System.UnauthorizedAccessException calling UserPri

Posted 2020-06-28 06:10

Question:

when I run this code

PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
                                            adHost,
                                            adRoot,
                                            ContextOptions.SimpleBind,
                                            adUsername,
                                            adPassword);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username);
user.SetPassword(password);
user.Save();

I get this exception

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: One or more input parameters are invalid

The code is running from a command line using "runas /user: (domainadminuser is also a local admin). The context is created using the same credentials (domainadminuser). I've checked that all usernames, passwords etc. are populated correctly. Is it something to do with the way I am creating the PrincipalContext?

I'm completely stuck. Does anyone have any ideas?

Thanks

[UPDATE] Here's the code I used to get it working. I think maybe the ValidateCredentials was the thing that kicked it into life (possibly).

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, parameters["adHost"] );
ctx.ValidateCredentials(parameters["adUsername"], parameters["adPassword"], ContextOptions.SimpleBind);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username);
user.SetPassword(password);
user.Save();

Answer 1:

Below is the code that works fine for a password request management system we developed in-house. Do try it and let me know:

PrincipalContext context = new PrincipalContext( ContextType.Domain, null, adAdminLogin, adAdminPassword );
UserPrincipal user = UserPrincipal.FindByIdentity( context, adUserLogin );
user.SetPassword( adUserNewPassword );


Answer 2:

As far as Active Directory is concerned, with the standard LDAP protocol a simple bind without SSL does not allow changing any password. Clearly, here you are using classes that can communicate with your server using a non-standard protocol, but your SimpleBind context option can switch to standard LDAP. Have a look at @CodeCanvas's code.



Answer 3:

When the Context is created, make sure to set the ContextOptions to ContextOptions.Negotiate. If you have mentioned ContextOptions.SimpleBind, SetPassword may not work.

PrincipalContext oPrincipalContext = 
   new PrincipalContext (ContextType.Domain, "Name", "DefaultOU(if required)", 
   ContextOptions.Negotiate, "Service Account(if required)", 
   "Service password");
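
An added example (not code from the question or from any of the answers) of the point made in answers 2 and 3: a hypothetical `IsProtected` guard rejects a simple bind without SSL before any credentials are sent, and the reset then runs over a Negotiate bind with signing and sealing. The class and method names are assumptions; the parameter names follow the question's code.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class AdPasswordReset
{
    // Hypothetical guard: true only if the bind options encrypt the channel,
    // so neither the bind credentials nor the new password cross the wire in clear.
    public static bool IsProtected(ContextOptions o)
    {
        bool tls = o.HasFlag(ContextOptions.SecureSocketLayer);
        bool simple = o.HasFlag(ContextOptions.SimpleBind);
        bool sealedNegotiate = o.HasFlag(ContextOptions.Negotiate)
                            && o.HasFlag(ContextOptions.Sealing);
        // A simple bind sends the password as-is, so it must be wrapped in SSL.
        return simple ? tls : (tls || sealedNegotiate);
    }

    public static void Reset(string adHost, string adRoot, string adUsername,
                             string adPassword, string username, string newPassword,
                             ContextOptions options)
    {
        if (!IsProtected(options))
            throw new ArgumentException("Bind options leave the channel unencrypted: " + options);

        using (var ctx = new PrincipalContext(ContextType.Domain, adHost, adRoot,
                                              options, adUsername, adPassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
        {
            // FindByIdentity returns null when nothing matches; fail clearly
            // instead of with a NullReferenceException on SetPassword.
            if (user == null)
                throw new InvalidOperationException("No such account: " + username);
            user.SetPassword(newPassword);
            user.Save();
        }
    }

    static void Main()
    {
        // Runs without a domain: only the guard is exercised here.
        var fromQuestion = ContextOptions.SimpleBind;
        var hardened = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
        var simpleOverSsl = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;
        foreach (var o in new[] { fromQuestion, hardened, simpleOverSsl })
            Console.WriteLine("{0,-40} protected: {1}", o, IsProtected(o));
    }
}
```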