How to Change Windows NT Account Passwords Using Internet Information Server (IIS) 4.0

ID: Q184619


The information in this article applies to:


SUMMARY

This article describes how to configure Internet Information Server (IIS) so that users can change their Windows NT passwords.

NOTE: Changing a password over the Internet is a potential security risk.


MORE INFORMATION

To configure IIS so users can change their Windows NT passwords, you can use either the IISADMPWD virtual directory or the Microsoft Active Directory Service Interfaces (ADSI) provided with IIS.

Using the built-in support:

IIS 4.0 ships with the ability to let users change their Windows NT passwords and to notify users that their passwords are about to expire. This is done through the IISADMPWD virtual directory, which is installed as part of the default Web site. The feature is implemented as a set of .htr files located in the <System>\System32\Inetsrv\Iisadmpwd directory and an ISAPI extension named Ism.dll.

You can configure a site to support password changes by setting the following properties on the site: PasswordCacheTTL, PasswordChangeFlags and PasswordExpirePrenotifyDays. Refer to the IIS documentation for more details on these properties.

To allow a user to change their password, provide a link in your Web page to the following location:

http://servername/IISADMPWD/aexp.htr

You can set these properties either with the MetaEdit tool that ships in the IIS 4.0 Resource Kit or with a script such as the following sample, which can be used in ASP, Visual Basic, or the Windows Script Host:

   Dim IIsObj, vDay
   Set IIsObj = GetObject("IIS://LocalHost/W3SVC")

   ' Number of days before expiration to start notifying users
   vDay = 10

   ' Set new value
   IIsObj.PasswordExpirePrenotifyDays = vDay

   ' Save the changes back to the data store
   IIsObj.SetInfo

For additional information, please see the following article in the Microsoft Knowledge Base:
Q184665 : ADSI Calls From ASP Fail With (0x800401e4) or Invalid Syntax
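
The following Windows Script Host script is an added example, not part of the original article. It audits the three properties named above on the Web service and on each site, and flags any node that accepts password changes without SSL. The constant names and the /fix switch are illustrative; the flag values (1 = allow on unsecured ports, 2 = password change disabled, 4 = no advance notification) are taken from the IIS metabase reference and should be confirmed against your IIS documentation.

```vbscript
Option Explicit

' PasswordChangeFlags bit values (assumed from the IIS metabase reference).
' The constant names are illustrative, not IIS identifiers.
Const PWD_ALLOW_UNSECURE = 1   ' password change allowed without SSL
Const PWD_CHANGE_DISABLED = 2  ' password change feature turned off
Const PWD_NO_PRENOTIFY = 4     ' advance expiry notification turned off

Dim oSvc, oSite, bFix
bFix = False
If WScript.Arguments.Count > 0 Then bFix = (LCase(WScript.Arguments(0)) = "/fix")

' Service-level values are inherited by every site that does not override them
Set oSvc = GetObject("IIS://LocalHost/W3SVC")
Report oSvc, "W3SVC (service level)"

' W3SVC also has non-site children, so check the class of each one
For Each oSite In oSvc
    If oSite.Class = "IIsWebServer" Then
        Report oSite, "Site " & oSite.Name & " (" & oSite.ServerComment & ")"
    End If
Next

Sub Report(oNode, sLabel)
    Dim nFlags
    nFlags = oNode.PasswordChangeFlags
    WScript.Echo sLabel
    WScript.Echo "  PasswordChangeFlags         = " & nFlags
    WScript.Echo "  PasswordExpirePrenotifyDays = " & oNode.PasswordExpirePrenotifyDays
    WScript.Echo "  PasswordCacheTTL            = " & oNode.PasswordCacheTTL

    If (nFlags And PWD_CHANGE_DISABLED) <> 0 Then
        WScript.Echo "  OK: password change is disabled on this node."
    ElseIf (nFlags And PWD_ALLOW_UNSECURE) <> 0 Then
        WScript.Echo "  WARNING: passwords can be submitted without SSL."
        If bFix Then
            ' Clear only the unsecure bit and keep the other flags
            oNode.PasswordChangeFlags = nFlags And Not PWD_ALLOW_UNSECURE
            oNode.SetInfo
            WScript.Echo "  Fixed: SSL is now required for password change."
        End If
    Else
        WScript.Echo "  OK: password change requires SSL."
    End If
End Sub
```

Run it with cscript from an administrator account; without /fix it only reports and changes nothing.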

Using the ADSI Interfaces provided by IIS:

IIS supports ADSI, which allows access to many directory stores, including Windows NT user accounts. To use the ADSI functions from ASP, you must have administrator privileges. If the server is configured to use Anonymous Access, the ADSI calls will fail.

The following is some sample code to create a new user account, <USERNAME>, with the password, <PASSWORD>, in the group, <GROUP>, and domain, <DOMAIN>:

   ' General Constants
   strDomain ="<DOMAIN>"
   strUser ="<USERNAME>"
   strGroup = "<GROUP>"

   ' Create new user with password
   Set oDomain = GetObject("WinNT://" & strDomain)
   Set oUser = oDomain.Create ("User", strUser)
   oUser.Password = "<PASSWORD>"
   oUser.SetInfo

   ' Add user to specific group
   Set oGroup = oDomain.GetObject("Group", strGroup)
   oGroup.Add ("WinNT://" & strDomain & "/" & strUser) 

NOTE: This sample script only works if you have installed the "winnt://" namespace provider. By default, this provider is not installed on a typical Windows NT 4.0 computer. You can, however, install it by installing the ADSI 2.0 runtime, available at:
http://www.microsoft.com/ntserver/nts/downloads/other/ADSI2/default.asp

For additional information, please see the following article in the Microsoft Knowledge Base:
Q184058 : Password Change Fails Using the IIS 4.0 Change Password Feature

Version           : winnt:4.0
Platform          : winnt 
Issue type        : kbhowto 

Last Reviewed: July 13, 1999