Yep, that's exactly how it's done. As for an app that does this via web, there's one included with IIS called IISADMPWD that has all kinds of information available to you. As for having problems with the changing of a password, you might have a look at the error code returned to see if there's any information you can use to adjust.

If you really want to be clever, you can write some code around the input box on your web page that checks for the complexity requirements. This is not automagic, but rather manually set in the code. There are lots of examples on the web for doing just this using a variety of languages, regular expressions, etc. They typically enforce the complexity before submitting the request to the DC. This is nice, but is not very useful when targeting password history. For that you'd want to trap the error code returned and see if you can do something with it that way.

Al

P.S. One note to consider: if possible, get away from using the WINNT provider. Eventually, it won't be useful to you and would cause you to have to rewrite your code anyway.

On 12/16/05, Steve Rochford <[EMAIL PROTECTED]> wrote:
> Picking up on point 2 - if you run this via a web interface then you can use the setpassword approach (because it's not the user who's changing the password but the web application and that can be given admin credentials)
>
> Steve
>
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
> Sent: 01 December 2005 15:42
> To: '[email protected]'
> Subject: RE: [ActiveDir] password changer
>
> #1:
>
> Set objUser = GetObject("WinNT://<NetBios Domain Name>/" & txtUserID.Text & ",user")
> objUser.ChangePassword txtOldPass.Text, txtPassword1.Text
>
> That is some code I pulled from an app to do a password change. There is a lot of error control within that app that checks to make sure the password has been entered twice and is the same, that when it is attempted to be set, if it encounters an error it displays the constraints for complex passwords, etc. But, the long and short of it is the above code can do the work as long as it has the right info in the variable fields. In this case, I am using the sAMAccountName as pulled from txtUserID.Text field which asks the user to enter their login ID.
>
> If anyone knows how to query a password against complexity requirements, I'd like to know how. I just look for the password set error and put up a general box of why password may fail.
>
> #2: From MSDN...http://msdn.microsoft.com/library/default.asp?url=/library/en-us/spptsdk/html/spsintroFAQ_SV01162303.asp
>
> You should modify your application to use a call to ChangePassword() rather than SetPassword(). The latter must run in the context of a domain administrator, because it does not require the current password to make a change. The former takes the current password and the new password as parameters and is able to verify that the user requesting the change has the right to make it.
>
> So, allowing the user to change their password without knowing what it is would only be insecure if you made all of your users Domain Admins! :-0
>
> JD
>
> ________________________________
> From: Tom Kern [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 01, 2005 8:35 AM
> To: activedirectory
> Subject: [ActiveDir] password changer
>
> I'm trying to write a password changer in VBScript for endusers and I have 2 questions-
>
> 1. All the examples I've seen, you have to enter the full DN. Is there a way for the user to just enter their cn or sAMAccountName and change their password in the domain?
>
> 2. Is there a way to script a password changer that doesn't require a user to know their old password? I know this is really insecure but I'm just curious.
>
> Thanks
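A pre-submit complexity check of the kind described in the reply at the top of this thread, as an added example that is not part of the original messages. It follows the documented rules of the Windows "Password must meet complexity requirements" policy; `MIN_LENGTH`, the function name and the sample account are assumptions. Password history cannot be checked this way, so the error returned by the DC still has to be trapped.

```javascript
// Added example: advisory client-side check run before the change request
// is submitted. The DC remains the authority (history, lockout, real policy).
const MIN_LENGTH = 7; // assumption: read the real value from your domain policy

// The five character categories of the Windows complexity policy.
const CATEGORIES = [
  /\p{Lu}/u,                                   // uppercase letters
  /\p{Ll}/u,                                   // lowercase letters
  /[0-9]/,                                     // base-10 digits
  /[~!@#$%^&*_\-+=`|\\(){}\[\]:;"'<>,.?\/]/,   // listed special characters
  /\p{Lo}/u,                                   // other alphabetic characters
];

// Returns a list of human-readable problems; an empty list means "submit it".
function checkComplexity(password, samAccountName, displayName) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`shorter than ${MIN_LENGTH} characters`);
  }
  const present = CATEGORIES.filter((re) => re.test(password)).length;
  if (present < 3) {
    problems.push("uses fewer than 3 of the 5 character categories");
  }
  const lower = password.toLowerCase();
  // The whole sAMAccountName is compared, and only if it has 3+ characters.
  if (samAccountName.length >= 3 &&
      lower.includes(samAccountName.toLowerCase())) {
    problems.push("contains the account name");
  }
  // The display name is split on delimiters; tokens under 3 chars are ignored.
  const tokens = displayName.split(/[,.\-_ #\t]+/).filter((t) => t.length >= 3);
  for (const token of tokens) {
    if (lower.includes(token.toLowerCase())) {
      problems.push(`contains the name part "${token}"`);
    }
  }
  return problems;
}

// Constructed sample account, not taken from the thread.
console.log(checkComplexity("jdoe2005!", "jdoe", "Jane Doe"));
console.log(checkComplexity("Tr4ffic-Cone", "jdoe", "Jane Doe"));
```
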
