Allow users to change AD user password via web page?

    Question

  • We do not have an Exchange server on our domain, so changing their local domain user password with Outlook Web Access is not an option.
    I saw this page when I did a search:
    http://technet.microsoft.com/en-us/library/cc720655(WS.10).aspx#bkm3

    We will think about that solution, but it is only for Server 2003 and IIS 6.0, and we are considering moving to Server 2008 soon (likely before release of R2).

    What would be the easiest free way to set up a webpage that allows users to change their domain passwords from machines that cannot be joined to our domain or when they are out of the office? They do not have access to log in to the domain remotely via VPN, but we can have one webserver accessible to them remotely via standard ports 80 and 443.
    We are looking for a free or low cost solution.
    It would be really great if the users are still able to change their passwords even if the password is already expired, but even if not, it would be better than nothing.
    • Changed type David Shen Friday, June 05, 2009 10:36 AM
    Thursday, June 04, 2009 11:05 PM

Answers

  • Your best bet is to write a custom webpage and a custom script which changes a user's password.
    The only problem you would have is how to authenticate them to the webpage you write; I imagine if they want to reset their password then they don't know what it is.
    Here is a script which does what you want, which you could easily call from a webpage:

    ' SetPassword.vbs
    ' Administrative reset: sets one fixed password on every user object in an OU.
    ' --------------------------------------------------------------
    Option Explicit
    Dim objOU, objUser, objRootDSE
    Dim strContainer, strDNSDomain, strPassword

    ' Bind to Active Directory Domain
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' -------------------------------------------------------------
    ' Important: change OU= to reflect your domain
    ' -------------------------------------------------------------
    strContainer = "OU=Accounts, "
    strPassword = "P@ssw0rd"
    strContainer = strContainer & strDNSDomain

    ' Loop through the OU, setting the same password (strPassword) for all users
    Set objOU = GetObject("LDAP://" & strContainer)
    For Each objUser In objOU
        If objUser.Class = "user" Then
            objUser.SetPassword strPassword
            objUser.SetInfo
        End If
    Next

    WScript.Quit


    Terry http://www.sucked-in.com
    • Marked as answer by David Shen Tuesday, June 09, 2009 9:54 AM
    Thursday, June 04, 2009 11:45 PM

All replies

  • I looked more closely at the details at the link above and just realized it requires MIIS that sells for about $15,000 per server. 
    So, that's not an option at all and we are looking for a different solution.
    Thursday, June 04, 2009 11:21 PM
  • That would set the user's password to whatever you put in the script.
    I was looking for a web page where the user changes their own password like they can with OWA, but without needing an Exchange server and OWA to make it work.
    Saturday, June 06, 2009 7:05 AM
  • Hello,

    Your best option is to write a simple IIS web application that uses LDAP to authenticate against Active Directory. Users log in as domain\UserName and enter the current password; if expired, prompt for change\new password, etc. It can be really simple, if you have the time.
    Isaac Oben MCITP:EA, MCSE
    • Marked as answer by David Shen Tuesday, June 09, 2009 9:53 AM
    • Unmarked as answer by MyGposts Tuesday, June 09, 2009 3:57 PM
    Saturday, June 06, 2009 8:19 PM
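
The reply above describes a page that takes a logon name and the current password and talks LDAP to Active Directory. As an added example (not code from the thread), the Python below builds the search filter and the `unicodePwd` modify operations such a page would send, and shows how a user-driven change differs from an administrative reset like the script earlier in the thread. The function names, the tuple layout and the host name are this example's own assumptions, and nothing is sent to a directory.

```python
# Added example, not code from the thread. It builds (and never sends) the
# search filter and unicodePwd modify operations for an AD password page.
from urllib.parse import urlsplit

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def user_lookup_filter(logon_name: str) -> str:
    """Filter to find the account for a submitted 'DOMAIN\\name' or 'name'."""
    name = logon_name.rsplit("\\", 1)[-1]
    if not name:
        raise ValueError("empty logon name")
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in name)
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % escaped


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes and UTF-16LE encoded."""
    return ('"%s"' % password).encode("utf-16-le")


def change_ops(old_password: str, new_password: str) -> list:
    """User-driven change: delete the old value and add the new one in a single
    modify request, so the DC accepts it only if the old password is correct."""
    if not old_password or old_password == new_password:
        raise ValueError("current password required and must differ from the new one")
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]


def reset_ops(new_password: str) -> list:
    """Administrative reset: a replace that carries no proof of the old password."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def require_encrypted(ldap_url: str) -> str:
    """AD refuses unicodePwd writes unless the connection is encrypted;
    this example accepts only ldaps:// URLs."""
    if urlsplit(ldap_url).scheme.lower() != "ldaps":
        raise ValueError("password operations need an ldaps:// connection")
    return ldap_url


if __name__ == "__main__":
    # Constructed sample input; dc01.example.test is a placeholder host.
    print(require_encrypted("ldaps://dc01.example.test:636"))
    print(user_lookup_filter("EXAMPLE\\jdoe"))
    print(change_ops("Old-Passw0rd!", "New-Passw0rd!"))
```

With an LDAP client library, each list maps onto one modify request against the DN that the search filter returns.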
  • I haven't been able to find anything like that.
    I did find a SharePoint webpart that allows users to change their passwords, but it cannot handle an expired password.
    http://codeplex.com/ChangePassword

    It only allows them to change the password before it expires, so it has limited usefulness.
    Once the password expires, they have to call the help desk to change the password for them.
    If the help desk sets the password, the helpdesk cannot check the box requiring the user to change the password on next logon or the users can't change it (because it is expired).  Because of minimum password age policy, the user can't set their own password until the next day. The whole situation is a chicken and egg circular problem that I'm surprised has no solution.
    Our situation of some domain users using computers off of our domain is not the norm, but it isn't all that rare either.


    I'm still trying to find a way that users are able to change an expired password.
    • Edited by MyGposts Tuesday, June 09, 2009 4:00 PM
    Tuesday, June 09, 2009 3:56 PM
  • We use PowerShell for this!

    http://deployhappiness.com/reset-user-passwords-with-ad-self-service-portal/

    Users can use text messages to reset their password. Their phone is linked to their account which provides an extra layer of security. Best of all - it's free!



    Monday, May 13, 2013 3:10 PM