Windows Tips &amp Tricks UPDATE, April 26, 2004, —brought to you by the Windows &amp .NET Magazine Network and the Windows 2000 FAQ site
http://www.windows2000faq.com


This Issue Sponsored By

PowerPack from IBM: Evaluate IBM Software
http://www.ibm.com/vrm/software/powerpack/winnetmagtips

Postini Perimeter Manager
http://www.winnetmag.com/seminars/emailsecurity/


Sponsor: PowerPack from IBM: Evaluate IBM Software

Sign up for the PowerPack of your choice (based on your development role or software tools of interest), and we'll send you the latest IBM evaluation software on DVD at no charge. Choose from eight different PowerPack tracks depending on your interest area: .NET Developer, Java Platform Developer, Embedded Developer, Software Architect, Project Manager, Senior Decision Maker, Analyst, and Tester. Over the next three weeks, we'll also provide you with a customized collection of technical resources to help you evaluate IBM software development tools, including technical articles, demos, online tutorials, Webcasts, whitepapers, posters, and more. View what you want. Evaluate what you need. Explore your technical interests.
http://www.ibm.com/vrm/software/powerpack/winnetmagtips


FAQs

  • Q. Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?
  • Q. How can I create a Web page where users can change their passwords?
  • Q. How can I control access to the IISADMPWD virtual directory?
  • Q. How can I enable the RAS Dial-in tab on Windows XP computers that run Administration Tools?
  • Q. How can I create a default DNS entry?

Commentary
by John Savill, FAQ Editor, jsavill@winnetmag.com

This week, I tell you how to enable the Internet Information Services (IIS) 6.0 Web administration tools so you can provide a Web page where users can change their passwords, and I provide an Active Server Pages (ASP) script that you can use to create your own Web page for the same purpose. I also explain how to control access to the IISADMPWD virtual directory, how to enable the RAS Dial-in tab on Windows XP computers that run Administration Tools, and how to create a default DNS entry.


Sponsor: Postini Perimeter Manager

Learn from a real world case study given by one of your IT colleagues on how he reduced spam and viruses and improved his email security and productivity. You'll get the inside scoop on how Enterprise Rent-A-Car evaluated and selected a managed service solution to protect its email system. Then hear email expert Scott Petry describe the merits of the "preemptive" email security approach, as well as the latest trends in spam and virus attacks. Register today to learn more about choosing the right anti-spam solution for your organization.
http://www.winnetmag.com/seminars/emailsecurity/


FAQs

Q. Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?

A. The version of Internet Information Services (IIS) 6.0 that ships with Windows 2003 includes some Web-administration tools that are disabled by default. To enable the tools, perform the following steps:

  1. Start the Microsoft Management Console (MMC) IIS Management snap-in by clicking Start, Programs, Administrative Tools, Internet Information Server (IIS) Management.
  2. Navigate to Web Sites, Default Web Site.
  3. Right-click Default Web Site. Select New, then select Virtual Directory. You'll see the Virtual Directory Creation Wizard Welcome screen.
  4. Click Next.
  5. Enter an alias of IISADMPWD and click Next.
  6. For the actual publish folder value, enter C:\windows\system32\inetsrv\iisadmpwd (where C:\windows is the directory in which Windows is installed). Click Next.
  7. For virtual directory permissions, select the Read and Run scripts check box, if it isn't already selected. Click Next.
  8. Click Finish.

You can access the new interface at http:///iisadmpwd/aexp2.asp to change a local account password or at http:///iisadmpwd/aexp2b.asp to change a domain password. The figure at Figure 1 shows a sample Web interface for changing a domain password.

