Change the Active Directory User Password Through SharePoint

July 12, 2011

Give the user control to manage their password through SharePoint.

When you want to use form based authentication for SharePoint authentication, one of the requirements could be that users can change their passwords from within SharePoint. Because this functionality is not OOTB available, you will need to create a custom web part or application page for it. Check what best matches your project requirements. The code behind it will be the same, and this is what will be covered in this blog post.

The assembly that will be used for changing the password is the following: System.DirectoryServices.AccountManagement.

When working with claims-based authentication (which is standard when form based authentication is configured), it is useful to add the following reference: Microsoft.SharePoint.Administration.Claims. This class can be used to encode and decode claims-based usernames.


The first thing you will do in your code, is retrieving the current logged on users its username. When working with claims-based authentication your usernames will look something like this: i:0#.f|admembership|user. Before you can search the corresponding user in your Active Directory environment, you will need to decode the claim prefix from the username. This can be done with the DecodeClaim method from the Microsoft.SharePoint.Administration.Claims class.

When you retrieved the username without the claims prefix, the corresponding Active Directory user can be searched. This can be done by the following code:

The only thing that is left, is to write the code for the password change.

To whole block looks like this:

As you can see there is not much code to be written so that the user can change their password.

When you are going to execute this code, it could give you the following error: Exception thrown by a target of invocation. To solve this error, you will need to give the application pool account delegate control permissions to change the user its password. The best way is setting these permissions to a particular Active Directory Organizational Unit.