EduGeek Self Service Password Reset (thread in Projects)
  1. #91


    create a “reset password” button on the login desktop

    As promised, here's how to create a “reset password” button on the login desktop, so that users who forgot their password, and therefore cannot log in, are still able to access the password-reset website. For the actual password resetting we use the “Self Service Password Reset” free software by Ben "Plexer" Norcutt and Alex "Irazmus" Kitching which can be found here:
    http://edugeek.net/forums/showthread.php?t=2022&page=8
    This article only shows how to create a “reset password” button on the login desktop which opens your password reset page once you set up “Self Service Password Reset”.


    The most difficult part is getting something to show on the login desktop. Windows uses the concept of Windowstations and Desktops. The screen you see before anyone has logged in to the computer, called WinSta0\WinLogon, is a different desktop in a different Windowstation than the desktop you see after someone has logged in, called WinSta0\Default. These Desktops/Windowstations are completely separated and programs running in one desktop cannot access programs on another desktop.
    Also, to run anything on the login desktop you need certain privileges (rights) which normally only the SYSTEM account has.

    Fortunately there is the utility RunProcess.exe by Frank P. Westlake which among many other cool things allows you to start a process on any windowstation/desktop if you have the appropriate privileges. You can download it here: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7127

    Next, we need to create a windows service to run our program. Why? Firstly because we need the appropriate privileges and a service running under the system account has these. Secondly we want our program to start without anyone having to login. This is what services are for.
    Since, like most programs that require user interaction, the actual program which will present the reset button does not support running as a service, we will create a “wrapper service” which will load our program. This is NSSM: The Non-Sucking Service Manager
    http://iain.cx/src/nssm/

    Finally there’s the actual program which does nothing more than show a button which opens your password reset page in Internet explorer. It’s a simple compiled AutoIt script, source code included.

    There are some security issues you should be aware of. This system runs Internet explorer under the SYSTEM account which has full administrative access to anything on your computer! Should a user be able to browse to a malicious site in this browser then the results might be disastrous. We need to limit what a user can do and where he can surf on the computer where this system runs.

    First we will use Internet explorer’s content rating system to make your password reset website the only website users are allowed to visit. They cannot visit any other websites unless they know the Parental control password. (Default is “w3lk0m”). This is done by copying a ratings file (lockdown.rat) to the system directory and importing some registry entries from the file “pwreset.reg”.
    IMPORTANT: you must first edit the file pwreset.reg with notepad and replace any instance of “yourdomain.com” with the URL/domain of your choice.
    Secondly we need to disable all unwanted toolbars, buttons etc. in Internet explorer. You could use Group Policy to do this, or you could manually double click the file ie-restrictions.reg which is just a sample of what you could do. The installer does not do this, it’s your choice.
    Finally, as said above, this system runs Internet explorer under the SYSTEM account which has full administrative access. But we can take away these rights for just the Internet explorer without restricting the SYSTEM account (which would probably break your computer) by using Software restriction policies. To do this, enable SAFER technology by creating the following registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    Key: "Levels" (REG_DWORD)
    Value: 00031000
    Or just double click “safer.reg”.
    Then open the (local) Group Policy editor by typing “gpedit.msc” in Start/Run.
    Under “Computer configuration” go to Windows settings/Security Settings/Software Restriction Policies/Security Levels. You should see 5 trust levels: Disallowed, Untrusted, Restricted, Basic user and Unrestricted.
    Now go to Windows settings/Security Settings/Software Restriction Policies/Additional Rules, right-click and create a new “Path Rule”. Enter the path to iexplore.exe for ie:
    “C:\Program Files\Internet Explorer\iexplore.exe”. Set the security level to Basic user, or Restricted if you want guest-level access for IE. Now IE will ALWAYS run with limited rights, regardless of which user executes it (even Administrator or SYSTEM).

    To make setting all this up easier I have created install.cmd which does most of the work to install this. Only the restricting of IE’s user interface and the creation of a software restriction policy has to be done manually.
    Attached Files

  2. 4 Thanks to rvdmast:

    Freedom (29th January 2008), Irazmus (24th January 2008), plexer (25th January 2008), RoyaMarie (5th November 2013)
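
    An added example (not part of the original post or of the SSPR project): a Python check over a regedit export that decodes the Levels value from the how-to above and confirms the iexplore.exe path rule sits at Basic user or Restricted. The sample export, its placeholder GUID and the `<level id>\Paths\{GUID}` / `ItemData` layout used to locate the rule are assumptions of this example; the Levels value is read as hexadecimal, as in a .reg dword.

```python
import re
# SAFER level ids as defined in winsafer.h (SAFER_LEVELID_*).
LEVELS = {0x00000: "Disallowed", 0x01000: "Untrusted", 0x10000: "Restricted",
          0x20000: "Basic User", 0x40000: "Unrestricted"}

# Constructed sample: excerpt of a regedit export taken after the how-to steps.
# The GUID is a placeholder and the Paths/ItemData layout is an assumption.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00031000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{00000000-0000-0000-0000-000000000001}]
"ItemData"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
'''

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from regedit export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1)] = m.group(2)
    return keys

def extra_levels(keys):
    """Names of the security levels switched on by the Levels bitmask."""
    raw = keys.get(BASE, {}).get("Levels", "")
    mask = int(raw[len("dword:"):], 16) if raw.startswith("dword:") else 0
    return [name for bit, name in LEVELS.items() if bit and mask & bit]

def path_rule_level(keys, exe):
    """Level name of the path rule that names exe, or None if no rule exists."""
    prefix = BASE + "\\"
    for path, values in keys.items():
        parts = path[len(prefix):].split("\\") if path.startswith(prefix) else []
        item = values.get("ItemData", "").strip('"').replace("\\\\", "\\")
        if len(parts) == 3 and parts[1] == "Paths" and item.lower() == exe.lower():
            return LEVELS.get(int(parts[0]))
    return None

def audit(text, exe=r"C:\Program Files\Internet Explorer\iexplore.exe"):
    keys = parse_reg(text)
    level = path_rule_level(keys, exe)
    return {"extra_levels": extra_levels(keys), "ie_rule": level,
            "ok": level in ("Basic User", "Restricted")}
```

    A result with "ok" False means the browser launched by the SYSTEM service has no limiting path rule and would run with full rights.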

  3. #92
    Irazmus
    @boomam: No worries, no need to hurry on my account

    @rvdmast: Cheers for that, I'll have a proper look at that tomorrow. Also, do you use that on all machines or just selected clients?

  4. #93

    Right now, we use this only on one dedicated workstation in our library.
    Mostly because we were still testing this, and, as you can see in my how-to it still requires some manual tweaking on each workstation.
    Plus, we've published the SSPR on our ISA servers so they can also reset their password from home. So one dedicated workstation is really enough.

  5. #94
    Irazmus
    @rvdmast: Good point, but it shouldn't be too difficult to tag that setup on the end of BDD. I'll have a go when I have a few minutes.

    And if anyone wants the 2.2.1 install screencast it's now up @ http://www.filefactory.com/file/9e8f3b/
    Comments and criticisms are welcome.

  6. Thanks to Irazmus from:

    RoyaMarie (5th November 2013)

  7. #95


    suggestions

    Now that there's a new version of SSPR I've been thinking about a few things:
    1 - I spent half a day translating all the texts in the ASP files to Dutch. When I install a new version I'd have to do that all over again. And something tells me this isn't the last version to come out.
    I'm no expert at ASP (yet, though I did read up & practice a bit) but would it be possible to use a language file like language.asp that you would #include which contains these texts for a specific language? I'm thinking this file could be just a bunch of string variables with the appropriate texts. Then in the .asp files you'd replace the texts that are currently there with the appropriate variable from language.asp...
    So, if you want English texts you'd download & use the English language.asp, German users would use the German language.asp etc... These could of course be created and submitted here by users themselves.

    2 - How difficult would it be to create an installer? I've seen other installers set up websites in IIS and configure them as required. And if I remember correctly one can import/export IIS settings. And something tells me one could probably do a lot with vbscript or something...

  8. #96

    Just tried it with the video guide.
    I've gotten a bit further now, now I can register, and it does show the questions on the reset screen correctly.
    Problem now is that when it says enter new password, I enter it, then it errors with:

    Error: unable to bind container


    Ideas?


    + for future reference, is there a way to have this self contained in its own folder, rather than the default system one, as if there's other apps that need to use that folder for installation/usage, conflicts will arise.


    On another note, might be worth adding, at the top of the tree in IIS, I had to set 'default website', its IP and port to something less generic, in my case, 172.17.0.50 & 9000 for it to display the pages on remote machines.

    .

  9. #97

    Odd.
    I've added the SSPR_servername user to those two security groups, and then proceeded to test again, nothing but HTTP500 errors now?
    And removing them still makes the error happen.

    ##EDIT##
    Fixed the problem. I replaced the config.asp and the Db with the originals.

    The 'Error: unable to bind container' error still happens though.

    + What's the point in the two security groups I've had to create? I haven't had to specify them anywhere in the configs?
    Last edited by boomam; 25th January 2008 at 10:13 AM.

  10. #98

    plexer
    boomam: this can be run from a new website on your IIS server, it doesn't have to be the default one.

    I think I'll test it on my vm.

    Regarding the install this is something I thought about this week and did post a question about it.

    If we can find a free/open source tool that works well then yes it will be a setup file.

    Wix apparently can do it.

    Ben

  11. #99

    Fair enough, I'll have a play having it on its own website when I redo the IIS in the summer.

    Any idea on the error message?

    Thanks.
    .

  12. #100

    plexer
    boomam: do you have friendly errors turned on in internet explorer on the client you are using to test?

    If so please turn them off and post the real error message.

    Ben

  13. #101

    Quote: Originally posted by plexer
    boomam: do you have friendly errors turned on in internet explorer on the client you are using to test?

    If so please turn them off and post the real error message.

    Ben
    Friendly errors?
    It's not an error that IE generates, like a generic HTTP one.
    It's one that is part of the page that looks identical to the rest of SSPR.

  14. #102

    plexer
    The 500 error is an error from the server and was probably it not being able to connect to the database due to a misconfiguration of the DB location in config.asp.

    Friendly errors don't display the real reason and can be turned off in your IE settings, tools, internet options, advanced.

    The new username and groups are for the impersonation so that the website doesn't have to be run as a domain admin for all functions.

    It uses the impersonation for the reset functionality.

    Ben

  15. #103

    Quote: Originally posted by plexer
    The 500 error is an error from the server and was probably it not being able to connect to the database due to a misconfiguration of the DB location in config.asp.
    Quote: Originally posted by boomam
    ##EDIT##
    Fixed the problem. I replaced the config.asp and the Db with the originals.

    The 'Error: unable to bind container' error still happens though.


    Those errors were fixed. It's just the bind container error now.

    Quote: Originally posted by plexer
    The new username and groups are for the impersonation so that the website doesn't have to be run as a domain admin for all functions.

    It uses the impersonation for the reset functionality.

    Ben
    I understand the user, as that's needed for access to passwords.
    But the security groups: why are they needed?
    The guide/video said to make them, so I did, then nothing else. They literally are just two security groups, with no special options, no special GPOs, just two blank groups?

  16. #104
    Irazmus
    Quote Originally Posted by boomam
    Error: unable to bind container
    The 'Error: unable to bind to container' is caused when SSPR can not connect to Active Directory. This is most likely due to a problem with the FQDN specified in config.asp, the logon credentials in cred.ini, the IIS server's ability to find/contact a DC or insufficient access rights for the impersonation user.

    Quote Originally Posted by boomam
    is there a way to have this self contained in its own folder
    Yes, easily. Simply set up a new website in IIS with a custom folder (I run my dev version from c:\SSPR) and substitute that folder for Inetpub in the instructions and config.asp

    Quote Originally Posted by boomam
    What's the point in the two security groups I've had to create?
    The two security groups are for controlling who can reset passwords using the admin pages, and whose passwords they can reset. They have no bearing on the register, update or reset pages.

    These groups are specified in resetGroup and usersGroup in config.asp, and are defaulted to SSPR_PasswordChangers and Students.
    I'll update the screencast to make this clearer.

  17. #105

    Quote: Originally posted by Irazmus
    The 'Error: unable to bind to container' is caused when SSPR can not connect to Active Directory. This is most likely due to a problem with the FQDN specified in config.asp, the logon credentials in cred.ini, the IIS server's ability to find/contact a DC or insufficient access rights for the impersonation user.
    I've checked the FQDN, it is set correctly.
    The login credentials are correct also.
    The IIS can see the domain controller as well.
    The impersonation user I've set as a staff user. Staff users can reset pupil passwords normally through MMC.

    The anonymous security thing on the reset folder, does that need setting to the user I set up? Or leave at default?


    Quote: Originally posted by Irazmus
    The two security groups are for controlling who can reset passwords using the admin pages, and whose passwords they can reset. They have no bearing on the register, update or reset pages.
    So if I don't want admin access on it, as I'll just use AD myself, the program will work fine without them?
    Last edited by boomam; 25th January 2008 at 02:46 PM.
