Fix win_user issue with disabled accounts/expired passwords

Disabled and password-expired accounts cannot call ValidatePassword successfully

fixed #4369
nitzmahone 2016-09-11 20:41:54 -07:00 committed by Matt Clay
parent ad707c2724
commit 915b59a6d5


@ -137,8 +137,16 @@ If ($state -eq 'present') {
[void][system.reflection.assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement') [void][system.reflection.assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')
$host_name = [System.Net.Dns]::GetHostName() $host_name = [System.Net.Dns]::GetHostName()
$pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Machine', $host_name $pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Machine', $host_name
# ValidateCredentials fails if PasswordExpired == 1
If (!$pc.ValidateCredentials($username, $password)) { # ValidateCredentials will fail if either of these are true- just force update...
If($user_obj.AccountDisabled -or $user_obj.PasswordExpired) {
$password_match = $false
}
Else {
$password_match = $pc.ValidateCredentials($username, $password)
}
If (-not $password_match) {
$user_obj.SetPassword($password) $user_obj.SetPassword($password)
$result.changed = $true $result.changed = $true
} }
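Review bot: In the new `If($user_obj.AccountDisabled -or $user_obj.PasswordExpired)` branch `$password_match` is forced to `$false`, so for any disabled or password-expired account `SetPassword` runs and `$result.changed = $true` is reported on every run, even when the stored password already equals `$password`. That loses idempotency and, assuming password resets are audited on the host, produces a reset event per run, which can bury a genuine unauthorized reset in the noise. If this trade-off is intended, say so at the branch, e.g. `# Current password cannot be verified for disabled/expired accounts; it is reset (and 'changed' reported) on every run`. The enclosing `If ($state -eq 'present')` block starts and ends outside the hunk, so whether a later step re-applies the expired flag is not visible here.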