ZENworker asked:
AD Password Change via web

This may be a stupid question, but I've got a new AD implementation and have created all the users with a unique password that they know, but I've also set it to force a pw change at login. The only thing we have in this new domain is a SP 2007 web site (with servers and controllers), but we want to migrate a few thousand users after we get this issue solved. I'd like to point users to a website that would force them to change their AD pw and then pass them on to the SP site. I don't want to take the time to implement an IdM solution or a tree sync; I just want the users to enter the pw of their choice on non-AD PCs through a browser, at a very low cost, and have it work. I've thought about a Kerberos server and a web part, but didn't want to take the time to learn it. Any ideas?

Thanks, ZENworker
Tag: Active Directory

Netman66:

Until they actually log into the domain and change their password this won't work.

If you uncheck Force User to change Password at next logon, then this could work.

This product might be a good fit:

http://www.namescape.com/Products/rDirectory/Community/Landing/?src=sbelt061023

ZENworker (asker):

Thanks for the rapid feedback. I've spoken with and downloaded the solution from Bamboo and I will try it in our lab. I think it is a great pw change solution after we get the egg before the chicken, but testing will show. What are your thoughts on iisadmpwd/achg.asp and http://support.microsoft.com/kb/833734? Is that better to handle that first MS login?

Thanks again,
ZENworker (asker):

I really, really, really want to force the initial pw change and that is the current direction I'm going. If I can get the user creds back to AD, I can work everything else out for future issues. I just need the first population.

Thanks,
Netman66:

If you force the PW change then you have no option but to log into the domain (as the user) to change it.  As long as the attribute is set for this, the user cannot unset it without changing the password ON the domain.

Only the Admin can do this but the attribute still exists until turned off.

You can see what I mean pretty easily by trying the following:

1)  Create a shortcut on your desktop to an application that the user should be able to run (DSA.MSC should work).
2)  In the properties of the shortcut, click Advanced then select Run as different user.
3)  Double click the shortcut and enter credentials for a user you have set to Change PW at next logon.
4)  Results - you can't logon as that user.

The same problem would exist by any other means until the user actually logged on and changed their password.  There's nothing stopping you from unchecking that box, then forcing the password change in your code on the website.  Just use a cookie to determine if it's been done the first time they visit.
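The following is an added example, not code from this thread or from any product mentioned in it. It shows the two pieces an admin would want behind the kind of web page Netman66 describes: a lookup of whether the "User must change password at next logon" box is still ticked (stored in AD as pwdLastSet = 0), and a password change performed by binding as the user with their old password through ADSI's IADsUser::ChangePassword, which honours domain password policy (unlike an administrative SetPassword reset). Users still carrying the flag are reported rather than bound, matching the advice above to clear the flag and let the web page enforce the change. The domain name EXAMPLE, the search root DC=example,DC=local, and the account jdoe are placeholders.

```powershell
# Added example (not from the thread). Assumes it runs on a domain-joined host
# under an account allowed to read pwdLastSet; EXAMPLE / DC=example,DC=local are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-MustChangeFlag {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchRoot = 'LDAP://DC=example,DC=local'   # placeholder forest root
    )
    # Search with the calling account's credentials (admin or service account).
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No user with sAMAccountName '$SamAccountName'" }
    # SearchResult hands back pwdLastSet as an Int64 FILETIME; 0 means the box is ticked.
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
        MustChange        = ([int64]$hit.Properties['pwdlastset'][0]) -eq 0
    }
}

function Set-OwnPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$OldPassword,
        [Parameter(Mandatory)][string]$NewPassword,
        [string]$Domain = 'EXAMPLE'                           # placeholder NetBIOS domain name
    )
    $info = Get-MustChangeFlag -SamAccountName $SamAccountName
    if ($info.MustChange) {
        # Report the state instead of attempting a bind that the flag blocks;
        # the admin clears the flag and the web page enforces the change instead.
        throw "'$SamAccountName' is flagged 'must change password at next logon'; clear the flag first"
    }
    # Bind as the user with the old password. IADsUser::ChangePassword verifies the
    # old password and applies the domain password policy to the new one.
    $user = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$($info.DistinguishedName)", "$Domain\$SamAccountName", $OldPassword)
    try {
        $user.Invoke('ChangePassword', @($OldPassword, $NewPassword))
        $user.CommitChanges()
        return $true
    } catch {
        # Wrong old password or policy rejection: log it and let the page show a generic error.
        Write-Warning "Password change for '$SamAccountName' failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholder account and passwords):
# Get-MustChangeFlag -SamAccountName jdoe
# Set-OwnPassword -SamAccountName jdoe -OldPassword 'old-P@ss' -NewPassword 'new-P@ss'
```

Get-MustChangeFlag is the cheap audit the thread circles around: running it over the migrated accounts lists who still has the flag set before anyone is pointed at the page. Set-OwnPassword never uses an administrative reset, so the old password is proven and policy is enforced by the domain controller, not by the web code.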
ZENworker (asker):

Great feedback. Imagine a workstation not on my network, but the user has an AD network login from me via an SSL VPN solution with an expired AD password. We can dig deeper, but I believe it will just confuse the matter.

Thanks again
ASKER CERTIFIED SOLUTION
Netman66:
ZENworker (asker):

I went ahead and created a web based solution based on this: http://support.microsoft.com/kb/907271/en-us and got about 7K users' passwords synced across an old and a new AD in the past 3 months. If you're looking at a solution like this and having problems with your machine passwords expiring, I'd take a look at http://support.microsoft.com/kb/154501 and consider changing or disabling the pw age through GPO. It is the same on XP.
Have fun!