In a complex network with several trusted and untrusted forests, where users may log on with accounts from different forests, changing passwords is a problem. The article http://www.kovanev.net/faq/vbs/164-vbs-3 describes a good script for resetting a password. In my version, the WinNT lookup is reworked into an LDAP query so that subdomains are covered, and the page can also work without authentication for users from untrusted forests.
On the web server, do the following:
1. Create a folder, e.g. C:\ChangePass
2. In the folder, create the file index.html (download index.html) with the following content:
<html>
<head>
<title>Change User Password</title>
<!--BEGIN CALLOUT A-->
<HTA:APPLICATION BORDER="thin" BORDERSTYLE="sunken" CAPTION="yes" MAXIMIZEBUTTON="yes" MINIMIZEBUTTON="yes" SCROLL="no" SHOWINTASKBAR="no" SYSMENU="yes" WINDOWSTATE="normal" />
<!--END CALLOUT A-->
<script type="text/javascript">
// Resize the window and centre it on the screen (the computed position is
// now actually used; the original moved the window to a fixed 800,300)
var sampleWidth = 300;
var sampleHeight = 420;
window.resizeTo(sampleWidth, sampleHeight);
var screenPosX = screen.width / 2 - sampleWidth / 2;
var screenPosY = screen.height / 2 - sampleHeight / 2;
window.moveTo(screenPosX, screenPosY);
</script>
</head>
<body>
<!-- autocomplete="off" keeps the browser from storing the old and new passwords -->
<form action="cp.asp" method="post" autocomplete="off">
<!--BEGIN CALLOUT C-->
<p><font size="3">Specify your username: </font></p>
<input type="text" name="T1" size="20">
<!--END CALLOUT C-->
<p><font size="3">Enter your current password: </font></p>
<input type="password" name="T2" size="20">
<p><font size="3">Enter a new password: </font></p>
<input type="password" name="T3" size="20">
<p><font size="3">Re-enter new password: </font></p>
<input type="password" name="T4" size="20">
<!--BEGIN CALLOUT D-->
<p><input type="submit" value="Change password" name="B3">
<input type="button" value="Cancel" name="B6" onclick="self.close()"></p>
<!--END CALLOUT D-->
</form>
</body>
</html>
3. Create a user for the impersonated authentication, add it to the NULL group and remove it from Domain Users
4. In the folder, create the file cp.asp (download cp.asp) and fill in the user login, password and domain:
<%@ language="VBScript" %>
<%
' Impersonate a low-privilege account so the directory lookup can run
' for callers that are not authenticated (users from untrusted forests)
Dim objLogon
Set objLogon = Server.CreateObject("LoginAdmin.ImpersonateUser")
objLogon.Logon "youruser", "yourpassword", "youruserdomain"

Const ADS_SCOPE_SUBTREE = 2
Dim UserName, OldPassword, NewPassword, NewPassword2
Dim objConnection, objCommand, objRecordSet, strDN, User, reName, ok

UserName     = Request.Form("T1")
OldPassword  = Request.Form("T2")
NewPassword  = Request.Form("T3")
NewPassword2 = Request.Form("T4")
ok = True

' Only accept characters valid in a sAMAccountName: the value is concatenated
' into the LDAP query below and must not be able to change its structure
Set reName = New RegExp
reName.Pattern = "^[A-Za-z0-9._\-]{1,20}$"

If UserName = "" Then
    Response.Write("Username can't be empty!")
    ok = False
ElseIf Not reName.Test(UserName) Then
    Response.Write("ERROR. Username contains invalid characters.")
    ok = False
ElseIf NewPassword <> NewPassword2 Then
    Response.Write("ERROR. New passwords do not match.")
    ok = False
End If

If ok Then
    ' Subtree search for the account's distinguishedName, run under the impersonated identity
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 10000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.CommandText = _
        "SELECT distinguishedName FROM 'LDAP://hq.contoso.com' WHERE objectCategory='user' " & _
        "AND samaccountname = '" & UserName & "'"
    On Error Resume Next
    Set objRecordSet = objCommand.Execute
    If Err.Number <> 0 Then
        Response.Write("ERROR. Directory lookup failed.")
        ok = False
    ElseIf objRecordSet.EOF Then
        ' No such account: the original called MoveFirst on an empty recordset and failed
        Response.Write("ERROR. Wrong username or password!")
        ok = False
    Else
        strDN = objRecordSet.Fields("distinguishedName").Value
        Set User = GetObject("LDAP://" & strDN)
        If Err.Number <> 0 Then
            Response.Write("ERROR. Could not bind to the user object.")
            ok = False
        End If
    End If
    On Error GoTo 0
End If

' Impersonation is no longer needed: ChangePassword authenticates with the old password itself
objLogon.Logoff
Set objLogon = Nothing

If ok Then
    On Error Resume Next
    Err.Clear
    User.ChangePassword OldPassword, NewPassword
    ' Compare HRESULTs as numbers: comparing Err.Number to a string never matches in VBScript
    Select Case Err.Number
        Case 0
            Response.Write("SUCCESS. New password has been saved.")
        Case -2147024810   ' 0x80070056 ERROR_INVALID_PASSWORD
            Response.Write("ERROR. Wrong password!")
        Case -2147022651   ' 0x800708C5 NERR_PasswordTooShort (password policy not met)
            Response.Write("ERROR. The new password does not meet the policy complexity and frequency of passwords!")
        Case Else
            Response.Write("ERROR. Password change failed (0x" & Hex(Err.Number) & ").")
    End Select
    On Error GoTo 0
End If
%>
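The same lookup-and-change flow as cp.asp, as an added PowerShell example that is not part of the original post, so the logic can be tried from a prompt against a lab domain before it goes behind IIS. It keeps the page's search root LDAP://hq.contoso.com and the two HRESULTs cp.asp tests; the function and parameter names are this example's own. The username is escaped per RFC 4515 before it goes into the filter, which is the general form of the character check cp.asp does.

```powershell
# Added example, not the page's own code. Assumed: search root from the page,
# all function names hypothetical. Requires System.DirectoryServices (Windows).

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a submitted name cannot alter the filter structure
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Find-UserDistinguishedName {
    # Subtree search by sAMAccountName, the same query cp.asp runs through ADO
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$SearchRoot = 'LDAP://hq.contoso.com')   # root named on the page
    $filter = '(&(objectCategory=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter      = $filter
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

function Get-PasswordChangeMessage {
    # The HRESULTs cp.asp checks, compared as numbers
    param([Parameter(Mandatory)][int]$HResult)
    switch ($HResult) {
        0           { 'SUCCESS. New password has been saved.' }
        -2147024810 { 'ERROR. Wrong password!' }                       # 0x80070056 ERROR_INVALID_PASSWORD
        -2147022651 { 'ERROR. The new password does not meet the policy complexity and frequency of passwords!' } # 0x800708C5
        default     { 'ERROR. Password change failed (0x{0:x8}).' -f $HResult }
    }
}

function Set-UserPasswordSelfService {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$OldPassword,
          [Parameter(Mandatory)][string]$NewPassword)
    $dn = Find-UserDistinguishedName $SamAccountName
    if (-not $dn) { return 'ERROR. Wrong username or password!' }
    $user = [ADSI]("LDAP://" + $dn)
    try {
        # IADsUser::ChangePassword proves knowledge of the old password, so no privileged bind is needed
        [void]$user.Invoke('ChangePassword', @($OldPassword, $NewPassword))
        return Get-PasswordChangeMessage 0
    } catch {
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }   # unwrap TargetInvocationException
        return Get-PasswordChangeMessage $e.HResult
    }
}

# Usage (values are placeholders): run as the user whose password is being changed or any
# identity allowed to query the directory; ChangePassword itself needs no extra rights.
# Set-UserPasswordSelfService -SamAccountName 'jdoe' -OldPassword '<old>' -NewPassword '<new>'
```

Running ConvertTo-LdapFilterValue on a name such as `a*(b)` yields `a\2a\28b\29`, which is what keeps a crafted username from widening the search; cp.asp achieves the same by refusing any character outside the sAMAccountName set.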
5. Download LoginAdmin.dll, or build your own following the article "How to impersonate a user from Active Server Pages"
6. Register the DLL, e.g. regsvr32.exe C:\ChangePass\LoginAdmin.dll
7. In the IIS console, create a website "ChangePass" pointing to the folder C:\ChangePass; configure the bindings, HTTPS and anonymous authentication
8. When you open the page, you will see the form.
UPD: In some cases the application pool identity also has to be set to "youruser".
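Steps 3 and 7 and the UPD note scripted in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module where the account part runs and the WebAdministration module on the web server; the account, group and site names, the certificate thumbprint and the paths are placeholders standing in for the page's "youruser", "NULL group" and C:\ChangePass. The primary-group change is the part the step leaves implicit: an account cannot be removed from Domain Users while that is still its primary group.

```powershell
# Added example, not the page's own code. Run the account function on a host with
# RSAT, the site function on the web server as an administrator. All names are placeholders.

function New-ImpersonationAccount {
    # Step 3: dedicated low-privilege account whose only group is NULL
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Group,
          [Parameter(Mandatory)][securestring]$Password)
    Import-Module ActiveDirectory
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
    }
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
    Add-ADGroupMember -Identity $Group -Members $Name
    # primaryGroupID must point at NULL before Domain Users membership can be dropped
    $rid = (Get-ADGroup -Identity $Group -Properties primaryGroupToken).primaryGroupToken
    Set-ADUser -Identity $Name -Replace @{ primaryGroupID = $rid }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $Name -Confirm:$false
}

function New-ChangePassSite {
    # Step 7 plus the UPD: HTTPS-only site, anonymous authentication, classic ASP,
    # application pool running as the impersonation account
    param([Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$CertThumbprint,   # certificate already in LocalMachine\My
          [Parameter(Mandatory)][string]$AccountDomain,
          [Parameter(Mandatory)][string]$Account,
          [Parameter(Mandatory)][string]$Password)
    Import-Module WebAdministration
    Install-WindowsFeature Web-ASP | Out-Null            # handler for cp.asp
    New-WebAppPool -Name $SiteName | Out-Null
    Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel -Value @{
        identityType = 3                                 # 3 = SpecificUser
        userName     = "$AccountDomain\$Account"
        password     = $Password
    }
    New-Website -Name $SiteName -PhysicalPath $Path -ApplicationPool $SiteName `
        -Port 443 -Ssl | Out-Null
    Get-Item "cert:\LocalMachine\My\$CertThumbprint" |
        New-Item "IIS:\SslBindings\0.0.0.0!443" | Out-Null
    $auth = '/system.webServer/security/authentication/'
    # Anonymous on, with no explicit anonymous user so requests run as the pool identity
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "${auth}anonymousAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "${auth}anonymousAuthentication" -Name userName -Value ''
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "${auth}windowsAuthentication" -Name enabled -Value $false
}

# Usage (placeholders):
# New-ImpersonationAccount -Name 'svc-changepass' -Group 'NULL' -Password (Read-Host -AsSecureString 'Password')
# New-ChangePassSite -SiteName 'ChangePass' -Path 'C:\ChangePass' -CertThumbprint '<thumbprint>' `
#     -AccountDomain 'HQ' -Account 'svc-changepass' -Password '<password>'
```

After running, `Get-ADPrincipalGroupMembership svc-changepass` should list only NULL, and `Get-WebBinding -Name ChangePass` should show a single https binding, which is the state steps 3 and 7 describe.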