Domain Password is a 32-bit Windows NT4/2K/XP/2003/Vista/Win7/2008/Win8/2012/Win10 CGI program to let users securely change their Windows Domain/Active
Directory passwords using their web browser. Password change pages can be completely customized and made available
on your intranet or the Internet.
Extremely simple for both the end user and administrator.
No HTML to write or maintain (unless you want to)
No registry entries to edit
Generates a log of all successful and failed attempts
Here's a sample log file: dompass.log
Simple password changing using a browser is especially useful for organizations with dial-up/VPN remote users, those
with workstations running a variety of operating systems, those running Exchange, or anyone else who wants to give their users
a extraordinarily easy way change their own passwords without the hassle of logging onto the domain, pressing obscure
key combinations, or figuring out how their particular operating system changes passwords.
Domain Password also works on SSL-enabled web servers to provide fully encrypted sessions between the server and browser.
Domain Password is primarily designed for use on Windows Domains/Active Directory trees. The program
can run either on Workstation or Server versions of Windows NT4/2K/XP/2003/Vista/Win7/2008/Win8/2012/Win10. Users may also change passwords
for multiple domains.
You may also install Domain Password on stand-alone machines that are not part of a domain; in this
case, you can use Domain Password to change the password only on the machine on which it runs.
Requirements
Domain Password is a client-server program. The client portion is
a web browser, and the server portion is a web server running
Domain Password. No additional software or configuration is needed
for the client, which means you may change domain passwords using
any web browser on any operating system as long as the browser
supports HTML forms.
Copy the executable file to your web server's CGI
directory (usually cgi-bin or scripts, but may be something else depending
on your server and how it's configured).
Refer to your web server's documentation to ensure that standard CGI is enabled
for the server, and that the CGI directory has the proper execute permissions.
On IIS, make sure that the IUSR_ account has Change rights in
the temp directory. On other servers, ensure that the SYSTEM account, or user
account under which the server runs, has Change rights in the temp directory.
Note: Enabling CGI on IIS for Windows Server 2003 and later requires additional configuration.
See this article from our Knowledgebase for details.
If you are having trouble getting CGI programs to run, especially on IIS,
then you might want to search our knowledgebase
for help. Answers to the most-frequently asked questions are there.
Copy dompass.ini to the same directory as dompass.exe. Leave dompass.ini unchanged
until you are sure Domain Password is working satisfactorily, then edit to suit
your tastes. Note, you may need to add domain information per this KB article.
Add a link to dompass.exe on any page you want. For example, if your CGI directory is
CGI-BIN, add this link: <a href="/cgi-bin/dompass.exe?">Change Password</a>
To use Domain Password on any web server, you must
Adjust the Policies/Account settings in User Manager and turn off the "Users must log on in order to change password" checkbox.
Adjust the Policies/User Rights settings in User Manager and add "Log on as a batch job" for "everyone" (or those users you want to be able to use Domain Password).
Note: All regular Windows account restrictions apply. For example, if you have passwords restricted so they can only be changed every 10 days,
then users will not be able to change passwords with DomPass more often then every 10 days. Ditto for allowing blank passwords, remembered
passwords, and so forth. DomPass does not circumvent any Windows policies or security constraints.
Version History
1.4.b.20030217 - Change log file to report domain\user instead of just user.
1.4.b.20021108 - Added [Domains] section to dompass.ini file to provide drop-down optional list.
Documentation is within the dompass.ini file.
1.3.b.20010803 - Fixed bug that prevented plus sign from being recognized as a valid character
within a password; replaced registry-handling library with newer module.
1.2.b.20000214 - Added internal error handling for MSVC runtime deallocation errors. Improved code
to retain domain and username information on form in case of error.
1.2.b.19990510 - Alpha version released; minor internal improvements in error handling
Username:
Current Password:
New Password:
New Password Again:
Note: Passwords are case-sensitive on this system. Password, PASSWORD, and password are three different passwords.
Version 1.1 (build 970302 or later) allows you to customize the entire format, as
much or as little as you want.
Domain Password is self-configuring. It will discover the name of your primary domain controller
and generate the proper HTML. You may override this by specifying a machine name on the PDC=
line in dompass.ini. Specifying a PDC also makes the program more efficient, since the lookup
can take a noticeable amount of time on some networks.
You may customize most aspects of Domain Password by editing the dompass.ini file. All of the
text, and most of the HTML, can be changed by editing this file. To make Domain Password
operate in Portuguese, for example, just replace the English text messages with the Portuguese
equivalents.
Here is the default
dompass.ini file. (It is included in the ZIP archive when you download.) All of the options are
well-documented in the INI file itself, so there's not much point in repeating the instructions
here.
By default, Domain Password looks for dompass.ini in the same directory where the
you keep dompass.exe. This is also where Domain Password will write its log file, dompass.log.
As of version 1.1.b.980925, you may change a registry setting to specify a different
directory for dompass.ini and dompass.log. This feature was added to enhance security
for servers that allow read access to all files in the CGI-BIN or SCRIPTS directory. If
you are upgrading from a previous version, Domain Password will create the registry entry
for you the first time you run Domain Password after the upgrade.
To change the directory where the config files are stored, use REGEDIT or REGEDT32 to modify
Domain Password's ConfigDir setting:
Double-click on the ConfigDir entry. This is a REG_SZ (string) value, set to blank by
default. Type the drive and path you want to use. For example, C:\dompass.
Create the directory you specified above, and put the dompass.ini file in that directory.
Use File Manager or Explorer to set the file permissions to Change for the users who
should be able to access this file. Under IIS, this is usually the group Authenticated
Users, and/or the user IUSR_machinename. Under other web servers, you will usually need
to specify the account under which the web server runs, usually LocalSystem or System.
As long as the drive and directory you specify isn't shared, this will allow Domain
Password to read the dompass.ini file and write the dompass.log file in this directory,
but not allow access in any other way.
