In a complex network with several trusted and untrusted forests, where users log on with accounts from different forests, changing a password becomes a problem. The article http://www.kovanev.net/faq/vbs/164-vbs-3 describes a good script for changing your password. My version reworks the WinNT/LDAP lookup as an LDAP query so that accounts in subdomains are found, and adds the ability to work without authentication for users from untrusted forests.
On the web server, do the following:
1. Create a folder, e.g. C:\ChangePass
2. In that folder create the file index.html with the following contents:
<html>
<head>
<title>Change User Password</title>
<HTA:APPLICATION
BORDER="thin"
BORDERSTYLE="sunken"
CAPTION="yes"
MAXIMIZEBUTTON="yes"
MINIMIZEBUTTON="yes"
SCROLL="no"
SHOWINTASKBAR="no"
SYSMENU="yes"
WINDOWSTATE="normal" />
<script type="text/javascript">
// Size the window and centre it on the screen
var sampleWidth = 300;
var sampleHeight = 420;
window.resizeTo(sampleWidth, sampleHeight);
var screenPosX = screen.width / 2 - sampleWidth / 2;
var screenPosY = screen.height / 2 - sampleHeight / 2;
window.moveTo(screenPosX, screenPosY);
</script>
</head>
<body>
<form action="cp.asp" method="post">
<p><font size="3">Specify your username: </font></p><input type="text" name="T1" size="20">
<p><font size="3">Enter your current password: </font></p><input type="password" name="T2" size="20">
<p><font size="3">Enter a new password: </font></p><input type="password" name="T3" size="20">
<p><font size="3">Re-enter new password: </font></p><input type="password" name="T4" size="20">
<p><input type="Submit" value="Change password" name="B3">
<input type="button" value="Cancel" name="B6" onclick="self.close()"></p>
</form>
</body>
</html>
3. Create a dedicated user account for the impersonation in step 4. Make a new, otherwise empty group its primary group (the "NULL group") and then remove it from Domain Users, so the account has no rights beyond what the directory lookup needs.
4. In the folder create the file cp.asp with the following contents, filling in that user's login, password and domain:
<%@ language="VBScript" %>
<%
Option Explicit
Dim objLogon, objConnection, objCommand, objRecordSet, objUser, reUser
Dim UserName, OldPassword, NewPassword, NewPassword2, strDN
Const ADS_SCOPE_SUBTREE = 2

UserName     = Request.Form("T1")
OldPassword  = Request.Form("T2")
NewPassword  = Request.Form("T3")
NewPassword2 = Request.Form("T4")

' Validate the form before touching the directory.
If UserName = "" Then
    Response.Write("Username can't be empty!")
    Response.End
End If
' The account name goes into the LDAP query below, so allow only characters
' that are valid in a sAMAccountName (widen the pattern if your naming
' convention needs it). This also blocks query injection through T1.
Set reUser = New RegExp
reUser.Pattern = "^[A-Za-z0-9._-]{1,20}$"
If Not reUser.Test(UserName) Then
    Response.Write("ERROR. Username contains invalid characters.")
    Response.End
End If
If NewPassword <> NewPassword2 Then
    Response.Write("ERROR. New passwords do not match.")
    Response.End
End If

' Impersonate the low-privilege lookup account from step 3 so that the
' anonymous IIS request can search the directory (the credentials are
' stored here in clear text, so keep the account's rights minimal).
Set objLogon = Server.CreateObject("LoginAdmin.ImpersonateUser")
objLogon.Logon "youruser", "yourpassword", "youruserdomain"

' Find the user's distinguishedName by sAMAccountName, searching the whole
' forest root subtree so that accounts in child domains are found too.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 10000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT distinguishedName FROM 'LDAP://hq.contoso.com' " & _
    "WHERE objectCategory='user' AND samaccountname='" & UserName & "'"
Set objRecordSet = objCommand.Execute

strDN = ""
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Loop
If strDN = "" Then
    ' Same message as for a bad password, so the form does not reveal
    ' which account names exist.
    objLogon.Logoff
    Response.Write("ERROR. Wrong password!")
    Response.End
End If

' Bind to the user while still impersonated, then drop the impersonation:
' ChangePassword is performed with the old password the user supplied, which
' is what lets users from untrusted forests change their password here.
Set objUser = GetObject("LDAP://" & strDN)
objLogon.Logoff
Set objLogon = Nothing

On Error Resume Next
objUser.ChangePassword OldPassword, NewPassword
' Err.Number is a Long, so compare it with numeric literals (a string
' literal such as "-2147024810" never matches in VBScript).
Select Case Err.Number
    Case 0
        Response.Write("SUCCESS. New password has been saved.")
    Case -2147024810   ' 0x80070056 = ERROR_INVALID_PASSWORD
        Response.Write("ERROR. Wrong password!")
    Case -2147022651   ' 0x800708C5 = NERR_PasswordTooShort (length, complexity or history policy)
        Response.Write("ERROR. The new password does not meet the password policy (complexity, length or history)!")
    Case Else
        Response.Write("ERROR. Password change failed (0x" & Hex(Err.Number) & ").")
End Select
On Error GoTo 0
%>
5. Download LoginAdmin.dll, or build your own following the article "How to impersonate a user from Active Server Pages".
6. Register the DLL, e.g. regsvr32.exe C:\ChangePass\LoginAdmin.dll
7. In the IIS console create a website "ChangePass" pointing at the folder C:\ChangePass; configure its bindings, enable HTTPS (the form posts the current and new passwords) and enable anonymous authentication.
8. When you open the page you will see the form from index.html.
UPD: In some cases the application pool identity also has to be set to "youruser".
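Two details of cp.asp deserve a worked example: the account name from the form is placed straight into the directory query, and the result of ChangePassword is an HRESULT whose low 16 bits are the Win32 error code that the two magic numbers in the script encode. The code below is an added example, not part of the original post or of the kovanev.net script. It is written in ES5-style JavaScript so it runs under Node as-is and could be adapted to server-side JScript; all function names and the sample inputs are my own, and the LDAP-dialect query string it builds is an alternative to the SQL-dialect query in cp.asp, not a drop-in replacement.

```javascript
// Added example (not from the original post). ES5-style JavaScript; run with Node.

// RFC 4515 escaping for a value placed inside an LDAP search filter:
// characters with filter meaning become "\xx" hex escapes.
function escapeLdapFilterValue(value) {
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var c = value.charAt(i);
    switch (c) {
      case "\\":     out += "\\5c"; break;
      case "*":      out += "\\2a"; break;
      case "(":      out += "\\28"; break;
      case ")":      out += "\\29"; break;
      case "\u0000": out += "\\00"; break;
      default:       out += c;
    }
  }
  return out;
}

// Conservative allow-list for a sAMAccountName (assumption: widen the
// character class if your naming convention uses other characters).
var SAM_ACCOUNT_NAME = /^[A-Za-z0-9._-]{1,20}$/;

// Builds the ADSI search in the LDAP dialect rather than the SQL dialect
// used by cp.asp: the filter carries no quotes, so RFC 4515 escaping is the
// only escaping needed. Returns null when the name fails the allow-list;
// the escaping is kept as a second layer in case the list is widened.
function buildUserLookup(searchBase, samAccountName) {
  if (!SAM_ACCOUNT_NAME.test(samAccountName)) {
    return null;
  }
  var filter = "(&(objectCategory=user)(sAMAccountName=" +
               escapeLdapFilterValue(samAccountName) + "))";
  return "<" + searchBase + ">;" + filter + ";distinguishedName;subtree";
}

// ADSI reports Win32 failures as HRESULTs of the form 0x8007xxxx:
// bit 31 = failure, bits 16-28 = facility (7 = FACILITY_WIN32),
// low 16 bits = the Win32 error code. Bitwise operators in JavaScript work
// on 32-bit integers, so the negative Long from VBScript decodes directly.
var FACILITY_WIN32 = 7;

function decodeHresult(hresult) {
  return {
    failed: hresult < 0,
    facility: (hresult >>> 16) & 0x1fff,
    code: hresult & 0xffff
  };
}

// Win32 codes behind the two values cp.asp checks, mapped to its messages.
var PASSWORD_ERRORS = {
  86:   "ERROR. Wrong password!",                                     // ERROR_INVALID_PASSWORD (0x80070056)
  2245: "ERROR. The new password does not meet the password policy!"  // NERR_PasswordTooShort  (0x800708C5)
};

function describeChangePasswordResult(hresult) {
  if (hresult === 0) {
    return "SUCCESS. New password has been saved.";
  }
  var d = decodeHresult(hresult);
  if (d.facility === FACILITY_WIN32 && PASSWORD_ERRORS.hasOwnProperty(d.code)) {
    return PASSWORD_ERRORS[d.code];
  }
  // Anything else: show the HRESULT in hex so it can be looked up.
  return "ERROR. Password change failed (0x" + (hresult >>> 0).toString(16) + ").";
}

// Constructed sample inputs (not real accounts or captured values).
console.log(buildUserLookup("LDAP://hq.contoso.com", "jdoe"));
console.log(buildUserLookup("LDAP://hq.contoso.com", "jdoe)(objectClass=*"));  // null: rejected
console.log(escapeLdapFilterValue("a*b(c)\\d"));                                 // a\2ab\28c\29\5cd
console.log(describeChangePasswordResult(-2147024810));                        // wrong password
console.log(describeChangePasswordResult(-2147022651));                        // policy
console.log(describeChangePasswordResult(-2147023570));                        // 0x8007052e, not mapped
```

The decode step is what turns the two opaque constants in cp.asp into checkable facts: -2147024810 is 0x80070056 (Win32 error 86, ERROR_INVALID_PASSWORD) and -2147022651 is 0x800708C5 (Win32 error 2245, NERR_PasswordTooShort, the policy failure for length, complexity or history). In VBScript the equivalent of `decodeHresult` is `Err.Number And &HFFFF&`, and the `Select Case` on `Err.Number` must use numeric literals, never strings.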