IISADMPWD: IIS 7 Authentication with “User must change password at next logon” Flag Set in Active Directory

We’re working with a customer to replace the Microsoft IISADMPWD tool the customer uses to allow Active Directory password changes in their hosted software offering. This tool, a legacy ASP application that runs on IIS 5 and 6, has been around for a while to allow AD password changes using OWA, Outlook Web Access. Beginning with IIS 7 on Windows Server 2008, support for IISADMPWD was dropped and users can now change passwords directly in OWA on Exchange 2007 and 2010 without IISADMPWD.

But what if you’re in a situation like our customer and you use IISADMPWD to change passwords in your Active Directory credentials store? There are several ways to port IISADMPWD to IIS 7 and Server 2008 but these are outside the context of Microsoft technical support. Plus, IISADMPWD does not work on IIS 7/7.5 when a user account has the “User must change password at next logon” flag set in Active Directory. Why?

As far as I can tell from experimenting in our test environment and searching the web, IIS 7 and later versions do not allow a user to access a site secured with Basic or Windows authentication if the “User must change password at next logon” flag is set in AD. IIS 7 was completely re-architected from previous versions, and the “back door” ISAPI DLL access that previously allowed this feature has been turned off, since its primary reason to exist (resetting AD passwords for OWA) is now properly built into OWA.

There is a pretty simple workaround if you want to still use a tool like IISADMPWD. Web Active Directory provides several AD management tools that change passwords and we have a replacement for IISADMPWD that runs on IIS 7 and later. The tool uses Anonymous IIS authentication but you can pre-populate the username for changing a password using the URL query string or passing the username value in a custom HTTP header. Using Anonymous authentication allows the application to run without asking the user for credentials and all AD password changes are securely executed under a Windows service account security context.
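As an added example of the Anonymous-authentication flow just described (this is not code from the original post or from Web Active Directory's product), here is an ASP.NET handler that takes the username from the query string or a custom header and changes the password under the application pool's service-account identity. The domain name, the header name and the form field names are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;

// Assumed: IIS Anonymous authentication, app pool running as a domain service account,
// domain "example.local" and custom header "X-Username" (all placeholders).
public class ChangePasswordHandler : IHttpHandler
{
    const string Domain = "example.local";
    const string UserHeader = "X-Username";
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var req = context.Request;
        // Username pre-populated via ?user= or the custom header, as the post describes.
        string user = req.QueryString["user"] ?? req.Headers[UserHeader];
        string oldPwd = req.Form["oldPassword"];
        string newPwd = req.Form["newPassword"];

        // Passwords only via POST over HTTPS; a username alone proves nothing.
        if (req.HttpMethod != "POST" || !req.IsSecureConnection || string.IsNullOrEmpty(user)
            || string.IsNullOrEmpty(oldPwd) || string.IsNullOrEmpty(newPwd))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // No explicit credentials: the directory bind runs as the app pool identity.
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
        {
            if (up == null) { context.Response.StatusCode = 403; return; }
            // LastPasswordSet is null when pwdLastSet == 0, i.e. the flag is set;
            // Basic/Windows auth rejects such a user, but ChangePassword still works.
            bool mustChange = up.LastPasswordSet == null;
            try
            {
                // ChangePassword requires the current password. Never use SetPassword here:
                // that is an admin reset and would let anyone naming an account reset it.
                up.ChangePassword(oldPwd, newPwd);
                context.Response.Write(mustChange ? "changed (flag cleared)" : "changed");
            }
            catch (PasswordException)
            {
                context.Response.StatusCode = 403; // wrong old password or policy violation
            }
        }
    }
}
```

A successful change updates pwdLastSet, so the “User must change password at next logon” flag is cleared as a side effect and the user can then authenticate normally.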