Q. How can I create a Web page where users can change their passwords?

A. You can write an Active Server Pages (ASP) script that creates a password-change Web page. ASP gives you complete access to Microsoft Active Directory Service Interfaces (ADSI), which lets you perform a variety of functions, such as changing passwords or creating accounts. When you write such a script, you must consider factors such as the user account under which the script will run and the permissions you want to use when the script runs. The basic ADSI command to change a user's password is

set usr = GetObject("LDAP://CN=John
Savill,CN=Users,DC=savilltech,DC=com")
usr.put "userPassword", NewPassword

The first line (shown as two lines because of space constraints) assigns a handle to user John Savill in domain savilltech.com. The next line puts the text NewPassword into the userPassword attribute.

I've written a short ASP script that prompts the user to enter a username and password (remember to change the domain from savilltech.com to your domain). The script, which is available at Code, is listed below.

 &lt%
strUserCN = request.form("cn")
strNewPassword = request.form("newpass")
strPassVerify = request.form("passverify")

if strUserCN="" then
    response.write "&lthtml&gt&lthead&gt&lttitle&gtChange Password&lt/title&gt&lt/head&gt&ltbody&gt"
    response.write "&ltcenter&gt&lth1&gtWeb Password Reset&lt/h1&gt&lt/center&gt"
    response.write "&lthr&gt&ltbr&gt&ltbr&gt&ltform method=post action=changepass.asp&gt&lttable&gt"
    response.write "&lttr&gt&lttd&gtCN: &lt/td&gt&lttd&gt&ltinput type=text name=cn&gt&lt/td&gt&lttr&gt"
    response.write "&lttr&gt&lttd&gtNew Password: &lt/td&gt&lttd&gt&ltinput type=password name=newpass&gt&lt/td&gt&lt/tr&gt"
    response.write "&lttr&gt&lttd&gtVerify Password: &lt/td&gt&lttd&gt&ltinput type=password name=passverify&gt&lt/td&gt&lt/tr&gt"
    response.write "&lttr&gt&lttd colspan=2 align=center&gt&ltinput type=submit value='Reset Password'&gt&lt/td&gt&lt/tr&gt"
    response.write "&lt/table&gt&lt/body&gt&lt/html&gt"
    response.end
else

if strNewPassword = strPassVerify then

set usr = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=savilltech,DC=com")

usr.put "userPassword", strNewPassword

response.write "&lthtml&gt&lthead&gt&lttitle&gtResults&lt/title&gt&lt/head&gt&ltcenter&gt&lth1&gtUpdate Results&lt/h1&gt&lt/center&gt&lthr&gt&ltbr&gt&ltbr&gt"
response.write strUserCN & ": password was successfully updated"
response.end

else

    response.write "&lthtml&gt&lthead&gt&lttitle&gtError!&lt/title&gt&lt/head&gt&ltbody&gt"
    response.write "&ltcenter&gt&lth1&gtAn Error Has Occurred!&lt/h1&gt&lt/center&gt"
    response.write "&lthr&gt&ltbr&gt&ltbr&gt"
    response.write "The password and confirmation do not match. Please go back and try again."
    response.end

end if
end if
%&gt

Windows Server 2003 provides its own Web pages for password changes, which I discuss in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?". However, you might find the sample ASP script useful for creating password-change interfaces on your own Web pages or sites.

Q. How can I control access to the IISADMPWD virtual directory?

A. When you use the default IISADMPWD virtual directory to enable a Web page where users can change passwords, as I discussed in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?", the Microsoft IIS server sends the user's password information unencrypted over the network, which creates a security risk. To avoid transmitting unencrypted passwords, you must enable Secure Sockets Layer (SSL) by following these steps:

  1. Start a command prompt by clicking Start, Run and typing cmd.exe
  2. Navigate to the C:\Inetpub\Adminscripts directory.
  3. At the command prompt, type adsutil.vbs set w3svc/1/PasswordChangeFlags 0 This command runs the adsutil.vbs script, which sets the password change option (specified by the PasswordChangeFlags value). The w3svc/1 parameter means the first default Web site; 0 means SSL is required. Setting the PasswordChangeFlags value to 1 specifies that SSL isn't used. (Setting the value to 2 disables the user's ability to change the password.)
  4. Restart the IIS server to effect the change.

