3.4.5.2.7 Calling NetrServerPasswordSet
The client MUST do the following:
Have a secure channel established with a DC in the domain identified by domain-name and pass its name as the PrimaryName parameter.
Pass the encrypted new password:
Compute the NTOWFv1 ([MS-NLMP] section 3.3.1) of the new password.
Encrypt ([MS-SAMR] section 2.2.11.1.1) the result of step 1 using the Session-Key for the secure channel as the specified key.
Pass the result of step 2 as the UasNewPassword parameter.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.
On receiving STATUS_ACCESS_DENIED, the client SHOULD<103> re-establish the secure channel with the domain controller.