Self service password reset web page

    Question

  • How can I create a self-service password reset/unlock web page for Active Directory that asks the user 1 or 2 questions, such as what is your zip/post code and telephone number, and then, if they get it right, resets or unlocks the password?  Ideally the answers to the questions should come out of AD itself, hence the zip/postcode and phone number question.


    Thank you to anyone that can help with this

    Monday, July 26, 2010 6:19 PM

Answers

  • Save as ASP (or ASPX) page not html.

    For ASP pages you need to convert all the CreateObject and GetObject commands to Server.CreateObject and Server.GetObject....like so.

    'Get the username of the logged on user
    Set objNetwork = Server.CreateObject("WScript.Network")

    You may also need to remove this section...not sure.
    <HTA:APPLICATION
    APPLICATIONNAME="Reset Password"
    ID="ResetPassword"
    VERSION="1.0"/>

    http://technet.microsoft.com/en-us/library/ee176567.aspx

    HTML applications (HTA) require no special coding; you can create an HTA simply by changing the .asp file extension of a Web page to .hta. However, by adding the <HTA:Application> tag to the Web page code, you can gain additional control over how the HTA will be displayed on the screen and which elements of the user interface will be available. To configure any of these elements, include the <HTA:Application> tag and the appropriate elements within the Web page <HEAD> tag.

    • Marked as answer by Demon Knight Friday, August 06, 2010 7:49 AM
    Wednesday, July 28, 2010 3:32 PM

All replies

  • IISADMPWD does this already and has been around since Windows 2000...and it's free.  The 2003/IIS6 version should work with 2008 AD, or you can try the workaround to get it to work directly on IIS7.

    http://www.comm-fu.com/iisadmpwd-on-server-2008-x64-and-iis7-change

    http://networkadminkb.com/kb/Knowledge%20Base/IIS/How%20to%20configure%20IISADMPWD%20in%20Windows%202003.aspx

    Adding the 1 or 2 questions such as what is your zip/post code/telephone number etc. could be done fairly easily.  If the data already exists in AD, then you just query AD for that information...using the ASP code in IISADMPWD as examples.  If the data is not available in AD then you need to store it in a SQL or Access database and write code to query that as well....not to mention have the users populate that information as well.

    Monday, July 26, 2010 7:24 PM
  • Thanks, I had already looked at that solution, but what we need is something that asks them questions, as in many cases they have forgotten the password.

    Tuesday, July 27, 2010 7:43 AM
  • This is an "AS IS" script and you are responsible for all maintenance and outcomes of this script and its actions.

    This HTA will present the user with two questions: what is your Zip code and telephone number. Then it will query AD for the logged in user and attempt to match the zip code and phone number stored in AD. If this works the user is presented with a password reset box and a button; after they push the button their password will be reset in AD.

    You can find a copy of this script here as well.

    <html>
    <head>
    <title>Reset Password</title>
    <HTA:APPLICATION
     APPLICATIONNAME="Reset Password"
     ID="ResetPassword"
     VERSION="1.0"/>
    </head>
    
    <script language="VBScript">
    Dim strDN
    Sub Window_OnLoad
    	Window.ResizeTo 500,300
    End Sub
    Sub start
    	Dim strPhone
    	strPhone = txtArea.value & "-" & txtPrefix.Value & "-" & txtExtension.Value
    	If Validate(txtZipCode.Value, "\d{5}") Then
    		If Validate(strPhone, "\d{3}\-\d{3}\-\d{4}") Then
    			AD_Query strPhone,txtZipCode.Value
    		Else
    			Window.Alert "Please enter a valid phone number."
    			txtArea.value = ""
    			txtPrefix.Value = ""
    			txtExtension.Value = ""
    		End If
    	Else
    		Window.Alert "Please enter a five digit zipcode."
    		txtZipCode.Value = ""
    	End If
    End Sub
    
    Sub AD_Query(sPhone,sZip)
    	Dim objNetwork, objConnection, objCommand, objRootDSE, objResult, strUserName, strDNSDomain, strFilter, strQuery
    	' Get the username of the logged on user
    	Set objNetwork = CreateObject("WScript.Network")
    	strUserName = objNetwork.UserName
    	' Use ADO to search Active Directory.
    	Set objConnection = CreateObject("ADODB.Connection")
    	Set objCommand = CreateObject("ADODB.Command")
    	objConnection.Provider = "ADsDSOOBject"
    	objConnection.Open "Active Directory Provider"
    	Set objCommand.ActiveConnection = objConnection
    	
    	' Determine the DNS domain from the RootDSE object.
    	Set objRootDSE = GetObject("LDAP://RootDSE")
    	strDNSDomain = objRootDSE.Get("DefaultNamingContext")
    	' Setup filter and query
    	strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & strUserName & "))"
    	strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter & ";CN,distinguishedName,postalcode,telephoneNumber;subtree"
    	objCommand.CommandText = strQuery
    	objCommand.Properties("Timeout") = 60
    	objCommand.Properties("Cache Results") = False
    	Set objResult = objCommand.Execute
    	strDN = objResult.Fields("distinguishedName")
    	If sZip = objResult.Fields("postalcode") Then
    		If sPhone = objResult.Fields("telephoneNumber") Then
    			DataArea.innerHTML = "Type a new password: <input type=""password"" name=""ResetPass"" id=""ResetPass"">" &_
    								 "<input type=""button"" name=""btnReset"" id=""btnReset"" value=""Reset"" style=""height:25px;width:70px"" onclick=""ResetPas strDN,ResetPass.Value"">"
    			btnStart.Disabled = True
    		Else
    			Window.Alert "The Telephone number does not match. This app will exit."
    			Self.close
    		End If
    	Else
    		Window.Alert "The Zip Code does not match. This app will exit."
    		Self.close
    	End If
    End Sub
    
    ' Reset the Password
    Sub ResetPas(dn,pass)
    	btnReset.Disabled = True
    	Set objUser = GetObject("LDAP://" & dn)
    	objUser.SetPassword pass
    	objUser.SetInfo
    	MsgBox "Your Password has been set."
    End Sub
    
    ' Validate to ensure only numbers were entered.
    Function Validate(strng, pattrn)
    	Dim objRegex
    	Set objRegex = New RegExp
    	objRegex.Pattern = pattrn
    	If objRegex.Test(strng) Then
    		Validate = True
    	Else
    		Validate = False
    	End If
    End Function
    </script>
    
    <body bgcolor="white">
    <h3>To reset your password please answer the questions below.</h3>
    <p>
    <table width="100%" border="0">
    <td width="50%">
    <label>Please enter your five digit zip code:</label><br /><br />
    <label>Please enter your phone number:</label>
    </td>
    <td width="30%">
    <input type="text" size=5 maxlength=5 name="txtZipCode" id="txtZipCode"><br /><br />
    <input type="text" size=3 maxlength=3 name="txtArea" id="txtArea">-
    <input type="text" size=3 maxlength=3 name="txtPrefix" id="txtPrefix">-
    <input type="text" size=4 maxlength=4 name="txtExtension" id="txtExtension">
    </td>
    </table>
    <table width="100%" height=25% border="0">
    <td align="center">
    <Span id="DataArea"></Span>
    </td>
    </table>
    <input type="button" name="btnStart" id="btnStart" value="Check" style="height:25px;width:70px" onclick="Start">
    <input type="button" name="btnExit" id="btnExit" value="Exit" style="height:25px;width:70px" onclick="Self.Close()">
    </body>
    </html>



    v/r LikeToCode....Mark the best replies as answers.
    Tuesday, July 27, 2010 10:17 PM
  • Many thanks for the script, but we need it as an HTML file so we can run it on IIS7.

    Have tried it on IIS 7 but it errors out on GetObject, on the ActiveX control; it looks as if it's not compatible with IIS7.

    Is there any way it could be modified to work on IIS7, as this is all we have to run it on?

    Thanks

    Wednesday, July 28, 2010 2:46 PM
  • This is an HTA and is meant to run as a standalone; if a user needs to reset their pass then you can direct them to a network share where they can run this app and it will reset their password. As I said this is an as-is script: all of the VBS code will do what you need, it will be up to you to figure out how to make it work in your environment. Or you can do what Gunner999 suggested, which will allow you to add the two questions as well.


    v/r LikeToCode....Mark the best replies as answers.
    Wednesday, July 28, 2010 3:53 PM
  • Just want to thank everyone on the forum for helping us out, we got it working in our environment through a combination of the answers.


    Friday, August 06, 2010 7:50 AM
  • >> Then it will query AD for the logged in user and attempt to match the zip code and phone number stored in AD.

    That's very nice if the user who forgot their password is currently logged in and realizes he forgot his password.  I've never heard of that happening though.  Our help desk always gets calls from people who cannot log in because they forgot their password.

    How about instead of querying AD for the logged in user, it asks three questions: zip code, phone number, and user name?

    Friday, August 06, 2010 2:31 PM
  • I modified my HTA script above to ask for a username and then use that value to authenticate them to AD instead of using the logged on username. This means that if they supply the wrong username and they know the answers to someone else's username then they could reset their password. Also I don't know the format of your usernames (firstname.lastname or first initial & last name, etc.) so you will have to find a way to ensure the usernames are in the right format. This regex expression would match usernames of any length with numbers or letters and a period like john.smith:  ^([a-zA-Z0-9]{1,})\.([a-zA-Z0-9]{1,})$  You could then change this: If txtUsername.Value = "" Then to this: If Validate(txtUsername.Value, "^([a-zA-Z0-9]{1,})\.([a-zA-Z0-9]{1,})$") Then to validate that type of username.


    <html>
    <head>
    <title>Reset Password</title>
    <HTA:APPLICATION
     APPLICATIONNAME="Reset Password"
     ID="ResetPassword"
     VERSION="1.0"/>
    </head>
    
    <script language="VBScript">
    Dim strDN
    Sub Window_OnLoad
    	Window.ResizeTo 500,300
    End Sub
    Sub start
    	Dim strPhone
    	strPhone = txtArea.value & "-" & txtPrefix.Value & "-" & txtExtension.Value
    	'Check Username
    	If txtUsername.Value = "" Then
    		Window.Alert "Please enter a username to continue."
    	Else
    		'Validate zipcode
    		If Validate(txtZipCode.Value, "\d{5}") Then
    			'Validate Phone Number
    			If Validate(strPhone, "\d{3}\-\d{3}\-\d{4}") Then
    				'Start Password Reset
    				AD_Query strPhone,txtZipCode.Value,txtUsername.Value
    			Else
    				Window.Alert "Please enter a valid phone number."
    				txtArea.value = ""
    				txtPrefix.Value = ""
    				txtExtension.Value = ""
    			End If
    		Else
    			Window.Alert "Please enter a five digit zipcode."
    			txtZipCode.Value = ""
    		End If
    	End If
    End Sub
    
    Sub AD_Query(sPhone,sZip, sUsername)
    	Dim objConnection, objCommand, objRootDSE, objResult, strUserName, strDNSDomain, strFilter, strQuery
    	' Trim the username of Leading and trailing whitespace
    	strUserName = Trim(sUsername)
    	' Use ADO to search Active Directory.
    	Set objConnection = CreateObject("ADODB.Connection")
    	Set objCommand = CreateObject("ADODB.Command")
    	objConnection.Provider = "ADsDSOOBject"
    	objConnection.Open "Active Directory Provider"
    	Set objCommand.ActiveConnection = objConnection
    	
    	' Determine the DNS domain from the RootDSE object.
    	Set objRootDSE = GetObject("LDAP://RootDSE")
    	strDNSDomain = objRootDSE.Get("DefaultNamingContext")
    	' Setup filter and query
    	strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & strUserName & "))"
    	strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter & ";CN,distinguishedName,postalcode,telephoneNumber;subtree"
    	objCommand.CommandText = strQuery
    	objCommand.Properties("Timeout") = 60
    	objCommand.Properties("Cache Results") = False
    	Set objResult = objCommand.Execute
    	strDN = objResult.Fields("distinguishedName")
    	If sZip = objResult.Fields("postalcode") Then
    		If sPhone = objResult.Fields("telephoneNumber") Then
    			DataArea.innerHTML = "Type a new password: <input type=""password"" name=""ResetPass"" id=""ResetPass"">" &_
    								 "<input type=""button"" name=""btnReset"" id=""btnReset"" value=""Reset"" style=""height:25px;width:70px"" onclick=""ResetPas strDN,ResetPass.Value"">"
    			btnStart.Disabled = True
    		Else
    			Window.Alert "The Telephone number does not match. This app will exit."
    			Self.close
    		End If
    	Else
    		Window.Alert "The Zip Code does not match. This app will exit."
    		Self.close
    	End If
    End Sub
    
    ' Reset the Password
    Sub ResetPas(dn,pass)
    	btnReset.Disabled = True
    	Set objUser = GetObject("LDAP://" & dn)
    	objUser.SetPassword pass
    	objUser.SetInfo
    	MsgBox "Your Password has been set."
    End Sub
    
    ' Validate to ensure only numbers were entered.
    Function Validate(strng, pattrn)
    	Dim objRegex
    	Set objRegex = New RegExp
    	objRegex.Pattern = pattrn
    	If objRegex.Test(strng) Then
    		Validate = True
    	Else
    		Validate = False
    	End If
    End Function
    </script>
    
    <body bgcolor="white">
    <h3>To reset your password please answer the questions below.</h3>
    <p>
    <table width="100%" border="0">
    <td width="50%">
    <label>Please enter your Username:</label><br /><br />
    <label>Please enter your five digit zip code:</label><br /><br />
    <label>Please enter your phone number:</label>
    </td>
    <td width="30%">
    <input type="text" name="txtUsername" id="txtUsername"><br /><br />
    <input type="text" size=5 maxlength=5 name="txtZipCode" id="txtZipCode"><br /><br />
    <input type="text" size=3 maxlength=3 name="txtArea" id="txtArea">-
    <input type="text" size=3 maxlength=3 name="txtPrefix" id="txtPrefix">-
    <input type="text" size=4 maxlength=4 name="txtExtension" id="txtExtension">
    </td>
    </table>
    <table width="100%" height=25% border="0">
    <td align="center">
    <Span id="DataArea"></Span>
    </td>
    </table>
    <input type="button" name="btnStart" id="btnStart" value="Check" style="height:25px;width:70px" onclick="Start">
    <input type="button" name="btnExit" id="btnExit" value="Exit" style="height:25px;width:70px" onclick="Self.Close()">
    </body>
    </html>
    

    v/r LikeToCode....Mark the best replies as answers.
    Friday, August 06, 2010 3:48 PM
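    Added example (not from this thread and not part of LikeToCode's HTA) showing, in Python, the checks a reviewer would want around the username-driven version above: the username is validated against the firstname.lastname pattern the post proposes and escaped before it is concatenated into the sAMAccountName filter, and the zip and phone answers are compared digit-for-digit so a value stored in AD as "(555) 123-4567" still matches. Function names and the sample values are assumptions made here.

```python
import hmac
import re

# RFC 4515 escaping for values embedded inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Username shape proposed in the post (firstname.lastname). fullmatch() makes the
# whole value fit the pattern, not just a substring of it.
USERNAME_RE = re.compile(r"^([a-zA-Z0-9]{1,})\.([a-zA-Z0-9]{1,})$")


def escape_ldap_value(value: str) -> str:
    """Escape a user-supplied value before it is concatenated into a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(username: str) -> bool:
    """True only for values in firstname.lastname form (assumed site convention)."""
    return USERNAME_RE.fullmatch(username.strip()) is not None


def build_user_filter(username: str) -> str:
    """Same filter the HTA builds, with the username validated and escaped first."""
    username = username.strip()
    if not is_valid_username(username):
        raise ValueError("username is not in firstname.lastname form")
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName="
            + escape_ldap_value(username) + "))")


def digits_only(value: str) -> str:
    """Keep only digits so '(555) 123-4567' and '555-123-4567' compare equal."""
    return re.sub(r"\D", "", value or "")


def answers_match(entered_zip, entered_phone, ad_postalcode, ad_telephone) -> bool:
    """Compare both answers against the postalCode / telephoneNumber attributes."""
    ad_zip, ad_phone = digits_only(ad_postalcode), digits_only(ad_telephone)
    # An unset attribute must never count as a match; refuse rather than compare.
    if not ad_zip or not ad_phone:
        return False
    zip_ok = hmac.compare_digest(digits_only(entered_zip), ad_zip)
    phone_ok = hmac.compare_digest(digits_only(entered_phone), ad_phone)
    return zip_ok and phone_ok
```

    Both answers are checked before reporting a result, so the caller reports a single "does not match" rather than revealing which of the two answers was wrong.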
  • Hi everyone

    Hope it's OK to point you to a product my company represents but it does solve your problem i.e. a self service solution which resets users' passwords via a 2 factor authentication: secret questions and one time mobile phone verification codes.

    Feel free to try it out from:  http://www.codework.com/index.php/products/a-z/search/Specops

    More than happy to answer any questions if you have any on the product or on the general issue and problem!

    Margherita


    Wednesday, August 11, 2010 4:13 PM