Foreword
The following article describes a way for Active Directory users to change their password on a website. The Windows feature "Web Access for Remote Desktop" is somewhat misused for this purpose. A complete installation and configuration of the Remote Desktop services is not required for this.
Note: The method described here is only suitable for changing the known Active Directory password. It is not possible to reset a forgotten password.
The password change via website is interesting for users who work on computers that are not members of the Active Directory.
Preparation
An installed server with Windows Server 2016 or Windows Server 2012 R2 is sufficient as preparation. The server must be a member of the Active Directory and have the latest Windows updates.
Installing Web Access for Remote Desktop
The "Remote Desktop Services" role can now be added to the prepared server via Server Manager:
No specific features need to be added. The corresponding dependencies are installed automatically. You can therefore simply click on "Next" here:
Only "Web Access for Remote Desktop" is required as a role service:
All dependencies for the "Web Access for Remote Desktop" role service are now added at this point:
The role services for the IIS web server can also be left as they are:
After the summary, the roles can be installed:
As soon as the roles are installed, the configuration can begin.
Configuration
To make it easier to remember the URL for password changes later, an alias is first created for the server in the DNS. As an example, I have chosen the alias "password" and let it point to the server:
In the IIS Manager on the server, there is now the "RDWeb" application under the "Default Web Site", below which is the "Pages" application. The "Pages" application is selected and the "Application settings" are opened:
In the application settings, the "PasswordChangeEnabled" setting must now be changed to the value "true":
The password change can now be tested. The password change portal can be accessed at the following URL:
- https://localhost/RDWeb/Pages/de-DE/password.aspx
or in my case (as entered in the DNS):
- https://password.ad.frankysweb.com/RDWeb/Pages/de-DE/password.aspx
The page now looks as follows:
However, as the URL is still quite cumbersome, a redirection from the default web site is set up. To do this, the "Default Web Site" is selected in the IIS Manager and "HTTP redirection" is selected:
The URL of the portal is now entered as the destination and the following settings are selected:
Important: Do not enter the "localhost" URL as the redirection destination! In my case, the redirection destination is https://password.ad.frankysweb.com/RDWeb/Pages/de-DE/password.aspx.
The redirection ensures that calls for https://password.ad.frankysweb.com are forwarded to the password portal:
Users can now simply open the corresponding URL in their browser (https://password.ad.frankysweb.com) and change their password. The page still looks a little strange for a password change portal, but this can be fixed with a few adjustments.
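The configuration steps above can also be scripted and then checked. The following PowerShell is an added example, not part of the original article. It makes several assumptions: the feature names `RDS-Web-Access` and `Web-Http-Redirect`, the redirect options (exact destination, root only, 302), which the page shows only in a screenshot, a placeholder portal URL, and a certificate located in the `LocalMachine\My` store.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: placeholder alias, replace with your own DNS name.
    [string]$PortalUrl = 'https://password.example.test/RDWeb/Pages/de-DE/password.aspx',
    [string]$Site      = 'Default Web Site'
)

# The article warns against a localhost destination; also insist on HTTPS.
if ($PortalUrl -notmatch '^https://' -or ([uri]$PortalUrl).IsLoopback) {
    throw "Redirect destination must be a non-loopback https:// URL: $PortalUrl"
}

# Role service from the article plus the IIS HTTP Redirection module.
Install-WindowsFeature -Name RDS-Web-Access, Web-Http-Redirect -IncludeManagementTools | Out-Null
Import-Module WebAdministration

# Enable the password change page in the appSettings of RDWeb/Pages.
$pages = "IIS:\Sites\$Site\RDWeb\Pages"
$key   = "/appSettings/add[@key='PasswordChangeEnabled']"
Set-WebConfigurationProperty -PSPath $pages -Filter $key -Name value -Value 'true'

# Redirect requests for the site root to the portal (assumed options, see lead-in).
# childOnly restricts the redirect to this directory, not its subdirectories.
$redir    = 'system.webServer/httpRedirect'
$settings = [ordered]@{
    enabled = $true; destination = $PortalUrl; exactDestination = $true
    childOnly = $true; httpResponseStatus = 'Found'
}
foreach ($s in $settings.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $redir -Name $s.Key -Value $s.Value
}

# Read the settings back and inspect the certificate bound to HTTPS.
$binding = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
$cert    = if ($binding) {
    Get-Item "Cert:\LocalMachine\My\$($binding.certificateHash)" -ErrorAction SilentlyContinue
}
[pscustomobject]@{
    PasswordChangeEnabled = (Get-WebConfiguration -PSPath $pages -Filter $key).value
    RedirectDestination   = (Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Filter $redir).destination
    CertSubject           = $cert.Subject
    CertSelfSigned        = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
    CertExpires           = $cert.NotAfter
}
```

If `CertSelfSigned` is true, the HTTPS binding has not yet been given a certificate that clients trust.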
Adjustments
With a few small adjustments, the page looks more like a password change portal. I adapted the following strings in this file:
- C:\Windows\Web\RDWeb\Pages\de-DE\RDWAStrings.xml
- PageTitle: Change password
- HeadingRDWA: Change password
- HeadingApplicationName: Portal for changing passwords
I have also adapted a string in the following file:
- C:\Windows\Web\RDWeb\Pages\de-DE\password.aspx
- L_CompanyName_Text: Change password
Now replace the logo on the page, for example with a lock:
- C:\Windows\Web\RDWeb\Pages\images\logo_02.png (48×48 pixels)
Now the password portal also looks appealing to the user:
With a few further adjustments, it can also be made a little simpler or adapted to the corporate identity:
Before the portal is released to the users, a suitable SSL certificate should be installed.
However, users must also be informed in good time so that they can change their password; this could be done by e-mail. A corresponding article will follow.
Update: Here is an example script to remind users to change their password by e-mail: Mail when password expires