3.4.5.2.6 Calling NetrServerPasswordSet2
The client MUST do the following:
Have a secure channel that is established with a domain controller in the domain that is identified by domain-name and pass its name as the PrimaryName parameter.
Encrypt<100> the ClearNewPassword parameter using the negotiated encryption algorithm (determined by bits C, O, or W, respectively, in the NegotiateFlags member of the ServerSessionInfo table entry for PrimaryName) and the session key established as the encryption key.
Pass a valid client Netlogon authenticator as the Authenticator parameter.
The ClearNewPassword parameter is constructed as follows, assuming a WCHAR-represented password of length X bytes.
If the password is for an interdomain account:
The password is copied into the Buffer field of ClearNewPassword, which is treated as an array of bytes, starting at byte offset (512 - X).
An NL_PASSWORD_VERSION structure as specified in section 2.2.1.3.8, is prepared. The PasswordVersionNumber field of the structure is set to the value of the TrustPasswordVersion variable corresponding to the password being set. The first trust password generated has TrustPasswordVersion equal to one. Each time a new trust password is generated, its TrustPasswordVersion is computed by adding one to the value of TrustPasswordVersion of the previous password. The NL_PASSWORD_VERSION structure is copied into ClearNewPassword.Buffer starting at byte offset (512 - X - size of (NL_PASSWORD_VERSION)).
The first (512 - X) - size of (NL_PASSWORD_VERSION) bytes of ClearNewPassword.Buffer are filled with randomly generated data.
ClearNewPassword.Length is set to X.
For any other type of account:<101>
The password is copied into the Buffer field of ClearNewPassword, which is treated as an array of bytes, starting at byte offset (512 - X).
The first (512 - X) bytes are filled with randomly generated data.
ClearNewPassword.Length is set to X.
After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.
On receiving STATUS_ACCESS_DENIED, the client SHOULD<102> re-establish the secure channel with the domain controller.