but making all users Domain Admins would really simplify your overall management - you would never have to worry about security again and wouldn't have to set up all those useless and complex delegated admin permissions either :-)

P.S.: the minimal permission required to set instead of change a PW is "Reset Password". It often makes sense to combine this with granting "Write lockoutTime" and "Write pwdLastSet" if you want to grant the rights to a helpdesk admin who would reset the PW in place of the user, so that he can also unlock the account and set the "User must change PW at next logon" flag.

If you have some service that would perform the task of resetting the PW for a user, then you only need to grant it "Reset Password"; however, you have to add your own control mechanism so that user A can't simply reset the password for user B by entering user B's name into the PW reset app... This is where other apps that perform the same task have an extra database to query some other "secret" of the user, such as favorite author etc. Often these secrets are stored encrypted in an SQL DB - but AD could serve as the store just as well (also in encrypted format).

/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: Thursday, 1 December 2005 16:42
To: '[email protected]'
Subject: RE: [ActiveDir] password changer

#1:
    Set objUser = GetObject("WinNT://<NetBios Domain Name>/" & txtUserID.Text & ",user")
    objUser.ChangePassword txtOldPass.Text, txtPassword1.Text

That is some code I pulled from an app to do a password change. There is a lot of error control within that app that checks to make sure the password has been entered twice and is the same, that when it is attempted to be set, if it encounters an error it displays the constraints for complex passwords, etc. But, the long and short of it is the above code can do the work as long as it has the right info in the variable fields. In this case, I am using the sAMAccountName as pulled from the txtUserID.Text field, which asks the user to enter their login ID.

If anyone knows how to query a password against complexity requirements, I'd like to know how. I just look for the password set error and put up a general box of why the password may fail.

#2: From MSDN (http://msdn.microsoft.com/library/default.asp?url=):

You should modify your application to use a call to ChangePassword() rather than SetPassword(). The latter must run in the context of a domain administrator, because it does not require the current password to make a change. The former takes the current password and the new password as parameters and is able to verify that the user requesting the change has the right to make it.

So, allowing the user to change their password without knowing what it is would only be insecure if you made all of your users Domain Admins! :-0

JD

From: Tom Kern [mailto:[EMAIL PROTECTED]

I'm trying to write a password changer in VBScript for end users and I have 2 questions:
1. All the examples I've seen, you have to enter the full DN. Is there a way for the user to just enter their cn or sAMAccountName and change their password in the domain?
2. Is there a way to script a password changer that doesn't require a user to know their old password? I know this is really insecure but I'm just curious.
Thanks
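As an added example that is not part of the thread: the two paths Guido and JD describe, written in PowerShell against the same ADSI interfaces as the VBScript above. The self-service path uses ChangePassword in the user's own context; the helpdesk path uses SetPassword together with the lockoutTime and pwdLastSet writes, resolves a sAMAccountName without a full DN, and escapes the typed-in name so it cannot alter the LDAP filter. The domain, account and password values are placeholders, and the host is assumed to be a domain member.

```powershell
# Added example, not code from the thread. Assumes a domain-joined Windows host;
# domain, account and password values are placeholders.

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping: a name typed into a reset tool must not be able to rewrite the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-AdUserEntry([string]$SamAccountName) {
    # Resolves a sAMAccountName to its LDAP object, so callers never need the full DN (Tom's question 1).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account named '$SamAccountName'" }
    $result.GetDirectoryEntry()
}

function Set-SelfServicePassword([string]$NetbiosDomain, [string]$SamAccountName,
                                 [string]$OldPassword, [string]$NewPassword) {
    # Same WinNT path and ChangePassword call as the VBScript in the thread: the DC verifies
    # the old password, so this runs in the end user's own security context with no delegation.
    $user = [ADSI]"WinNT://$NetbiosDomain/$SamAccountName,user"
    $user.ChangePassword($OldPassword, $NewPassword)
}

function Reset-HelpdeskPassword([string]$SamAccountName, [string]$NewPassword) {
    # Needs the delegated rights Guido lists: "Reset Password" plus "Write lockoutTime" and
    # "Write pwdLastSet". SetPassword never sees the old password, so the caller's identity and
    # the tool's own authorisation check are all that keeps user A from resetting user B.
    $user = Get-AdUserEntry $SamAccountName
    $user.psbase.Invoke('SetPassword', $NewPassword)
    $user.psbase.Properties['lockoutTime'].Value = 0   # unlock the account if it is locked out
    $user.psbase.Properties['pwdLastSet'].Value = 0    # "User must change password at next logon"
    $user.psbase.CommitChanges()
}

# Placeholder invocations (uncomment on a domain member with the appropriate rights):
# Set-SelfServicePassword -NetbiosDomain 'EXAMPLE' -SamAccountName 'jdoe' -OldPassword $old -NewPassword $new
# Reset-HelpdeskPassword -SamAccountName 'jdoe' -NewPassword $new
```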