As promised, here's how to create a “reset password” button on the login desktop, so that users who forgot their password, and therefore cannot log in, are still able to access the password-reset website. For the actual password resetting we use the “Self Service Password Reset” free software by Ben "Plexer" Norcutt and Alex "Irazmus" Kitching which can be found here:
This article only shows how to create a “reset password” button on the login desktop which opens your password reset page once you set up “Self Service Password Reset”.
The most difficult part is getting something to show on the login desktop. Windows uses the concept of Windowstations and Desktops. The screen you see before anyone has logged in to the computer, called WinSta0\WinLogon, is a different desktop in a different Windowstation than the desktop you see after someone has logged in, called WinSta0\Default. These Desktops/Windowstations are completely separated and programs running in one desktop cannot access programs on another desktop.
Also, to run anything on the login desktop you need certain privileges (rights) which normally only the SYSTEM account has.
Fortunately there is the utility RunProcess.exe by Frank P. Westlake which among many other cool things allows you to start a process on any windowstation/desktop if you have the appropriate privileges. You can download it here: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7127
Next, we need to create a Windows service to run our program. Why? Firstly because we need the appropriate privileges and a service running under the SYSTEM account has these. Secondly we want our program to start without anyone having to log in. This is what services are for.
Since, like most programs that require user interaction, the actual program which will present the reset button does not support running as a service, we will create a “wrapper service” which will load our program. This is NSSM: The Non-Sucking Service Manager
Finally there’s the actual program which does nothing more than show a button which opens your password reset page in Internet Explorer. It’s a simple compiled AutoIt script, source code included.
There are some security issues you should be aware of. This system runs Internet Explorer under the SYSTEM account which has full administrative access to anything on your computer! Should a user be able to browse to a malicious site in this browser then the results might be disastrous. We need to limit what a user can do and where he can surf on the computer where this system runs.
First we will use Internet Explorer’s content rating system to make your password reset website the only website users are allowed to visit. They cannot visit any other websites unless they know the Parental control password. (Default is “w3lk0m”). This is done by copying a ratings file (lockdown.rat) to the system directory and importing some registry entries from the file “pwreset.reg”.
IMPORTANT: you must first edit the file pwreset.reg with Notepad and replace any instance of “yourdomain.com” with the URL/domain of your choice.
Secondly we need to disable all unwanted toolbars, buttons etc. in Internet Explorer. You could use Group Policy to do this, or you could manually double click the file ie-restrictions.reg which is just a sample of what you could do. The installer does not do this, it’s your choice.
Finally, as said above, this system runs Internet Explorer under the SYSTEM account which has full administrative access. But we can take away these rights for just Internet Explorer without restricting the SYSTEM account (which would probably break your computer) by using Software Restriction Policies. To do this, enable SAFER technology by creating the following registry key:
Key: "Levels" (REG_DWORD)
Or just double click “safer.reg”
Then open the (local) Group Policy editor by typing “gpedit.msc” in Start/Run.
Under “Computer configuration” go to Windows settings/Security Settings/Software Restriction Policies/Security Levels. You should see 5 trust levels: Disallowed, Untrusted, Restricted, Basic user and Unrestricted.
Now go to Windows settings/Security Settings/Software Restriction Policies/Additional Rules, right-click and create a new “Path Rule”. Enter the path to iexplore.exe for IE: “C:\Program Files\Internet Explorer\iexplore.exe”, and set the security level to Basic user, or Restricted if you want guest-level access for IE. Now IE will ALWAYS run with limited rights, regardless of which user executes it (even Administrator or SYSTEM).
To make setting all this up easier I have created install.cmd which does most of the work to install this. Only the restricting of IE’s user interface and the creation of a software restriction policy has to be done manually.
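The software restriction policy steps above can also be scripted rather than clicked through in gpedit.msc. The following PowerShell is an added example, not code from the how-to post, from install.cmd or from the SSPR project; it assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (one subkey per trust level, named by the level's decimal value, with path rules as GUID-named subkeys under Paths) and the 0x71000 value for "Levels" that is commonly used to make all five levels visible. Run it from an elevated prompt on the workstation.

```powershell
# Added example (not from the original post or the SSPR project): enable all SAFER
# trust levels, then add a "Basic user" path rule for iexplore.exe, then read the
# rules back. Assumption: the standard SRP registry layout described in the lead-in.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level identifiers (SAFER_LEVELID_* in winsafer.h); the subkey for a level
# is its decimal value, e.g. 131072 for Basic user.
$SaferLevel = @{
    Disallowed   = 0x00000
    Untrusted    = 0x01000
    Restricted   = 0x10000   # listed as "Restricted" in gpedit
    BasicUser    = 0x20000   # listed as "Basic user"
    Unrestricted = 0x40000
}

function Enable-SaferLevels {
    # Equivalent of the post's safer.reg: the "Levels" DWORD makes gpedit show all five
    # trust levels. 0x71000 is the commonly used value (assumption: confirm afterwards in
    # gpedit.msc under Security Levels).
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name 'Levels' -PropertyType DWord -Value 0x71000 -Force | Out-Null
    # Default stays Unrestricted so only the explicit rule below constrains IE;
    # PolicyScope 0 = apply to every user, administrators and SYSTEM included.
    New-ItemProperty -Path $Safer -Name 'DefaultLevel'       -PropertyType DWord -Value $SaferLevel.Unrestricted -Force | Out-Null
    New-ItemProperty -Path $Safer -Name 'PolicyScope'        -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $Safer -Name 'TransparentEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [string] $Description = ''
    )
    # One rule = one GUID-named subkey under <level>\Paths.
    $guid    = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $ruleKey = Join-Path $Safer "$Level\Paths\$guid"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'ItemData'     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'Description'  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'LastModified' -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

function Get-SaferPathRules {
    # Read back every path rule together with the level it sits under, to verify the result.
    foreach ($levelKey in Get-ChildItem -Path $Safer -ErrorAction SilentlyContinue) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # skip non-level subkeys
        $paths = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $levelValue = [int]$levelKey.PSChildName
            [pscustomobject]@{
                Level       = $levelValue
                LevelName   = ($SaferLevel.GetEnumerator() | Where-Object { $_.Value -eq $levelValue }).Key
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

# Usage: the rule from the post, at Basic user level.
Enable-SaferLevels
Add-SaferPathRule -Path 'C:\Program Files\Internet Explorer\iexplore.exe' `
                  -Level $SaferLevel.BasicUser `
                  -Description 'SSPR kiosk: run IE with limited rights' | Out-Null
Get-SaferPathRules | Format-Table -AutoSize
```

The rule takes effect for processes started after it is written, which is exactly what the how-to relies on: the IE instance launched from the SYSTEM-level service gets a Basic user token regardless of who started it. Open gpedit.msc afterwards and check Additional Rules to confirm the rule shows up as expected; a domain GPO that also defines software restriction policies will override these local settings.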
@boomam: No worries, no need to hurry on my account
@rvdmast: Cheers for that, I'll have a proper look at that tomorrow. Also, do you use that on all machines or just selected clients?
Right now, we use this only on one dedicated workstation in our library.
Mostly because we were still testing this, and, as you can see in my how-to it still requires some manual tweaking on each workstation.
Plus, we've published the SSPR on our ISA servers so they can also reset their password from home. So one dedicated workstation is really enough.
@rvdmast: Good point, but it shouldn't be too difficult to tag that setup on the end of BDD. I'll have a go when I have a few minutes.
And if anyone wants the 2.2.1 install screencast it's now up @ http://www.filefactory.com/file/9e8f3b/
Comments and criticisms are welcome.
RoyaMarie (5th November 2013)
Now that there's a new version of SSPR I've been thinking about a few things:
1 - I spent half a day translating all the texts in the ASP files to Dutch. When I install a new version I'd have to do that all over again. And something tells me this isn't the last version to come out.
I'm no expert at ASP (yet, though I did read up & practice a bit) but would it be possible to use a language file like language.asp that you would #include which contains these texts for a specific language? I'm thinking this file could be just a bunch of string variables with the appropriate texts. Then in the .asp files you'd replace the texts that are currently there with the appropriate variable from language.asp...
So, if you want English texts you'd download & use the English language.asp, German user would use the German language.asp etc... These could of course be created and submitted here by users themselves.
2 - How difficult would it be to create an installer? I've seen other installers set up websites in IIS and configure them as required. And if I remember correctly one can import/export IIS settings. And something tells me one could probably do a lot with VBScript or something...
Just tried it with the video guide.
I've gotten a bit further now; now I can register, and it does show the questions on the reset screen correctly.
Problem now is that when it says enter new password, I enter it, then it errors with:
Error: unable to bind container
+ For future reference, is there a way to have this self-contained in its own folder, rather than the default system one, as if there are other apps that need to use that folder for installation/usage, conflicts will arise.
On another note, might be worth adding: at the top of the tree in IIS, I had to set 'default website', its IP and port to something less generic, in my case 172.17.0.50 & 9000, for it to display the pages on remote machines.
I've added the SSPR_servername user to those two security groups, and then proceeded to test again; nothing but HTTP 500 errors now?
And removing them still makes the error happen.
Fixed the problem. I replaced the config.asp and the Db with the originals.
The 'Error: unable to bind container' error still happens though.
+ What's the point in the two security groups I've had to create? I haven't had to specify them anywhere in any of the configs?
Last edited by boomam; 25th January 2008 at 10:13 AM.
boomam: this can be run from a new website on your IIS server; it doesn't have to be the default one.
I think I'll test it on my vm.
Regarding the install this is something I thought about this week and did post a question about it.
If we can find a free/open source tool that works well then yes it will be a setup file.
Wix apparently can do it.
Fair enough, I'll have a play having it on its own website when I redo the IIS in the summer.
Any idea on the error message?
boomam: do you have friendly errors turned on in Internet Explorer on the client you are using to test?
If so please turn them off and post the real error message.
The 500 error is an error from the server and was probably it not being able to connect to the database due to a misconfiguration of the DB location in config.asp.
Friendly errors don't display the real reason and can be turned off in your IE settings: Tools, Internet Options, Advanced.
The new username and groups are for the impersonation so that the website doesn't have to be run as a domain admin for all functions.
It uses the impersonation for the reset functionality.
Originally Posted by boomam
Those errors were fixed. It's just the bind container error now.
I understand the user, as that's needed for access to passwords.
The new username and groups are for the impersonation so that the website doesn't have to be run as a domain admin for all functions.
It uses the impersonation for the reset functionality.
But the security groups: why are they needed?
The guide/video said to make them, so I did, then nothing else. They literally are just two security groups, with no special options, no special GPOs, just two blank groups?
The 'Error: unable to bind to container' is caused when SSPR can not connect to Active Directory. This is most likely due to a problem with the FQDN specified in config.asp, the logon credentials in cred.ini, the IIS server's ability to find/contact a DC or insufficient access rights for the impersonation user.
Originally Posted by boomam
Yes, easily. Simply setup a new website in IIS with a custom folder (I run my dev version from c:\SSPR) and substitute that folder for Inetpub in the instructions and config.asp
Originally Posted by boomam
The two security groups are for controlling who can reset passwords using the admin pages, and whose passwords they can reset. They have no bearing on the register, update or reset pages.
Originally Posted by boomam
These groups are specified in resetGroup and usersGroup in config.asp, and are defaulted to SSPR_PasswordChangers and Students.
I'll update the screencast to make this clearer.
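The four causes listed for 'unable to bind to container' (FQDN in config.asp, credentials in cred.ini, DC reachability, rights of the impersonation user) can be checked in order from the IIS server itself before touching SSPR. The PowerShell below is an added diagnostic, not part of SSPR or of any post in this thread; it assumes the DC name and container DN you would put in config.asp, prompts for the impersonation account instead of reading cred.ini, and uses the .NET DirectoryEntry class (which binds with Negotiate/secure authentication by default). All names in it are placeholders.

```powershell
# Added diagnostic (not from SSPR or the thread): test DNS, LDAP reachability and the
# actual bind to the container, reporting the first step that fails.
function Test-SsprAdBind {
    param(
        [Parameter(Mandatory)] [string] $DcFqdn,       # FQDN from config.asp, e.g. dc01.yourdomain.com (placeholder)
        [Parameter(Mandatory)] [string] $ContainerDn,  # e.g. OU=Students,DC=yourdomain,DC=com (placeholder)
        [pscredential] $Credential = (Get-Credential -Message 'SSPR impersonation account (as in cred.ini)')
    )
    $r = [ordered]@{ DnsResolves = $false; Ldap389Open = $false; BindOk = $false; Detail = '' }

    # 1. Can this server resolve the DC name at all?
    try {
        [void][System.Net.Dns]::GetHostAddresses($DcFqdn)
        $r.DnsResolves = $true
    } catch {
        $r.Detail = "DNS lookup of $DcFqdn failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. Is LDAP (TCP 389) reachable, or is a firewall / wrong host in the way?
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DcFqdn, 389)
        $r.Ldap389Open = $true
    } catch {
        $r.Detail = "TCP 389 to $DcFqdn failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    } finally {
        $tcp.Close()
    }

    # 3. Do these credentials bind to exactly that container DN?
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$DcFqdn/$ContainerDn",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password
    )
    try {
        $entry.RefreshCache()   # forces the bind; throws on a bad DN or bad credentials
        $r.BindOk = $true
        $r.Detail = "Bound as $($Credential.UserName) to $($entry.Properties['distinguishedName'].Value)"
    } catch {
        $r.Detail = "Bind failed: $($_.Exception.Message)"
    } finally {
        $entry.Dispose()
    }
    return [pscustomobject]$r
}

# Usage (placeholder values):
# Test-SsprAdBind -DcFqdn 'dc01.yourdomain.com' -ContainerDn 'OU=Students,DC=yourdomain,DC=com'
```

A successful bind here only proves the first three causes are not the problem; whether the impersonation account may reset passwords in that container is a separate rights question, which is why the reply above lists it as the fourth possibility. If the bind fails with a name-resolution or connection error while DNS and port 389 pass, check that the FQDN used is the one the DC actually presents.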
The login credentials are correct also.
The IIS can see the domain controller as well.
The impersonation user I've set as a staff user. Staff users can reset pupil passwords normally through MMC.
The anonymous security thing on the reset folder, does that need setting to the user I set up? Or leave at default?
So if I don't want admin access on it, as I'll just use AD myself, the program will work fine without them?
The two security groups are for controlling who can reset passwords using the admin pages, and whose passwords they can reset. They have no bearing on the register, update or reset pages.
Last edited by boomam; 25th January 2008 at 02:46 PM.