Many IIS users remember that we ship a small web application named IISADMPWD with older versions of IIS (for instance, IIS 5 and IIS 6). This application is a useful utility that lets domain users change their passwords. You may wonder why it is useful when you can easily change your password via a simple Ctrl+Alt+Delete. So let's look at an example.
IISADMPWD in Use
I am currently out of the office and have to check a critical mail via OWA. However, I failed because I forgot to update my old password and it has now expired. (Well, VPN may help a lot, but I just could not access that either.)
Well, my IT department kindly set up IISADMPWD in this case, so that I can enter such a page to change my password. Now OWA works and I can read the important mail. Cheers!
IISADMPWD Setup (for IIS 5/6)
You can learn about how to set up such a web application on IIS 5 and 6 by referring to the following KB articles,
Tony DeCock has a great article here that discusses various problems you might come across,
IISADMPWD on IIS 7
The IISADMPWD function is no longer included in IIS 7, so the IISADMPWD directory is not present in a clean install of Windows Server 2008. So apart from using VPN, is there a way to change my password in an emergency? A small experiment reveals that we may use IISADMPWD if we have a copy of it from a Windows Server 2003 box and treat it as an ASP/COM application. The workaround steps follow for your reference.
1. Copy the folder from Server 2003 box to Server 2008 box. In my case, I still use the path C:\Windows\system32\inetsrv\Iisadmpwd on Server 2008.
2. Register the IISpwchg.dll file in the Iisadmpwd directory:
1. Open an elevated command prompt.
2. In the Open box, type the following, and then press ENTER:
3. Configure the PasswordChangeFlags property in the metabase to make sure that the Password Change functionality is enabled:
1. Open an elevated command prompt.
2. Locate the C:\Inetpub\Adminscripts directory (make sure that you have IIS 6 Scripting Tools feature turned on).
3. Type the following command, and then press ENTER:
cscript.exe adsutil.vbs set w3svc/passwordchangeflags Value
Note In this sample command, Value is a placeholder for the value that you want to set for the PasswordChangeFlags property.
4. The following list includes the possible values for the PasswordChangeFlags property. You can use a combination of these values.
· 0: This is the default value. This value indicates that you must use a Secure Sockets Layer (SSL) connection when you change the password.
· 1: This value permits password changes on non-secure ports. This value is useful if SSL is not enabled.
· 2: This value disables the Password Change functionality.
· 4: This value disables the advance notification of password expiration.
5. Create an application for the Iisadmpwd directory:
· Open IIS Manager, and in the left panel right-click the Default Web Site node.
· Choose Add Application. In this dialog, type an alias (I use IISADMPWD) and the path (C:\Windows\system32\inetsrv\Iisadmpwd). Then click Select... button to choose a suitable application pool. (Remember that you can refer to Tony's article for details.) Click OK twice and we are done.
Now you can access the password change page by navigating to http://<server>/iisadmpwd/aexp4b.asp (or https, depending on your choice in step 4).
If you only own a copy of x86 Server 2003 while the Server 2008 box you are using is x64, then the above steps need a few changes. First, you must copy the folder to the %windir%\SysWOW64\inetsrv folder. This path is then used in the following steps. Finally, the application must run in a 32-bit application pool.
Hope this helps.
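Because the PasswordChangeFlags values in step 4 can be combined, it helps to decode whatever number is actually set before exposing the page. The following PowerShell function is an added example, not part of the original article or of IIS; the function name and finding texts are hypothetical, and the bit meanings are taken only from the list in step 4.

```powershell
# Added example: decode a PasswordChangeFlags value and report what it implies.
# Get-PasswordChangeFlagsReport is a hypothetical helper name, not an IIS cmdlet.
function Get-PasswordChangeFlagsReport {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 2147483647)]
        [int]$Value
    )

    # Bit meanings as listed in step 4 of the article.
    $allowInsecure  = ($Value -band 1) -ne 0   # 1: password changes permitted on non-secure ports
    $disabled       = ($Value -band 2) -ne 0   # 2: Password Change functionality disabled
    $noExpiryNotice = ($Value -band 4) -ne 0   # 4: advance expiration notification disabled
    $unknownBits    = $Value -band (-bnot 7)   # bits the article does not describe

    $findings = @()
    if ($disabled) {
        $findings += 'Password Change is disabled (bit 2).'
        if ($allowInsecure) {
            # Reading the list at face value: a disabled feature makes bit 1 moot.
            $findings += 'Bit 1 is also set; review it before re-enabling the feature.'
        }
    } elseif ($allowInsecure) {
        $findings += 'RISK: old and new passwords may be sent over a non-SSL connection (bit 1).'
    } else {
        $findings += 'SSL is required for password changes.'
    }
    if ($noExpiryNotice) { $findings += 'Advance notification of password expiration is off (bit 4).' }
    if ($unknownBits -ne 0) { $findings += "Bits not covered by the article are set: $unknownBits" }

    New-Object PSObject -Property @{
        Value         = $Value
        RequiresSsl   = (-not $allowInsecure)
        Enabled       = (-not $disabled)
        ExpiryNotice  = (-not $noExpiryNotice)
        Findings      = $findings
    }
}

# Constructed sample values, including combinations and one out-of-range bit.
0, 1, 3, 4, 5, 8 | ForEach-Object { Get-PasswordChangeFlagsReport -Value $_ } |
    Format-List Value, RequiresSsl, Enabled, ExpiryNotice, Findings
```

The current value can be read with `cscript.exe adsutil.vbs get w3svc/passwordchangeflags` from the same Adminscripts directory and passed to the function as `-Value`.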
NOTE: The IISADMPWD function is not included in IIS 7 any more. This procedure for enabling IISADMPWD on IIS 7 is provided "AS IS" with no warranties, and confers no rights.
More official information about IISADMPWD support on IIS 7 is mentioned in this article,
Another update: the ASP role service is not installed on Windows Server 2008 by default, but it is required by this workaround. Therefore, if you get 404.3 errors when navigating to those ASP pages, please go to Server Manager and install the ASP role service.
I believe the script to change the password flags needs to have THIS syntax:
I like the aexp4b.asp site as it automatically inputs the domain. If I set passwordchangeflags to 0, as soon as I click OK after entering the password info, the site warns me that it will send the info unencrypted. Then, after clicking OK, I get a 403 Access Denied page.
If I use the aexp2.asp page, I have to enter the domain manually, but the entire process stays over SSL and I get no error. Any way to get this to work with aexp4b.asp?
Well, never mind. I used aexp2b.asp and it works great.
Do you have any ideas for the issue "object required" after we submit the password change request? Thanks