Re: IISADMPWD solution for AD expired password ?



Thank you.

I am glad to hear that I am using the right method for my needs.

I have found some sample code on an MSDN blog about the queries to find expiring passwords (but I will not forget to see what your book proposes too :))

If I have understood what you said correctly, it is not possible for a user to change his password if it has expired? (because you said you developed a two-factor auth for that need).

What I don't really like in "my" solution is that users will connect to the IISADMPWD in a DMZ zone. So I will need to allow network access from the IIS server in the DMZ to a DC in our LAN :-(

Thank you Joe :)

We do something very similar internally for users that are not domain joined and don't get the standard password expiration notification. We send out an email and direct them to a website that allows pwd change. We use custom functionality instead of IISADMPWD, but the basics are similar.

This is for password change though, not for self-service password reset. Those are different use cases. If the user needs a password reset due to expiration or simply a forgotten pwd, then we send them to a different site. This site authenticates them using either two-factor auth (SecurID token) or via challenge/response questions and then uses a privileged service account to perform the password reset like an administrator would.

We find we need both solutions.

There is also a sample in ch 10 of my book that shows some examples of executing queries to find expiring passwords in certain date ranges.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.6bbe7d7c88194d34.70874@xxxxxxxxxxxxxxxxxxxxx
Thank you Joe for that information.
I would really appreciate it if you could give me your point of view about this situation (and if you can confirm that I have "the right solution").

We have an Active Directory domain with a web server hosting a web application used by internal users and International users. Those International users are connecting from various locations (no ADFS possible).

International users have accounts in our AD BUT they never open a session in this domain. (They are just using this login/password for accessing some resource in our Active Directory.)
Actually, we have to set the "Password never expires" option on each International user's account because of the password policy in use in our domain.

We want to find a way to let International users reset their passwords every 90 days remotely.

For that, we want to send them an email 1 week before the expiration date of the password.
Then, the users will have to connect to an IIS website with IISADMPWD installed (through HTTPS and a commercial certificate).
They will then be able to change their passwords.

Do you think it is a good method?

Thank you again for sharing your knowledge Joe :)

Regards


-- Pascal



--
Pascal
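The thread's procedure has two technical pieces: working out when an AD password expires (Pascal's 90-day policy, with the "Password never expires" flag currently set on the International accounts) and finding the accounts that expire within the next week so the warning e-mail can go out. The block below is an added example, not code from the thread, from Joe's book or from the MSDN blog Pascal mentions. It uses the real attribute names (pwdLastSet, maxPwdAge, userAccountControl), the real "Password never expires" bit (0x10000) and the real LDAP bitwise-AND matching rule OID; the sample accounts, the clock value and the 90-day policy are constructed inline so it runs offline.

```python
# Added example (not from the thread, Joe's book or the MSDN sample):
# compute Active Directory password expiry from pwdLastSet and the domain's
# maxPwdAge, classify accounts, and build the LDAP filter that selects the
# accounts to warn N days before expiry.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl bit "Password never expires"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
NO_MAX_AGE = -0x8000000000000000         # maxPwdAge value meaning "passwords never expire"
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a 64-bit count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def max_pwd_age_for_days(days: int) -> int:
    """maxPwdAge on the domain head is stored as a *negative* tick count."""
    return -days * TICKS_PER_DAY


def password_expiry(pwd_last_set: int, uac: int, max_pwd_age: int):
    """Return the expiry datetime, or None when the password never expires."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NO_MAX_AGE):
        return None
    if pwd_last_set == 0:                 # "must change at next logon": already due
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set - max_pwd_age)   # minus a negative age


def classify(user: dict, max_pwd_age: int, now: datetime, warn_days: int) -> str:
    exp = password_expiry(user["pwdLastSet"], user["userAccountControl"], max_pwd_age)
    if exp is None:
        return "never"
    if user["pwdLastSet"] == 0:
        return "must_change"
    if exp <= now:
        return "expired"
    if exp <= now + timedelta(days=warn_days):
        return "expiring"
    return "ok"


def days_until_expiry(user: dict, max_pwd_age: int, now: datetime) -> int:
    """Whole days left (negative when already expired); only for expiring passwords."""
    exp = password_expiry(user["pwdLastSet"], user["userAccountControl"], max_pwd_age)
    return (exp - now).days


def expiring_window(max_pwd_age: int, now: datetime, warn_days: int):
    """pwdLastSet bounds (FILETIME) for passwords expiring in [now, now + warn_days].

    expiry = pwdLastSet + |maxPwdAge|, so expiry in [now, now + warn]
    <=> pwdLastSet in [now - |maxPwdAge|, now + warn - |maxPwdAge|].
    """
    age = timedelta(microseconds=(-max_pwd_age) // 10)
    lo = datetime_to_filetime(now - age)
    hi = datetime_to_filetime(now + timedelta(days=warn_days) - age)
    return lo, hi


def expiring_soon_filter(max_pwd_age: int, now: datetime, warn_days: int) -> str:
    """LDAP filter for the warning e-mail run. Accounts flagged 'never expires'
    are excluded with the bitwise-AND rule; pwdLastSet=0 falls below the lower bound."""
    lo, hi = expiring_window(max_pwd_age, now, warn_days)
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_EXPIRE_PASSWD}))"
        f"(pwdLastSet>={lo})(pwdLastSet<={hi}))"
    )


# Constructed sample data (not real directory contents): a fixed clock, the
# 90-day policy from the thread, and five accounts in different states.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = max_pwd_age_for_days(90)


def _set_days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": _set_days_ago(85), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "pwdLastSet": _set_days_ago(30), "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "pwdLastSet": _set_days_ago(400), "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "dave", "pwdLastSet": _set_days_ago(95), "userAccountControl": 0x200},
    {"sAMAccountName": "eve", "pwdLastSet": 0, "userAccountControl": 0x200},
]


def accounts_to_warn(users, max_pwd_age=MAX_PWD_AGE, now=NOW, warn_days=7):
    return [u["sAMAccountName"] for u in users
            if classify(u, max_pwd_age, now, warn_days) == "expiring"]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], classify(u, MAX_PWD_AGE, NOW, 7))
    print(expiring_soon_filter(MAX_PWD_AGE, NOW, 7))
```

Two things follow from the arithmetic. The filter deliberately excludes accounts carrying the "Password never expires" bit, so the International accounts will only ever appear in the warning run once that flag is cleared, which is what the 90-day rotation Pascal describes requires anyway. And the age used here is the domain-wide maxPwdAge; if the domain uses fine-grained password policies (msDS-PSO objects), the account's resultant policy is what applies, and the window has to be computed per policy rather than once for the whole domain.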

