method updates the password question and answer for a membership user to new values.

In order to use the ChangePasswordQuestionAndAnswer method, you must set these additional attributes in your application's configuration file:

  • requiresQuestionAndAnswer must be true.

  • attributeMapPasswordQuestion and attributeMapPasswordAnswer must be mapped to attributes in the Active Directory schema.

If the above criteria are not met, a ProviderException is thrown at initialization.

The ActiveDirectoryMembershipProvider instance connects to the Active Directory data store with the credentials provided in the username and password parameters to validate the user name/password combination. The actual update of the question and answer is performed with the configured connection credentials of the provider.

If an incorrect password is supplied to the ChangePasswordQuestionAndAnswer method, the directory server will increment the counters that track invalid password attempts. This can result in the user being locked and unable to log on until either the lock status is cleared by a call to the UnlockUser method or the locked duration specified in the directory passes.

If the update to the question and answer succeeds and the EnablePasswordReset property is true, the user's bad password answer tracking counters are reset.

The password answer is encrypted using the EncryptPassword method before it is stored in the Active Directory data store. The encryption key and algorithm are specified by the machineKey Element (ASP.NET Settings Schema) configuration element. The decryption attribute on the machineKey Element (ASP.NET Settings Schema) element must be specified explicitly; the ActiveDirectoryMembershipProvider class does not support auto-generated encryption keys.

The maximum length for the password question is 256 characters. The maximum length for the password answer is 128 characters.

Leading and trailing spaces are trimmed from all parameter values except for password.

The provider finds the user instance to update by performing a subtree search for the user name starting at the search point specified in the connection string. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.
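A defensive wrapper around this method, as an added example that is not part of the original documentation. It assumes an ASP.NET application whose web.config registers an ActiveDirectoryMembershipProvider under the hypothetical name "AdProvider" with requiresQuestionAndAnswer="true", both attributeMapPasswordQuestion and attributeMapPasswordAnswer mapped, and an explicit machineKey decryptionKey; the wrapper pre-checks the documented argument limits and the lockout state before the directory is contacted, and maps the bare true/false result to an outcome the caller can act on.

```csharp
using System;
using System.Configuration.Provider;
using System.Web.Security;

// Added example, not code from the original page. Assumes web.config registers an
// ActiveDirectoryMembershipProvider under the hypothetical name "AdProvider" with
// requiresQuestionAndAnswer="true", the attributeMapPasswordQuestion and
// attributeMapPasswordAnswer mappings, and an explicit machineKey decryptionKey.
public static class PasswordQuestionUpdater
{
    // Distinguishes input problems from a failed credential check, since the
    // method itself only returns true or false.
    public enum Outcome { Updated, Rejected, InvalidInput, LockedOut, NotConfigured }

    public static Outcome Update(string username, string password,
                                 string newQuestion, string newAnswer)
    {
        var provider = Membership.Providers["AdProvider"] as ActiveDirectoryMembershipProvider;
        if (provider == null)
            return Outcome.NotConfigured;

        // Pre-check the documented argument limits so a malformed request never
        // reaches the directory. The answer check is on the plain text only; the
        // provider enforces its 128-character limit on the encrypted answer.
        if (string.IsNullOrEmpty(username) || username.Length > 256 || username.Contains(","))
            return Outcome.InvalidInput;
        if (string.IsNullOrEmpty(password) || password.Length > 128)
            return Outcome.InvalidInput;
        if (string.IsNullOrWhiteSpace(newQuestion) || newQuestion.Trim().Length > 256)
            return Outcome.InvalidInput;
        if (string.IsNullOrWhiteSpace(newAnswer) || newAnswer.Trim().Length > 128)
            return Outcome.InvalidInput;

        // A wrong password increments the directory's bad-password counters, so
        // do not spend an attempt on an account that is already locked out.
        MembershipUser user = provider.GetUser(username, false);
        if (user != null && user.IsLockedOut)
            return Outcome.LockedOut;

        try
        {
            bool ok = provider.ChangePasswordQuestionAndAnswer(username, password, newQuestion, newAnswer);
            // false covers a wrong password, a locked-out user or an unknown user;
            // the provider does not say which, and the caller should not reveal it.
            return ok ? Outcome.Updated : Outcome.Rejected;
        }
        catch (ArgumentException) { return Outcome.InvalidInput; }   // includes ArgumentNullException
        catch (ProviderException) { return Outcome.NotConfigured; } // e.g. auto-generated machineKey
    }
}
```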

Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.