Forgot Active Directory Password Script in .NET
I'm working on a web-based "Forgot Password" page to reset AD passwords, using LDAP. Well, I can unlock the user, but not change the password.
Here is my function :
```vbnet
Imports System.DirectoryServices

' Field holding the bound directory entry (declared here so the snippet compiles)
Private _de As DirectoryEntry

Private Function ChangeLocalUserPassword(ByVal User As String, ByVal Pass As String) As Boolean
    Dim usr As DirectoryEntry
    _de = GetDirectoryEntry()
    If _de Is Nothing Then
        ' couldn't connect or find account
        MsgBox("_de is Nothing")
        Return False
    End If
    Try
        usr = _de.Children.Find("CN=" & User, "User")
    Catch ex As Exception
        MsgBox("User could not be found!")
        Return False
    End Try
    Try
        usr.Invoke("SetPassword", Pass)
        usr.CommitChanges()
        usr.Properties("LockOutTime").Value = 0
        usr.CommitChanges()
    Catch ex As Exception
        MsgBox("Error is " & ex.Message)
        Return False
    End Try
    ' Without an explicit Return the function falls through and returns False
    ' (the Boolean default) even when the reset succeeded.
    Return True
End Function
```
Here is my GetDirectoryEntry Function :
```vbnet
Private Function GetDirectoryEntry() As DirectoryEntry
    Dim dirEntry As DirectoryEntry = New DirectoryEntry()
    dirEntry.Path = "LDAP://<SERVER>/ou=<OU>,dc=<DOMAIN>"
    dirEntry.Username = "<DOMAIN>\Administrator"
    dirEntry.Password = "<PASSWORD>"
    Return dirEntry
End Function
```
A side question - Anyone suggest to me, how I can get around hard coding the Admin user on the page? Would creating an IUSR with a few Admin privileges work?
Any help is appreciated!
Try this, I went through this on a Lightweight Directory services implementation of AD.
Set password for active directory lightweight directory services (ad lds) on .net 2.0
Basically you have to create the entry first then set the password.
To reset the password, PwdLastSet is the key attribute. If the value of PwdLastSet is set to zero then the user must change their password when they log on again (see article).
For your side question :
Create a new user in Active-Directory.
In the target Organizational Unit, or directly on the domain container, you just have to delegate the right of resetting the password to the new user. So your application only manipulates a user and password that is allowed just to reset passwords.
Create a group in AD, create a user, and delegate the password change option to the group, usually done at the OU level. This is how most organizations do this when having a help desk functionality.
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
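The following is an added example, not code from the question or from any of the answers, that puts the two pieces of advice above together: it resets a password with SetPassword, clears lockoutTime, uses pwdLastSet = 0 to force a change at next logon, and binds with a dedicated service account that has only the delegated "Reset password" right on the OU instead of the domain Administrator. It goes slightly beyond the answers by looking the account up by sAMAccountName through a DirectorySearcher and escaping the filter value, so that user-supplied input from the web page cannot alter the LDAP filter. The LDAP path, the service account name and password, and the account/password arguments are placeholders.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Text

Module AdPasswordReset

    ' Placeholders: a service account delegated only "Reset password" and
    ' write access to lockoutTime/pwdLastSet on the target OU, not a domain admin.
    Private Const SvcUser As String = "<DOMAIN>\svc-pwreset"
    Private Const SvcPass As String = "<SERVICE_ACCOUNT_PASSWORD>"
    Private Const OuPath As String = "LDAP://<SERVER>/ou=<OU>,dc=<DOMAIN>"

    ' RFC 4515 escaping for a value embedded in an LDAP search filter.
    Private Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Finds the user by sAMAccountName (logon name) anywhere under the search
    ' root, rather than building "CN=..." from a name the user typed in.
    Private Function FindUser(ByVal root As DirectoryEntry, ByVal samAccountName As String) As DirectoryEntry
        Using searcher As New DirectorySearcher(root)
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" &
                              EscapeFilterValue(samAccountName) & "))"
            searcher.SearchScope = SearchScope.Subtree
            Dim result As SearchResult = searcher.FindOne()
            If result Is Nothing Then Return Nothing
            Return result.GetDirectoryEntry()
        End Using
    End Function

    Public Function ResetPassword(ByVal samAccountName As String,
                                  ByVal newPassword As String,
                                  ByVal mustChangeAtNextLogon As Boolean) As Boolean
        ' Secure + Sealing: authenticated bind with encryption, so neither the
        ' service account credentials nor the new password cross the wire in clear.
        Using root As New DirectoryEntry(OuPath, SvcUser, SvcPass,
                                         AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
            Dim usr As DirectoryEntry = FindUser(root, samAccountName)
            If usr Is Nothing Then Return False
            Using usr
                Try
                    ' SetPassword is an administrative reset: it requires the
                    ' delegated "Reset password" right but not the old password.
                    usr.Invoke("SetPassword", New Object() {newPassword})
                    usr.CommitChanges()

                    ' lockoutTime = 0 unlocks the account;
                    ' pwdLastSet = 0 sets "User must change password at next logon".
                    usr.Properties("lockoutTime").Value = 0
                    If mustChangeAtNextLogon Then usr.Properties("pwdLastSet").Value = 0
                    usr.CommitChanges()
                    Return True
                Catch ex As COMException
                    ' Typical causes: the domain password policy rejected the value,
                    ' or the service account lacks the delegated right on this OU.
                    Console.Error.WriteLine("Password reset failed: " & ex.Message)
                    Return False
                End Try
            End Using
        End Using
    End Function

End Module
```

Because the bind identity can only reset passwords and write those two attributes, a compromise of the web application does not hand over Administrator credentials, and the delegation can be audited and revoked on the OU independently of the application.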