Microsoft KB Archive/184619

= How to Change Windows NT Account Passwords Using Internet Information Server (IIS) 4.0 =

Article ID: 184619

Article Last Modified on 8/12/2005

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Active Directory Service Interfaces 2.5

-



This article was previously published under Q184619



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
This article describes how to configure Internet Information Server (IIS) so that users can change their Windows NT passwords.

NOTE: Changing a password over the Internet is a potential security risk.



MORE INFORMATION
To configure IIS so users can change their Windows NT passwords, you can use either the IISADMPWD virtual directory or the Microsoft Active Directory Service Interfaces (ADSI) provided with IIS.

Using the built-in support:

IIS 4.0 ships with the ability to allow users to change their Windows NT passwords and to notify users that their passwords are about to expire. This is done by using the IISADMPWD virtual server that installs as part of the default Web site. This feature is implemented as a set of .htr files located in the \System32\Inetsrv\Iisadmpwd directory and an ISAPI extension named Ism.dll.

You can configure a site to support password changes by setting the following properties on the site: PasswordCacheTTL, PasswordChangeFlags and PasswordExpirePrenotifyDays. Refer to the IIS documentation for more details on these properties.

To allow a user to change their password, provide a link in your Web page to the following location:

http://servername/IISADMPWD/aexp.htr

These properties can be set either through the MetaEdit tool that ships in the IIS 4.0 Resource Kit, or you can include the following sample script in ASP, Visual Basic, or the Windows Script Host: Dim IIsObj, vDay Set IIsObj = GetObject("IIS://LocalHost/W3SVC")

vDay = 10

Set new value IIsObj.PasswordExpirePrenotifyDays = vDay

'Save the changes back to the data store IIsObj.SetInfo Using the ADSI Interfaces provided by IIS:

ADSI allows access to many directory stores in addition to the IIS metabase, including Windows NT user accounts. If you use ADSI from ASP to access NT accounts, you must run an account that has administrator access to a domain controller. If your IIS server is not a domain controller, you have to establish a useable administrator security context. In this case, you cannot use the IIS 4.0 Windows Challenge/Response, you must use basic authentication or force your .asp script to run as an explicit administrator account. With IIS 5.0, you can use Windows Integrated Security as long as all your users are running Windows 2000 clients and your IIS server computer account is marked as trusted for delegation. The following is some sample code to create a new user account, , with the password, , in the group, , and domain, : ' General Constants strDomain ="" strUser ="" strGroup = ""

' Create new user with password Set oDomain = GetObject("WinNT://" & strDomain) Set oUser = oDomain.Create ("User", strUser) oUser.SetInfo oUser.SetPassword = "" Set oUser = nothing

' Add user to specific group Set oGroup = oDomain.GetObject("Group", strGroup) oGroup.Add ("WinNT://" & strDomain & "/" & strUser) oGroup.SetInfo Set oGroup = nothing Set oDomain = nothing

NOTE: On Windows NT 4.0, IIS installs a limited version of ADSI. This sample script only works on Windows NT 4.0 if you have installed the full version of namespace provider. For more documentation and a full version of ADSI, please see the following Web page:

http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adsilinks.asp

For additional information, please see the following article in the Microsoft Knowledge Base:

184058 Unable to Change Password Using the IIS 4.0 Change Password Feature

Keywords: kbhowto KB184619

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.