The original Password Change functionality used HTRs, and there was a buffer overflow vulnerability in the ISAPI Extension that handled HTRs (ism.dll). There's a download on the MS Downloads page that substitutes ASP pages:
http://support.microsoft.com/?id=331834
Change password functionality replaced with Active Server Pages

Cheers
Ken

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 27 August 2005 5:08 PM
: To: ActiveDir@mail.activedir.org
: Subject: FW: [Fwd: RE: [ActiveDir] Password policy change]
:
: From a "shy" lurker MVP....
:
: It appears it is something you can enable. It isn't strictly part of OWA but
: the old IIS Password change tool. I recall there being issues with that tool
: and that is why they stopped enabling it by default but can't recall what
: they were this late at night or this early in the morning whatever it may
: be. ;o)
:
: Thanks for the assist Mom. :)
:
: -----Original Message-----
: Sent: Saturday, August 27, 2005 2:24 AM
: To: [EMAIL PROTECTED]
: Subject: [Fwd: RE: [ActiveDir] Password policy change]
:
: http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
:
: -------- Original Message --------
: Subject: RE: [ActiveDir] Password policy change
: Date: Sat, 27 Aug 2005 02:16:14 -0400
: From: joe <[EMAIL PROTECTED]>
: Reply-To: ActiveDir@mail.activedir.org
: To: <ActiveDir@mail.activedir.org>
:
: Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
: Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
: password is expired (forced or otherwise) you aren't getting into OWA. I
: also don't believe it has a password change function if you just want to go
: and change it, but that could be something that could be enabled.
: Alternatively you set up another web page to do it.
:
: As for the OP's original issue. It all comes down to implementation. You told
: the system to not allow people to change the password if the password age
: was less than one day and then were confused when it did exactly that.
: The reason for it is that there is one attribute for password age, pwdLastSet,
: and it doesn't distinguish between a helpdesk set operation or a normal
: password change, they are both password changes and you only want one day
: between every change. The proper way to handle that case is to force the
: users to change their password on next logon (which sets the pwdLastSet to
: 0), but as you know, that will kill OWA users. So you either need another
: process to follow for OWA only users, install some third party or custom
: inhouse tool, or drop the minimum password aging.
:
: joe
:
: -----Original Message-----
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
: Sent: Saturday, August 27, 2005 12:09 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Password policy change
:
: You're right Aaron, I didn't know what it meant!
:
: I am not an outlook sort of person (we use Notes...), but the inferred
: statement surprises me. It suggests that if the "must change password" is
: set, you can't logon to Outlook Web Access.
:
: This would suggest that forcing users to change password after (say) 28 days
: is also a no-no.
:
: And, it would also suggest that Outlook Web Access won't let you change your
: password. If it did, it would surely allow you to logon, then require you to
: change the password before you do anything..
:
: This all seems unlikely, given Microsoft's recommended use of forcing
: password changes on a regular basis and forcing users to change a password
: when a new user is created.
:
: If it is all true, maybe you have to provide some way that the users can go
: to a Citrix portal and change their password there, then go back and use
: Outlook Web Access.
:
: Alan Cuthbertson
:
: Policy Management Software:-
: http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
: ADM Template Editor:-
: http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
: Policy Log Reporter(Free)
: http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
:
: ----- Original Message -----
: From: "Aaron Visser" <[EMAIL PROTECTED]>
: To: <ActiveDir@mail.activedir.org>
: Sent: Saturday, August 27, 2005 8:59 AM
: Subject: Re: [ActiveDir] Password policy change
:
: Nevermind OWA = Outlook Web Access
:
: On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote:
:
: >
: > I mean, if I use the check box to "user must change password at next logon"
: > our users whose only way into the domain is OWA will not prompt them to change
: > their password... Unless I am missing something.
: >
: > Thanks
: >
: > -----Original Message-----
: > From: [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
: > Sent: Friday, August 26, 2005 3:19 PM
: > To: ActiveDir@mail.activedir.org
: > Subject: Re: [ActiveDir] Password policy change
: >
: > Johnny,
: >
: > We do exactly what you suggest, change the password and set the "user
: > must change password at next logon" and they are able to change it,
: > even within the "password cannot be changed period".
: >
: > What do you mean by "that would effectively lock out the OWA only users"?
: >
: > Alan Cuthbertson

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
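
The pwdLastSet behaviour discussed in the thread above, as an added example that is not part of the original messages: it classifies accounts as "must change at next logon" (pwdLastSet = 0), "blocked by minimum password age", or "can change". The function name `Get-PasswordChangeState` and the three sample accounts are hypothetical; the records are constructed so the script runs without a domain.

```powershell
# Added example. Constructed sample data; in a live domain the same fields come from
#   Get-ADUser -Filter * -Properties pwdLastSet
#   (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
$now       = [DateTime]::UtcNow
$minPwdAge = [TimeSpan]::FromDays(1)   # the one-day minimum password age from the thread

$users = @(
    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 has a special meaning.
    [pscustomobject]@{ SamAccountName = 'owa.only';   pwdLastSet = [long]0 }
    [pscustomobject]@{ SamAccountName = 'just.reset'; pwdLastSet = $now.AddHours(-3).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'old.pwd';    pwdLastSet = $now.AddDays(-20).ToFileTimeUtc() }
)

function Get-PasswordChangeState {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [TimeSpan] $MinPasswordAge,
        [DateTime] $Now = [DateTime]::UtcNow
    )
    if ($User.pwdLastSet -eq 0) {
        # "User must change password at next logon" writes pwdLastSet = 0.
        # Per the thread, OWA-only users cannot log on while in this state.
        $state       = 'MustChangeAtNextLogon'
        $lastSet     = $null
        $canChangeAt = $null
    }
    else {
        # A helpdesk reset and a user-initiated change both update pwdLastSet,
        # so the minimum age applies to either one.
        $lastSet     = [DateTime]::FromFileTimeUtc($User.pwdLastSet)
        $canChangeAt = $lastSet + $MinPasswordAge
        $state       = if ($Now -lt $canChangeAt) { 'BlockedByMinimumAge' } else { 'CanChange' }
    }
    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        State          = $state
        LastSetUtc     = $lastSet
        CanChangeAtUtc = $canChangeAt
    }
}

# Expected states: owa.only = MustChangeAtNextLogon, just.reset = BlockedByMinimumAge,
# old.pwd = CanChange.
$users |
    ForEach-Object { Get-PasswordChangeState -User $_ -MinPasswordAge $minPwdAge -Now $now } |
    Format-Table -AutoSize
```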