Hello Evan,

I think this is what you're after...

Below is some code for changing (expired) passwords through a web form which I've written for our Intranet. It's dirty code, but it does the job... Note wrapping may have occurred when posting.

************************************
Const ADS_SECURE_AUTHENTICATION = 1

user = Request.Form("username")
oldpass = Request.Form("passwordold")
newpass1 = Request.Form("passwordnew1")
Domain = "YOURDOMAIN"

' Check if account is locked...
Set oUser = GetObject("WinNT://" & Domain & "/" & user)
If oUser.IsAccountLocked Then
    ' Redirect from the script itself: Response.Redirect would discard the alert
    Response.Write "<script language=""JavaScript"">window.alert('Your user account is locked due to at least x invalid login attempts.');window.location.href='/login.asp';</script>"
    Response.End
End If
' Set oUser = Nothing

' Find LDAP path: translate DOMAIN\user (NT4 name) into a distinguished name
Set oNet = CreateObject("Wscript.Network")
Set oTrans = CreateObject("NameTranslate")
oTrans.Init 1, Domain               ' 1 = ADS_NAME_INITTYPE_DOMAIN
oTrans.Set 3, Domain & "\" & user   ' 3 = ADS_NAME_TYPE_NT4
sAdsPath = oTrans.Get(1)            ' 1 = ADS_NAME_TYPE_1779 (distinguished name)
Set oNet = Nothing
Set oTrans = Nothing
' Response.Write "LDAP path: " & sAdsPath

' Change password
On Error Resume Next
Dim dso
Dim u
Set dso = GetObject("LDAP:")
' Binds with a service account; adminuser/adminpass are placeholders
Set u = dso.OpenDSObject("LDAP://" & sAdsPath, Domain & "\adminuser", "adminpass", ADS_SECURE_AUTHENTICATION)
u.ChangePassword oldpass, newpass1
Set u = Nothing
Set dso = Nothing
If Err Then
    AdsiErr()
Else
    Response.Write "Change successful..."
    Response.End
End If

' Map the ADSI error number to a message for the user
Sub AdsiErr()
    Dim e
    e = Err.Number
    h = Hex(e)
    If h = "80005000" Then
        Response.Write "An invalid ADSI pathname was passed. "
    ElseIf h = "1A8" Then
        ServerName = Request.ServerVariables("SERVER_NAME")
        Response.Write "<font color=red><b>The web server " & Server.HTMLEncode(ServerName) & " does not have permission to change passwords using HTML mode. In order to be granted this permission, the web server must be a domain controller in the " & Domain & " domain or this .asp script must be served by a domain admin account instead of the IUSR_<I>MachineName</I> account.</b></font>"
        Response.Write "<br><br><a href='JavaScript:history.go(-1);'><b>Click here to try again...</b></a>"
    ElseIf h = "800041E4" Then
        Response.Write "<font color=red><b>Username not found.</b></font>"
        Response.Write "<br><br><a href='JavaScript:history.go(-1);'><b>Click here to try again...</b></a>"
    ElseIf h = "8007052F" Then
        Response.Write "<font color=red><b>Your password could not be changed. Each password must be used for at least x days.</b></font>"
        Response.Write "<br><br><a href='/login.asp'><b>Click here to go back to the login page...</b></a>"
    ElseIf h = "80070056" Then
        ' The user name comes from the form, so encode it before echoing it into a link
        Response.Write "<font color=red><b>The username or old password is incorrect. <P> <A HREF=""chgpass.asp?username=" & Server.URLEncode(user) & """>Please try again.</A></b></font>"
    ElseIf h = "800708C5" Then
        Response.Write "<font color=red><b>The new password does not meet the password policies. The password may be too short or you have already used this password recently. <P> <A HREF=""chgpass.asp?username=" & Server.URLEncode(user) & """>Please try again.</A></b></font>"
    Else
        Response.Write "<font color=red><b>Unable to change password. Debugging information:<P>"
        Response.Write "Unexpected Error " & e & " (" & Hex(e) & ")"
        Response.Write "<br><br><a href='JavaScript:history.go(-1);'><b>Click here to try again...</b></a></b></font>"
    End If
End Sub
************************************

Be aware that you'll have to run the .asp page under a domain account that has specific permissions in Active Directory to make password changes. You can alter this via the IIS MMC console.

Kind regards,
Frederic

-----Original Message-----
From: Evan Mann [mailto:emann@xxxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, 11 March 2004 1:05
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: Changing NT password through an SSL website

Hoping someone has seen someone do this or knows of a way to do this.

A large number of my users are not connected to the domain. This makes it difficult to enable GPOs for expiring passwords every 90 days because their ONLY interaction with something that can talk to the domain is via websites that require auth (NT Auth).

What I ideally want is to be able to set the password age in the GPO and every time they auth to the website, it will check to see if that parameter has been met, and if so, prompt them to change their password, and then let them into the website.

If this cannot be done, my next step would be to manually set the "user must change password at next logon" field and have something that checks against this field every time they try to auth to a website.

This would be done via SSL so there are no plain text passwords. It would obviously have to be some kind of application/ISAPI/ASP/whatever that runs as the actual auth, instead of relying on the IIS auth. I'm just not sure if something exists, or can be coded to do this.

********************************************************
This week's sponsor Emergent Online.
Emergent OnLine is the leading server-based computing consulting integration firm in the nation. Emergent OnLine delivers expert consulting services you can depend on.
http://www.go-eol.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
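
The check asked for in the original message (has the password aged past the policy, or is "user must change password at next logon" set?) can be decided at login from three Active Directory attributes: pwdLastSet, maxPwdAge and userAccountControl. The following is an added example, not part of either post: it is Python rather than ASP so that it runs offline, the attribute values are constructed, and `password_state`, `next_page` and the sample accounts are hypothetical names; `chgpass.asp` is the page name used in the code above.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl bit: password never expires
NO_EXPIRY = -(1 << 63)               # maxPwdAge value meaning "passwords never expire"
TICK = timedelta(microseconds=1)     # ten 100-ns FILETIME units


def to_filetime(dt):
    """datetime -> 100-ns intervals since 1601-01-01 UTC (used to build the samples)."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10


def password_state(pwd_last_set, max_pwd_age, uac, now):
    """Return (state, expiry); state is 'ok', 'must_change' or 'expired'."""
    if uac & UF_DONT_EXPIRE_PASSWD:            # exempt accounts are never prompted
        return "ok", None
    if pwd_last_set == 0:                      # "User must change password at next logon"
        return "must_change", None
    if max_pwd_age in (0, NO_EXPIRY):          # 0 also treated as "no expiry" (assumption)
        return "ok", None
    # maxPwdAge is stored as a negative interval, so subtracting it adds the age.
    expiry = FILETIME_EPOCH + ((pwd_last_set - max_pwd_age) // 10) * TICK
    return ("expired" if now >= expiry else "ok"), expiry


def next_page(state, username):
    """Where the login handler sends the user; None means let them in."""
    if state in ("must_change", "expired"):
        return "chgpass.asp?username=" + quote(username, safe="")
    return None


# Constructed sample: 90-day policy, evaluated on 11 March 2004.
NOW = datetime(2004, 3, 11, tzinfo=timezone.utc)
MAX_AGE_90D = -90 * 86400 * 10**7
SAMPLES = {
    "alice": (to_filetime(datetime(2003, 12, 1, tzinfo=timezone.utc)), 0x200),
    "bob": (to_filetime(datetime(2004, 2, 1, tzinfo=timezone.utc)), 0x200),
    "carol": (0, 0x200),
    "svc web": (to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc)), 0x10200),
}

if __name__ == "__main__":
    for name, (last_set, uac) in SAMPLES.items():
        state, expiry = password_state(last_set, MAX_AGE_90D, uac, NOW)
        print(name, state, expiry, next_page(state, name))
```

The login handler would call `password_state` after a successful authentication and before granting access, so an expired account reaches only the change-password page.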