create a “reset password” button on the login desktop
As promised, here's how to create a “reset password” button on the login desktop, so that users who have forgotten their password, and therefore cannot log in, are still able to access the password-reset website. For the actual password resetting we use the free “Self Service Password Reset” software by Ben "Plexer" Norcutt and Alex "Irazmus" Kitching, which can be found here:
This article only shows how to create a “reset password” button on the login desktop which opens your password reset page once you have set up “Self Service Password Reset”.
The most difficult part is getting something to show on the login desktop. Windows uses the concept of window stations and desktops. The screen you see before anyone has logged in to the computer, called WinSta0\WinLogon, is a different desktop in a different window station than the desktop you see after someone has logged in, called WinSta0\Default. These desktops/window stations are completely separated, and programs running on one desktop cannot access programs on another desktop.
Also, to run anything on the login desktop you need certain privileges (rights) which normally only the SYSTEM account has.
Fortunately there is the utility RunProcess.exe by Frank P. Westlake which among many other cool things allows you to start a process on any windowstation/desktop if you have the appropriate privileges. You can download it here: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7127
Next, we need to create a Windows service to run our program. Why? Firstly, because we need the appropriate privileges, and a service running under the SYSTEM account has these. Secondly, we want our program to start without anyone having to log in. This is what services are for.
Since the actual program which will present the reset button does not support running as a service (like most programs that require user interaction), we will create a “wrapper service” which will load our program. For this we use NSSM: the Non-Sucking Service Manager
Finally there’s the actual program, which does nothing more than show a button that opens your password reset page in Internet Explorer. It’s a simple compiled AutoIt script, source code included.
There are some security issues you should be aware of. This system runs Internet Explorer under the SYSTEM account, which has full administrative access to everything on your computer! Should a user be able to browse to a malicious site in this browser, the results might be disastrous. We need to limit what a user can do, and which sites they can browse to, on the computer where this system runs.
First we will use Internet Explorer’s content rating system to make your password reset website the only website users are allowed to visit. They cannot visit any other website unless they know the Parental Control password (the default is “w3lk0m”; change it before you deploy this). This is done by copying a ratings file (lockdown.rat) to the system directory and importing some registry entries from the file “pwreset.reg”.
IMPORTANT: you must first edit the file pwreset.reg with Notepad and replace every instance of “yourdomain.com” with the URL/domain of your choice.
Secondly, we need to disable all unwanted toolbars, buttons etc. in Internet Explorer. You could use Group Policy to do this, or you could manually double-click the file ie-restrictions.reg, which is just a sample of what you could do. The installer does not do this; it’s your choice.
Finally, as said above, this system runs Internet Explorer under the SYSTEM account, which has full administrative access. But we can take away these rights for just Internet Explorer, without restricting the SYSTEM account itself (which would probably break your computer), by using Software Restriction Policies. To do this, enable SAFER technology by creating the following registry key:
Key: "Levels" (REG_DWORD)
Or just double click “safer.reg”
Then open the (local) Group Policy editor by typing “gpedit.msc” in Start/Run.
Under “Computer Configuration” go to Windows Settings/Security Settings/Software Restriction Policies/Security Levels. You should see 5 trust levels: Disallowed, Untrusted, Restricted, Basic User and Unrestricted.
Now go to Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, right-click and create a new “Path Rule”, and enter the path to iexplore.exe:
“C:\Program Files\Internet Explorer\iexplore.exe”. Set the security level to Basic User, or Restricted if you want guest-level access for IE. Now IE will ALWAYS run with limited rights, regardless of which user executes it (even Administrator or SYSTEM).
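Because the whole design hinges on that path rule actually being in place, it is worth checking it after the policy has been applied rather than trusting the Group Policy dialog. The following PowerShell audit script is an added example and is not part of the original article or its installer. It assumes the standard registry location where Software Restriction Policies store their rules (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), the SAFER level IDs that appear as subkey names there, and the iexplore.exe path used above; run it from an elevated prompt on the machine that hosts the reset button.

```powershell
# Added example (not from the original article): verify that the SRP path
# rule for iexplore.exe exists and that it demotes IE to Basic User or
# Restricted, so the browser started from the login desktop does not keep
# the full SYSTEM token. Assumes the standard SAFER policy store location.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$iePath    = 'C:\Program Files\Internet Explorer\iexplore.exe'

# SAFER level IDs: each one is a decimal-named subkey of CodeIdentifiers.
$levelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Restricted'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SaferPathRules {
    # Walk every level subkey and return one object per path rule.
    if (-not (Test-Path $saferRoot)) { return @() }
    Get-ChildItem $saferRoot | ForEach-Object {
        $levelId  = [int]$_.PSChildName
        $pathsKey = Join-Path $_.PSPath 'Paths'
        if (Test-Path $pathsKey) {
            Get-ChildItem $pathsKey | ForEach-Object {
                $rule = Get-ItemProperty $_.PSPath
                [pscustomobject]@{
                    Level = $levelNames[$levelId]
                    # ItemData holds the rule's path, possibly with %variables%.
                    Path  = [Environment]::ExpandEnvironmentVariables($rule.ItemData)
                }
            }
        }
    }
}

function Test-IeRestricted {
    # Returns $true only if a rule matches iexplore.exe at a limited level.
    $ieRule = Get-SaferPathRules | Where-Object { $_.Path -ieq $iePath }
    if (-not $ieRule) {
        Write-Warning "No SRP path rule for $iePath; IE on the login desktop still runs with full SYSTEM rights."
        return $false
    }
    if ($ieRule.Level -in @('Basic User', 'Restricted')) {
        Write-Output "OK: $iePath is limited to level '$($ieRule.Level)'."
        return $true
    }
    Write-Warning "Path rule for $iePath exists but its level is '$($ieRule.Level)'; expected Basic User or Restricted."
    return $false
}

Test-IeRestricted
```

If the script reports no rule even though you created one in gpedit.msc, run gpupdate and check again; until the rule is present in this key, the SYSTEM-launched browser is unrestricted and the content-rating lockdown is the only thing standing between a user and the rest of the machine.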
To make setting all this up easier I have created install.cmd, which does most of the work of installing this. Only the restricting of IE’s user interface and the creation of the Software Restriction Policy have to be done manually.