Changing password from web

From: Kim Christiansen (kcn@carlbro.com)
Date: 11/28/01 

Message-Id: <01Nov28.112145cet.119055@gateway1.carlbro.dk>
From: Kim Christiansen <kcn@carlbro.com>
To: focus-ms@securityfocus.com
Subject: Changing password from web
Date:  Wed, 28 Nov 2001 11:21:45 +0100

Hi

I have a standalone w2k server w/ SP2 and relevant hotfixes.

My problem is that I want users to change their password via a
webapplication. I have choosen (well...rather dictated) to use the Persist
ASPUser component and no problems there, it all works until I apply our
webserver security template.

Somewhere or somehow the users are not allowed to change their password. I
have tried to give them log on locally, log on as batch job, log on from
network, made them members of Administratorss but nothing works I'm just
told that the privilege is not held by the client.

I tried to search on Technet and I found a couple of articles that told me
to allow the Everyone builtin group to change password but the articles only
apply to active directory and don't show how to change this on a standalone
server

Well as written above it's most likely the security template that causes the
problem but I haven't been able to locate which setting that causes the
problem.

Please share some insight on where I can change this behavier or tell me
which entry in in the template that is the problem.

Thanks
k|m

Here's the template:
START+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 5
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[System Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 0
RetentionDays = 7
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 0
RetentionDays = 7
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 0
RetentionDays = 7
RestrictGuestAccess = 1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
CrashOnAuditFull = 0
[Profile Description]
Description=Webserver with basic security configuration
[Registry Values]
machine\system\currentcontrolset\control\print\providers\lanman print
services\servers\addprinterdrivers=4,1
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon=4,0
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername=4,0
machine\software\microsoft\windowsnt\currentversion\winlogon\allocatedasd=1,
0
MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\DisableWebPrinting=4,
1
[Privilege Rights]
sebackupprivilege = *S-1-5-32-544
secreatepagefileprivilege = *S-1-5-32-544
sedebugprivilege = *S-1-5-32-544
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544
sesecurityprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege = SYSTEM
[Service General Setting]
1="cisvc", 4,
"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCS
WLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO
;;;WD)"
2="dhcp", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPW
PDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
3="fax", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPW
PDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
4="licenseservice", 4,
"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(
AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
5="lmhosts", 4,
"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(
AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
6="mnmsrvc", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPW
PDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
7="ntmssvc", 4,
"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(
AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
8="remoteregistry", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPW
PDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
9="scarddrv", 4,
"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCS
WLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO
;;;WD)"
a="scardsvr", 4,
"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(
A;;CCLCSWRPLORC;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
b="seclogon", 4,
"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(
AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
c="sharedaccess", 4,
"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCS
WLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO
;;;WD)"
d="smtpsvc", 4,
"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(
AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
e="spooler", 3,
"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(
AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
f="tapisrv", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPW
PDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"