Fix deleted AD users from SharePoint

This is a small PowerShell script that fixes issues with removed SharePoint users. You may encounter problems if you remove an AD user and later re-create it with the same AD login name. In such cases this script might help with the resulting SharePoint issues. If it does not help, try removing the user profile, run a full user profile synchronization and then run the script again.


# Site collection to process (the author's example URL; replace with your own)
$sites = Get-SPSite http://portal.spdev.com

foreach ($site in $sites) {
    $groups = $site.RootWeb.SiteGroups
    foreach ($group in $groups) {
        foreach ($user in $group.Users) {
            # Skip All Authenticated Users, General groups
            if ($user.UserLogin -eq "c:0(.s|true" -or $user.UserLogin -eq "c:0!.s|windows") {
                continue
            }
            if ($user.IsDomainGroup) {
                # Skip Security Groups
            }
            else {
                # Get user login: "i:0#.w|DOMAIN\account" splits into the domain part and the account name
                $splitline = $user.UserLogin.Split("\")
                $samid = $splitline[1]
                # Both strings below are placeholders to replace; note that Contains() is case-sensitive
                if ($user.UserLogin.Contains("AD domain name"))
                {
                    if ($user.UserLogin.Contains("part of your login name")) {
                        Write-Host "user Found" $user.UserLogin
                        # Remove the stale entry from the group and from the site collection's user list
                        $group.RemoveUser($user)
                        $site.RootWeb.SiteUsers.Remove($user.UserLogin)
                    }
                    else {
                        Write-Host $user.UserLogin
                    }
                }
            }
        }
    }
}

How to change SharePoint AD group names after the group name has changed in Active Directory

This is simple really: the code goes through each site collection, identifies groups coming from AD, retrieves the same group from Active Directory using the SID value and updates the SharePoint group name based on the value in Active Directory.

param (
    [string]$SPSiteFilter = "Your application URL",
    [string]$SPADLoginNamePrefix = "c:0+.w|",
    [bool]$UseSAMAccountName = $true
)

if ((Get-PSSnapin 'Microsoft.SharePoint.PowerShell' -ErrorAction SilentlyContinue) -eq $null) { Add-PSSnapin 'Microsoft.SharePoint.PowerShell' }

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host "ActiveDirectory Module exists"
} else {
    Write-Host "ActiveDirectory Module does not exist. This Script requires this module. Please check that the module is installed."
    Write-Host "To install the module through PowerShell you can use the following command:"
    Write-Host "Add-WindowsFeature RSAT-AD-PowerShell"
    return
}

Import-Module ActiveDirectory
$spWebApp = Get-SPWebApplication $SPSiteFilter
foreach ($site in $spWebApp.Sites)
{
    Write-Host "Site: $($site.Url)"
    # Notice that the SPADLoginNamePrefix ("c:0+.w|" is the claim prefix for Windows security groups)
    # is used both to identify an AD group and, once stripped off, to obtain the group's SID
    $site.RootWeb.SiteUsers | Where-Object { $_.IsDomainGroup -and $_.UserLogin.ToString().Contains($SPADLoginNamePrefix) } | ForEach-Object {

        $dispNameSplit = $_.UserLogin.ToString().Replace($SPADLoginNamePrefix, "")

        # Get the group from AD by its SID to retrieve the correct name
        $adAccount = Get-ADGroup -Identity $dispNameSplit

        $newSPAccountDisplayName = ""
        # Modify the SharePoint account DisplayName and Name based on the AD SamAccountName OR the Name
        if ($UseSAMAccountName -eq $true)
        { $newSPAccountDisplayName = $adAccount.SamAccountName }
        else
        { $newSPAccountDisplayName = $adAccount.Name }

        if ($_.DisplayName -ne $newSPAccountDisplayName -or $_.Name -ne $newSPAccountDisplayName)
        {
            Write-Host "Changed SharePoint AD Group: $($_.DisplayName) to: $($newSPAccountDisplayName)"
            $_.DisplayName = $newSPAccountDisplayName
            $_.Name = $newSPAccountDisplayName
            $_.Update()
        } else
        {
            Write-Host "SharePoint AD Group name: $($_.DisplayName) is the same as in AD : $($newSPAccountDisplayName)"
        }
        $adAccount = $null
    }
    $site.Dispose()
}

C# .NET Getting Windows Directory File Permissions programmatically

Hi,


A while back I needed to do security trimming on files in a Windows file system based on the search results returned by SharePoint search. Since in SharePoint 2010 the search indexer does not take file system rights into consideration, there was a need to do security trimming based on what privileges you have in Active Directory and what you are granted on the file itself.

Since there were a lot of moving parts and it was hard to find out which classes and functions were needed to actually do this specific task, I finally found a source that gave a great sample of how to do this:

http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/

Unfortunately the source above no longer exists, for whatever reason. So for those who might need similar functionality in code, here is the sample code from the link above and the classes you need.

In the code below, call the following static function to check whether the user has certain privileges:

FileSystemRights rights = FileSystemEffectiveRights.GetRights(username, filelocation);

Then call the following function to test the returned rights against what you want the user to have in the file system:
bool canReadExecute = rights.HasRights(FileSystemRights.ReadAndExecute);


Classes and enumerations needed for this functionality (there are many moving parts here, and you may have to work with Active Directory and the file system to test this code):

FileSystemRights Enumeration
FileSystemAccessRule Class
AccessControlType Enumeration
AuthorizationRuleCollection Class
SecurityIdentifier Class
FileInfo Class
PrincipalContext Class
UserPrincipal Class
PrincipalSearcher Class
WindowsIdentity Class


Sample code – http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/ :

using System;
using System.IO;
using System.Linq;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;

public static class FileSystemRightsEx
{
    // True when every bit of testRights is present in rights (subset test)
    public static bool HasRights(this FileSystemRights rights, FileSystemRights testRights)
    {
        return (rights & testRights) == testRights;
    }
}

public static class FileSystemEffectiveRights
{
    public static FileSystemRights GetRights(string userName, string path)
    {
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentException("UserName not defined!");
        }

        //if (!Directory.Exists(path) && !File.Exists(path))
        //{
        //    throw new ArgumentException(string.Format("path: {0}", path));
        //}

        return GetEffectiveRights(userName, path);
    }

    private static FileSystemRights GetEffectiveRights(string userName, string path)
    {
        FileSystemAccessRule[] accessRules = GetAccessRulesArray(userName, path);
        FileSystemRights denyRights = 0;
        FileSystemRights allowRights = 0;

        // union all allow bits and all deny bits that apply to the user's SIDs
        for (int index = 0, total = accessRules.Length; index < total; index++)
        {
            FileSystemAccessRule rule = accessRules[index];

            if (rule.AccessControlType == AccessControlType.Deny)
            {
                denyRights |= rule.FileSystemRights;
            }
            else
            {
                allowRights |= rule.FileSystemRights;
            }
        }

        // deny wins: strip every denied bit from the allowed set
        // (equivalent to allowRights & ~denyRights)
        return (allowRights | denyRights) ^ denyRights;
    }

    private static FileSystemAccessRule[] GetAccessRulesArray(string userName, string path)
    {
        // get all access rules for the path - this works for a directory path as well as a file path
        AuthorizationRuleCollection authorizationRules = (new FileInfo(path)).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

        // get the user's sids
        string[] sids = GetSecurityIdentifierArray(userName);

        // get the access rules filtered by the user's sids
        return (from rule in authorizationRules.Cast<FileSystemAccessRule>()
                where sids.Contains(rule.IdentityReference.Value)
                select rule).ToArray();
    }

    private static string[] GetSecurityIdentifierArray(string userName)
    {
        // connect to the domain
        PrincipalContext pc = new PrincipalContext(ContextType.Domain);

        // search for the domain user
        UserPrincipal user = new UserPrincipal(pc) { SamAccountName = userName };
        PrincipalSearcher searcher = new PrincipalSearcher { QueryFilter = user };
        user = searcher.FindOne() as UserPrincipal;

        if (user == null)
        {
            throw new ApplicationException(string.Format("Invalid User Name: {0}", userName));
        }

        // use WindowsIdentity to get the user's groups (the UPN constructor performs a
        // Kerberos S4U logon, so the caller must be able to reach the domain)
        WindowsIdentity windowsIdentity = new WindowsIdentity(user.UserPrincipalName);
        string[] sids = new string[windowsIdentity.Groups.Count + 1];

        // slot 0 holds the user's own SID, the group SIDs follow
        sids[0] = windowsIdentity.User.Value;

        // offset by one so no group is skipped and every slot is filled
        for (int index = 0, total = windowsIdentity.Groups.Count; index < total; index++)
        {
            sids[index + 1] = windowsIdentity.Groups[index].Value;
        }

        return sids;
    }
}
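The folding rule in GetEffectiveRights (deny bits stripped from the union of allow bits) is easiest to see without a domain or a real file. The following is an added example, not code from the original post or from the conarc.com source: it builds an in-memory FileSecurity with constructed SIDs for a user and two groups, runs the same allow/deny folding over the rules that apply to that user's SIDs, and tests the result with the subset check. The SID values, group roles and rights are all constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the original post): the allow/deny folding used above,
// fed with an in-memory ACL and constructed SIDs so the deny-wins rule can be
// observed without a domain.
public static class EffectiveRightsDemo
{
    // Constructed SIDs for the demo: one user and two groups. These are made-up
    // identifiers in the well-known S-1-5-21 domain format, not from any real directory.
    static readonly SecurityIdentifier UserSid =
        new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1001");
    static readonly SecurityIdentifier EditorsSid =
        new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-2001");
    static readonly SecurityIdentifier ContractorsSid =
        new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-2002");
    static readonly SecurityIdentifier EveryoneSid =
        new SecurityIdentifier(WellKnownSidType.WorldSid, null);

    // Same folding as GetEffectiveRights above, restricted to the rules whose
    // IdentityReference is one of the SIDs the user's token would carry.
    public static FileSystemRights Fold(AuthorizationRuleCollection rules, ISet<string> tokenSids)
    {
        FileSystemRights allow = 0, deny = 0;
        foreach (FileSystemAccessRule rule in rules.Cast<FileSystemAccessRule>())
        {
            if (!tokenSids.Contains(rule.IdentityReference.Value))
                continue; // rule is for a principal this user does not hold

            if (rule.AccessControlType == AccessControlType.Deny)
                deny |= rule.FileSystemRights;
            else
                allow |= rule.FileSystemRights;
        }
        return allow & ~deny; // identical to (allow | deny) ^ deny
    }

    // Subset test, same as the HasRights extension method above
    public static bool Has(FileSystemRights rights, FileSystemRights test)
    {
        return (rights & test) == test;
    }

    public static void Main()
    {
        // Constructed ACL: Editors may Modify, Contractors are denied Write,
        // Everyone may ReadAndExecute. AddAccessRule merges and orders the ACEs.
        var acl = new FileSecurity();
        acl.AddAccessRule(new FileSystemAccessRule(EditorsSid, FileSystemRights.Modify, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(ContractorsSid, FileSystemRights.Write, AccessControlType.Deny));
        acl.AddAccessRule(new FileSystemAccessRule(EveryoneSid, FileSystemRights.ReadAndExecute, AccessControlType.Allow));

        AuthorizationRuleCollection rules = acl.GetAccessRules(true, true, typeof(SecurityIdentifier));

        // Token of a user who is a member of both Editors and Contractors
        var token = new HashSet<string> { UserSid.Value, EditorsSid.Value, ContractorsSid.Value, EveryoneSid.Value };

        FileSystemRights effective = Fold(rules, token);
        Console.WriteLine("Effective rights: " + effective);
        Console.WriteLine("ReadAndExecute : " + Has(effective, FileSystemRights.ReadAndExecute));
        Console.WriteLine("Write          : " + Has(effective, FileSystemRights.Write));
        Console.WriteLine("Modify         : " + Has(effective, FileSystemRights.Modify));

        // Same user without the Contractors membership: the deny no longer applies
        token.Remove(ContractorsSid.Value);
        Console.WriteLine("Modify without Contractors: " + Has(Fold(rules, token), FileSystemRights.Modify));
    }
}
```

With this ACL the user holds Modify through Editors, but the Write bit is denied through Contractors, so the Modify check fails while ReadAndExecute still passes; dropping Contractors from the token makes Modify pass again. Note what this folding does not model: ACE order and inheritance, the owner's implicit rights, and the Synchronize bit that .NET adds to Allow rules. When the answer has to be authoritative rather than a search-trimming approximation, the Authz API (AuthzAccessCheck) evaluates the DACL the same way the kernel does.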

Good to Know: Windows Server 2012 – Part 4

Hi, this is part four of my resources for Windows Server 2012 (and older versions too):

Add-DnsServerDirectoryPartition http://technet.microsoft.com/en-us/library/jj649942(v=wps.620).aspx
Add-DnsServerPrimaryZone http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx
Adding a Reverse Lookup Zone http://technet.microsoft.com/en-us/library/cc961414.aspx
Add-PswaAuthorizationRule http://technet.microsoft.com/en-us/library/jj592890(v=wps.620).aspx
Add-VMRemoteFx3dVideoAdapter http://technet.microsoft.com/en-us/library/hh848520(v=wps.620).aspx
Authorize a DHCP server in Active Directory http://technet.microsoft.com/en-us/library/cc759688(v=ws.10).aspx
Block Inheritance http://technet.microsoft.com/en-us/library/cc731076.aspx
Configure a Server Core Server with Sconfig.cmd http://technet.microsoft.com/en-us/library/jj647766.aspx
Configure Memory and Processors http://technet.microsoft.com/en-us/library/cc742470.aspx
Delegate Control of an Organizational Unit http://technet.microsoft.com/en-us/library/cc732524.aspx
Deploy Clustered Storage Spaces http://technet.microsoft.com/en-us/library/jj822937.aspx 
Deploying a GlobalNames Zone http://technet.microsoft.com/en-us/library/cc731744.aspx
Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide http://technet.microsoft.com/en-us/library/ff817586(v=ws.10).aspx
Deploying Network Load Balancing (NLB) and Virtual Machines on Windows Server 2008 R2 http://blogs.msdn.com/b/clustering/archive/2010/07/01/10033544.aspx
Deployment Image Servicing and Management Command-Line Options http://technet.microsoft.com/en-us/library/dd744382(v=ws.10).aspx
Dsadd http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx
Enable-VMRemoteFXPhysicalVideoAdapter http://technet.microsoft.com/en-us/library/hh848506(v=wps.620).aspx
Enforce a Group Policy Object Link http://technet.microsoft.com/en-us/library/cc753909.aspx
Evaluation Versions and Upgrade Options for Windows Server 2012 http://technet.microsoft.com/en-us/library/jj574204.aspx
Get-DnsServerDiagnostics http://technet.microsoft.com/en-us/library/jj649883(v=wps.620).aspx
Grant a Member the Right to Logon Locally http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
How to remove data in Active Directory after an unsuccessful domain controller demotion http://support.microsoft.com/kb/216498
How User Account Control Works http://technet.microsoft.com/en-us/library/jj574202.aspx
Hyper-V Dynamic Memory Configuration Guide http://technet.microsoft.com/en-us/library/ff817651(v=ws.10).aspx
Hyper-V Virtual Switch Explained, Part 2 http://www.altaro.com/hyper-v/hyper-v-virtual-switch-explained-part-2/ 
Hyper-V Virtual Switch Overview http://technet.microsoft.com/en-us/library/hh831823.aspx
ImageX Command-Line Options http://technet.microsoft.com/en-us/library/cc749447(v=ws.10).aspx
Install-PswaWebApplication http://technet.microsoft.com/en-us/library/jj592894(v=wps.620).aspx
Install-RemoteAccess http://technet.microsoft.com/en-us/library/hh918408(v=wps.620).aspx
Internet Protocol Version 6 Address Space http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
Link a Group Policy Object http://technet.microsoft.com/en-us/library/cc732979.aspx
Loopback processing with merge or replace http://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx
Manage Multiple, Remote Servers with Server Manager http://technet.microsoft.com/en-us/library/hh831456.aspx
Managing a Server Core installation: Overview http://technet.microsoft.com/en-us/library/ee441255(v=ws.10).aspx
Migrate Print and Document Services to Windows Server 2012 http://technet.microsoft.com/en-us/library/jj134150.aspx
Operations master roles http://technet.microsoft.com/en-us/library/cc773108(v=ws.10).aspx
Print and Document Services Overview http://technet.microsoft.com/en-us/library/hh831468.aspx
Remote Desktop Gateway Manager http://technet.microsoft.com/en-us/library/cc725706.aspx
Remove-ADComputer http://technet.microsoft.com/en-us/library/ee617250.aspx
Remove-WindowsFeature http://technet.microsoft.com/en-us/library/ee662310.aspx
Sc config http://technet.microsoft.com/en-us/library/cc990290(v=ws.10).aspx
Security Tools to Administer Windows Server 2012 http://technet.microsoft.com/en-us/library/jj730960.aspx
Set up recovery actions to take place when a service fails http://technet.microsoft.com/en-us/library/cc738230(v=ws.10).aspx
Set-BCAuthentication http://technet.microsoft.com/en-us/library/hh848404(v=wps.620).aspx
Set-DnsServer http://technet.microsoft.com/en-us/library/jj649845(v=wps.620).aspx
Set-DnsServerDsSetting http://technet.microsoft.com/en-us/library/jj649874.aspx
Set-DnsServerForwarder http://technet.microsoft.com/en-us/library/jj649887(v=wps.620).aspx
Set-DnsServerSetting http://technet.microsoft.com/en-us/library/jj649909.aspx
Set-GPPermissions http://technet.microsoft.com/en-us/library/ee461038.aspx
Set-WSManInstance http://technet.microsoft.com/en-us/library/hh849875.aspx
Set-WSManQuickConfig http://technet.microsoft.com/en-us/library/hh849867.aspx
Storage Pools… Dive right in! http://blogs.technet.com/b/canitpro/archive/2012/12/13/storage-pools-dive-right-in.aspx
Switching Between the GUI and Server Core in Windows Server 2012 http://www.petri.co.il/switching-gui-server-core-windows-server-2012.htm
Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012 http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx
Updating root hints http://technet.microsoft.com/en-us/library/cc758353(v=ws.10).aspx
Using System Configuration (msconfig) http://windows.microsoft.com/en-us/windows-vista/using-system-configuration
Using the Set-Service Cmdlet http://technet.microsoft.com/en-us/library/ee176963.aspx
Verifying Your Basic DNS Configuration http://technet.microsoft.com/en-us/library/cc959303.aspx
What’s New in Hyper-V for Windows Server 2012 http://technet.microsoft.com/en-us/library/hh831410.aspx
Windows and GPT FAQ http://msdn.microsoft.com/en-us/library/windows/hardware/gg463525.aspx

Good to Know: Windows Server 2012 – Part 3

Here are my newest sources of knowledge on Windows Server 2012 administration:

Access-based Enumeration http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx
Active Directory Service Interfaces http://msdn.microsoft.com/en-us/library/windows/desktop/aa772170%28v=vs.85%29.aspx
Active Directory-Integrated DNS Zones http://technet.microsoft.com/en-us/library/cc731204(v=ws.10).aspx
AD DS Installation and Removal Wizard Page Descriptions http://technet.microsoft.com/en-us/library/hh831457.aspx
Add-Computer http://technet.microsoft.com/en-us/library/hh849798.aspx
Adding Disks to the Storage Pool http://technet.microsoft.com/en-us/library/ff399688.aspx
Add-NetLbfoTeamNic http://technet.microsoft.com/en-us/library/jj130850(v=wps.620).aspx
Add-NetSwitchTeamMember http://technet.microsoft.com/en-us/library/jj553811(v=wps.620).aspx 
Add-WindowsFeature http://technet.microsoft.com/en-us/library/ee662309.aspx 
Add-WindowsPackage http://technet.microsoft.com/en-us/library/hh852164.aspx
Add-VMNetworkAdapter http://technet.microsoft.com/en-us/library/hh848564(v=wps.620).aspx
Configure Memory and Processors http://technet.microsoft.com/en-us/library/cc742470.aspx
Configuring Pass-through Disks in Hyper-V http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
Configuring the Minimal Server Interface http://blogs.technet.com/b/server_core/archive/2012/05/09/configuring-the-minimal-server-interface.aspx
Create a Rule for Packaged Apps http://technet.microsoft.com/en-us/library/hh994588.aspx
Create a Spanned Volume http://technet.microsoft.com/en-us/library/cc772180.aspx
Dcdiag http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx
Delegate Control of an Organizational Unit http://technet.microsoft.com/en-us/library/cc732524.aspx
Desktop Experience Overview http://technet.microsoft.com/en-us/library/cc772567.aspx
DHCP Scopes http://technet.microsoft.com/en-us/library/cc726954(v=ws.10).aspx
DHCP Tools and Options http://technet.microsoft.com/en-us/library/dd145324(v=ws.10).aspx
DHCP: The server should be configured to send its default gateway to all clients http://technet.microsoft.com/en-us/library/ee941211(v=ws.10).aspx
Djoin http://technet.microsoft.com/en-us/library/ff793312(v=ws.10).aspx
Dsadd http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx
Dsquery http://technet.microsoft.com/en-us/library/cc732952(v=ws.10).aspx 
Enable and Configure MAC Address Filtering http://technet.microsoft.com/en-us/magazine/ff521761.aspx
Features Removed or Deprecated in Windows Server 2012 http://technet.microsoft.com/en-us/library/hh831568.aspx
FSMO placement and optimization on Active Directory domain controllers http://support.microsoft.com/kb/223346
Group scope http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Group types http://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx
How manage Published (a.k.a Metro) Apps in Windows 8 using Group Policy http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows-8-using-group-policy/
How to configure a connection to a virtual private network (VPN) in Windows XP http://support.microsoft.com/kb/314076/en-us
How to create and delete hidden or administrative shares on client computers http://support.microsoft.com/kb/314984
How to create the Central Store for Group Policy Administrative Template files in Windows Vista http://support.microsoft.com/kb/929841
How To Remove the Root Zone (Dot Zone) http://support.microsoft.com/kb/298148
How to View Printer Objects in Active Directory http://support.microsoft.com/kb/235925
Hyper-V Virtual Fibre Channel Overview http://technet.microsoft.com/en-us/library/hh831413.aspx
Install a New Windows Server 2012 Active Directory Forest http://technet.microsoft.com/en-us/library/jj574166.aspx
Installing AD DS by using Server Manager http://technet.microsoft.com/en-us/library/hh472162.aspx#BKMK_GUI
Installing Windows Server 2012 http://technet.microsoft.com/en-us/library/jj134246.aspx
Local Users and Groups Extension http://technet.microsoft.com/en-us/library/cc731972.aspx
Managed-By attribute http://msdn.microsoft.com/en-us/library/windows/desktop/ms676857(v=vs.85).aspx
Net services commands http://technet.microsoft.com/en-us/library/bb490949.aspx
Netsh Technical Reference http://technet.microsoft.com/en-us/library/cc725935(v=ws.10).aspx
New-ADComputer http://technet.microsoft.com/en-us/library/ee617245.aspx
New-NetSwitchTeam http://technet.microsoft.com/en-us/library/jj553814.aspx
NIC Teaming Overview http://technet.microsoft.com/en-us/library/hh831648.aspx
Redircmp http://technet.microsoft.com/en-us/library/cc770619(v=ws.10).aspx
Remote Management with Server Manager http://technet.microsoft.com/en-us/library/dd759202.aspx
Remove-NetLbfoTeam http://technet.microsoft.com/en-us/library/jj130848(v=wps.620).aspx
Restricted Groups http://technet.microsoft.com/en-us/library/cc957640.aspx
Securing DNS zones http://technet.microsoft.com/en-us/library/cc755193.aspx
Set-NetAdapter http://technet.microsoft.com/en-us/library/jj130875(v=wps.620).aspx
Storage Spaces Overview http://social.technet.microsoft.com/wiki/contents/articles/15198.storage-spaces-overview.aspx
To rename the Administrator account using the Group Policy Management Console http://technet.microsoft.com/en-us/library/cc747484(v=ws.10).aspx
Understanding AppLocker Rules http://technet.microsoft.com/en-us/library/dd759068.aspx
Using WinRS http://technet.microsoft.com/en-us/library/dd163506.aspx
Verifying Your Basic DNS Configuration http://technet.microsoft.com/en-us/library/cc959303.aspx
What’s New in Hyper-V for Windows Server 2012 http://technet.microsoft.com/en-us/library/hh831410.aspx
Which ports do you need to open on a firewall to allow PPTP and L2TP over IPSec VPN tunnels? http://www.windowsitpro.com/article/pptp/which-ports-do-you-need-to-open-on-a-firewall-to-allow-pptp-and-l2tp-over-ipsec-vpn-tunnels–46811
Viewing advanced settings in Active Directory Users and Computers http://searchwindowsserver.techtarget.com/tip/Viewing-advanced-settings-in-Active-Directory-Users-and-Computers
Windows PowerShell 3.0 and Server Manager Quick Reference Guides http://www.microsoft.com/en-us/download/details.aspx?id=30002
Windows Server 2008 R2 and Windows Server 2008 http://technet.microsoft.com/en-us/library/dd349801(v=ws.10).aspx
Windows Server Installation Options http://technet.microsoft.com/en-us/library/hh831786(v=ws.11).aspx
Work with Software Restriction Policies Rules http://technet.microsoft.com/en-us/library/hh994597.aspx#BKMK_Cert_Rules

SharePoint Forms Based Authentication against Active Directory with password change

Hi,

In this post I am going to guide you through the steps necessary to set up FBA against AD with the possibility to change your password. I will not write step-by-step instructions, but based on what I had to fight and solve I will post the best ways I know to do these steps:

1. The first step is to configure your existing web application (or create a new one) to support claims authentication and to follow the steps to configure AD support for forms authentication.

Configure forms-based authentication for a claims-based web application in SharePoint 2013:
http://technet.microsoft.com/en-us/library/ee806890.aspx

Migrate from classic-mode to claims-based authentication in SharePoint 2013:
http://technet.microsoft.com/en-us/library/gg251985.aspx

Also for SQL Server Authentication if needed:

http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

http://msdn.microsoft.com/en-us/library/gg252020(v=office.14).aspx

2. The second step is to create a custom sign-in page to apply custom logic in the authentication phase, such as changing a user's password:

A few examples how to do it:

https://www.nothingbutsharepoint.com/sites/devwiki/articles/pages/sharepoint-custom-sign-in-and-sign-out-page-.aspx

http://blogs.technet.com/b/speschka/archive/2010/07/22/writing-a-custom-forms-login-page-for-sharepoint-2010-part-2.aspx

http://tomaszrabinski.pl/wordpress/2011/06/23/sharepoint-2010-custom-login-page/

http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx

http://www.mssharepointtips.com/tip.asp?id=1093&page=2

3. The third step is to create the custom code to change the user password:

What you need to do:

An Active Directory user with delegated privileges to the OU or CN where the authenticated users reside. This user must have the privileges to reset and change passwords.

http://www.petri.co.il/delegate-permission-reset-ad-user-account-passwords.htm

http://support.microsoft.com/kb/296999

Make use of the Secure Store Service in SP2010 to store the AD account and other information securely. Notice: when the Secure Store Service is accessed from the sign-in page, the user accessing it is the anonymous user, so you need to use the SPSecurity.RunWithElevatedPrivileges delegate.

http://social.technet.microsoft.com/wiki/contents/articles/20110.sharepoint-retrieving-credentials-from-the-secure-store-application-using-c.aspx

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx

Implement the custom .NET code that changes the password under impersonation so that it has access to AD (notice that the user running the code is anonymous):

http://msdn.microsoft.com/en-us/library/w070t6ka%28v=vs.110%29.aspx

http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#1

http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry(v=vs.110).aspx

NOTICE: I had problems using another set of .NET classes and functions to perform the password change through code; problems with authorization against AD:

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.authenticableprincipal.setpassword(v=vs.110).aspx

4. Bonus: How to get rid of the Mixed authentication selection page for internal users of the web application.

When you access a SharePoint application that has both Forms and Windows authentication enabled, SharePoint asks the user to select which authentication to use. This is not necessarily what you want internal users to see; most probably the required behaviour is that internal users log in normally, as if it were an intranet website.

The code below is meant for internal users who are not accessing the site through the forms sign-in page. What you need to do is create a custom HttpModule and, in the handler code below, identify which page you are on and based on that redirect the user directly to the front page of the website without asking which authentication method to use. Sample code (not the best but does the trick 🙂 ):

// CacheKey_LoginStatus and page_PreInit are members of the surrounding HttpModule that are not shown here
static void context_PreRequestHandlerExecute(object sender, EventArgs e)
{
    HttpApplication httpApp = sender as HttpApplication;
    HttpContext context = httpApp.Context;
    string httpUrl = context.Request.Url.ToString().ToLower();
    var page = HttpContext.Current.CurrentHandler as Page;
    string previousPageUrl = context.Cache[CacheKey_LoginStatus] as String;

    // App setting holding the Windows authentication page of the web application. This is a SharePoint
    // specific sample value (modify for your environment):
    // http://localhost:46752/_windows/default.aspx?ReturnUrl=/_layouts/Authenticate.aspx?Source=/_windows/default.aspx&Source=/_windows/default.aspx
    String intranetURL = System.Configuration.ConfigurationManager.AppSettings["authentication page in sharepoint app setting value"] ?? null;

    Uri httpUrlURI = new Uri(httpUrl);
    String localhostCalculated = httpUrlURI.AbsoluteUri.Replace(httpUrlURI.PathAndQuery, String.Empty);

    try
    {
        if (context.Request != null && String.IsNullOrEmpty(intranetURL) == false)
        {
            // "Sign in as a different user" and sign-out both set a marker cookie so the user
            // is not sent straight back into Windows authentication
            if (httpUrl.Contains("/_layouts/closeconnection.aspx?loginasanotheruser=true"))
            {
                context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, "true"));
            }

            if (httpUrl.Contains("/_layouts/signout.aspx"))
            {
                context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, "true"));
            }

            bool isSignOut = false;
            Boolean.TryParse(context.Response.Cookies[CacheKey_LoginStatus].Value, out isSignOut);

            if (isSignOut)
            {
                context.Response.Cookies.Remove(CacheKey_LoginStatus);
                // App setting with the page to send signed-out users to; this can be any page you want
                context.Response.Redirect(ConfigurationManager.AppSettings["redirect page to somewhere else than the application app settings value"]);
            }
            else if (httpUrl.Contains(localhostCalculated + "/_login/default.aspx"))
            {
                // Skip the authentication selection page and go straight to Windows authentication
                context.Response.Redirect(intranetURL);
            }
        }
    }
    catch (Exception Ex)
    {
        // Swallowed in this sample; Response.Redirect also ends the request by throwing
    }

    if (page == null) return;

    page.PreInit += page_PreInit;
}

Or you could do something like the following link, where the decision is IP based:

http://spautomaticsignin.codeplex.com/

Possible problem areas – Good to know:

Office documents:

Authentication requests when you open Office documents:
http://support.microsoft.com/kb/2019105
How documents are opened from a Web site in Office 2003:
http://support.microsoft.com/kb/838028

For Juniper VPNs:

[SSL VPN] Known Issues and limitations when accessing Microsoft SharePoint 2003 / 2007 / 2010 resources via the Web Rewrite Access mechanism:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11501

[SSL VPN] Supported features and functionality of SharePoint 2010 when accessed via Secure Access SSL VPN’s Web/Rewrite access method:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20085

Changing Active Directory user passwords in a .NET Web Application

Here are some tips on how to allow your web application to change Active Directory passwords. There are several ways, all similar but slightly different; this is one of them, together with what you need to take into consideration.

Here I will concentrate on the code logic and the configuration steps you need to take.

These are the steps you need to take:

1. Create a web form for your password reset

2. Create an account with just enough privileges to set or reset user passwords

3. Impersonate this account and set or reset the new password under this password "admin" account

And a small code sample of how to change a password:

using System.DirectoryServices.AccountManagement;

// Bind to the domain as the delegated "password admin" account from step 2.
// Keep these credentials out of source: read them from configuration or the
// Secure Store Service rather than hard-coding them.
using (var context = new PrincipalContext(ContextType.Domain, "domain", "username", "password"))
{
    using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "username whose password to change"))
    {
        // SetPassword resets the password and needs the "Reset password" right on the user object
        user.SetPassword("newpassword");

        // or: ChangePassword requires the current password and is authorised by it
        //user.ChangePassword("oldPassword", "newpassword");

        user.Save();
    }
}
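For step 3 here, and for the password change code in the FBA post above, the following is an added example and not code from either post. It uses ChangePassword rather than SetPassword, so the directory verifies the user's current password and applies the domain password policy, and the change is authorised by that current password rather than by a delegated Reset Password right; it also maps the exceptions AccountManagement throws onto a small result type so the web form can show a generic message and log the detail server-side. The domain name, bind account and all passwords are placeholders passed in by the caller.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the original posts. Self-service password change
// backed by ChangePassword: the domain controller checks the current password
// and the password policy, so the bind account does not need "Reset password"
// delegated for this path. Every name and password is supplied by the caller.
public static class SelfServicePasswordChange
{
    public enum Outcome
    {
        Changed,        // password changed and saved
        UserNotFound,   // no such account in the domain
        Rejected,       // wrong current password or policy violation (PasswordException)
        DirectoryError  // domain controller unreachable or other directory failure
    }

    // domain:                 DNS name of the domain (placeholder, e.g. "corp.example.test")
    // bindUser/bindPassword:  account the web application binds with; read these from
    //                         configuration or the Secure Store Service, never from source
    // samAccountName, currentPassword, newPassword: entered by the user on the form
    // log:                    server-side logger for the detail that must not reach the user
    public static Outcome Change(string domain, string bindUser, string bindPassword,
                                 string samAccountName, string currentPassword, string newPassword,
                                 Action<string> log)
    {
        if (string.IsNullOrEmpty(samAccountName) ||
            string.IsNullOrEmpty(currentPassword) ||
            string.IsNullOrEmpty(newPassword))
        {
            throw new ArgumentException("account name, current password and new password are required");
        }

        try
        {
            using (var context = new PrincipalContext(ContextType.Domain, domain, bindUser, bindPassword))
            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                {
                    return Outcome.UserNotFound;
                }

                // Unlike SetPassword, ChangePassword fails unless currentPassword is correct
                // and newPassword satisfies the history, complexity and minimum-age policy.
                user.ChangePassword(currentPassword, newPassword);
                user.Save();
                return Outcome.Changed;
            }
        }
        catch (PasswordException ex)
        {
            // Covers both a wrong current password and a policy rejection. Keep the detail
            // in the server log; the form should only say the change was rejected, so the
            // response does not reveal which part was wrong.
            log("password change rejected for " + samAccountName + ": " + ex.Message);
            return Outcome.Rejected;
        }
        catch (PrincipalServerDownException ex)
        {
            log("domain controller unreachable: " + ex.Message);
            return Outcome.DirectoryError;
        }
        catch (PrincipalOperationException ex)
        {
            log("directory operation failed: " + ex.Message);
            return Outcome.DirectoryError;
        }
    }
}
```

The web form calls Change with the values it collected and switches on the Outcome; only Changed and UserNotFound need distinct messages, and even UserNotFound is better folded into the generic rejection text on a public sign-in page. SetPassword remains the right call for an administrator-driven reset, where no current password exists to verify, and that is the case that actually needs the delegated account from step 2.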