Q. How can I enable the RAS Dial-in tab on Windows XP computers that run Administration Tools?

A. To enable the RAS Dial-in tab in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on an XP machine that runs the Administration Tools distribution package (Adminpak.msi), perform the following steps:

  1. Create a registry file called dialin.reg. To do this, open a new file in a text editor such as Notepad, copy and paste the following text in the file, and name it dialin.reg:
    Windows Registry Editor Version 5.00

    \[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt\]
    @=""

    \[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt\CLSID\]
    @="\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3\}"

    \[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt.1\]
    @=""

    \[HKEY_CLASSES_ROOT\RasDialin.UserAdminExt.1\CLSID\]
    @="\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3\}"

    \[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\\{19195a5b-6da0-11d0-afd3-00c04fd930c9\}\Extensions\NameSpace\]
    "\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3\}"="RAS Dialin - User Node Extension"
  2. Merge dialin.reg with your XP registry, or run the following command from the command prompt:  regedit /s dialin.reg
  3. Open a command prompt in XP and type the following commands, where ServerName is a Windows Server 2003 domain controller (DC) that has Adminpak.msi installed:
    cd /d %SystemRoot%\System32
    copy \\ServerName\Admin$\System32\mprsnap.dll *.*
    copy \\ServerName\Admin$\System32\rasuser.dll *.*
    copy \\ServerName\Admin$\System32\rtrfiltr.dll *.*
    regsvr32 rasuser.dll
  4. Click OK to acknowledge the registration of the rasuser library. Your remote XP system should now have the RAS Dial-in tab.

Thanks to reader Bob Kroeger for providing this tip in response to the FAQ, "I use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in from a remote computer. I've noticed that certain Property tabs are missing. Can I restore the tabs?", at http://www.winnetmag.com, InstantDoc ID 42256.

Q. How can I create a default DNS entry?

A. If you want DNS to return a particular IP address when no host record exists for a queried address, create a host record with a name of "*" (an asterisk) and assign to the host record the IP address you want DNS to return as the default. One common use for a default DNS entry is when you have many different Web servers and you want a Web server to display a default page when a user incorrectly enters a server name.

Announcements
(from Windows &amp .NET Magazine and its partners)

  • Try a Sample Issue of Exchange & Outlook Administrator!

  • If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!
    http://www.exchangeadmin.com/rd.cfm?code=fsep234xup

  • Discover the Basics of Active Directory Fundamentals

  • In this free Web seminar, we'll look at the logical concepts as they relate to domain, trees, and forests and the physical concepts of domain controllers and sites. We'll also explain the relationship between Active Directory and the Domain Naming Service, as well as cover some operation functions. Register now!
    http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032246759&culture=en-us

    Events Central
    (A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

  • Sign Up for 2 Great Roadshows About Security and Exchange

  • Don't miss 2 free roadshow tours covering hot security and Exchange topics. Learn how to simplify your life with Windows Server 2003 and Exchange Server 2003 and protect your infrastructure and applications against security threats. Coming to your city soon. Register now!
    http://www.winnetmag.com/roadshows

    Sponsored Links

  • Argent
    Comparison Paper: The Argent Guardian Easily Beats Out MOM

  • http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

  • Microsoft(R) TechNet

  • Microsoft(R) TechNet Webcasts: essential guidance, industry experts
    http://ad.doubleclick.net/clk;7759917;8214395;c?http://www.microsoft.com/technet/community/webcasts/default.mspx

  • Microsoft Security

  • Knowledge Improves Security. Visit www.securitywhitepaper.com.
    http://ad.doubleclick.net/clk;7836244;8214395;r?http://ad.doubleclick.net/clk;7812558;9026172;o?http://www.securitywhitepaper.com/default.asp?id=wn5548

    Contact Us
    Here's how to reach us with your comments and questions:

    This weekly email newsletter is brought to you by Windows &amp .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
    http://www.winnetmag.com/sub.cfm?code=wswi201x1z

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email