non-admin users change own active directory password

I'm looking at a situation where a client has an application deployed via RemoteApp, no full RDP desktop or web interface available.  As the RemoteApp is published on a network share, it is invoked via a batch file, launched via a published .rdp file.

I've run into an issue with being able to allow users to change their own passwords. I don't want to have to deal with changing users' passwords, or knowing what they are; if I expire or require a password change, the users are simply locked out, there is no opportunity for them to change their password themselves.

Ideally, I'd like to write or find a command line utility I could insert into the batch file that launches the remote app to address this deficiency.

I've poked around in the ActiveDirectory UDF, which seems to be a great tool, but without a function written for the use case where the password change is desired to be forced upon the current user (who is NOT an admin).

Note: net user /domain requires admin rights.
      pspasswd, while awesome, also requires admin rights.

Does anyone have a UDF or Function utility that they use to allow a user to change their own domain password from the command line?

I've seen a couple of PowerShell examples, but I'd love to be able to compile or drop in a command line oriented passwd.exe utility that would work similarly to the *nix equivalent.

The pspasswd Sysinternals utility does not seem to have this use case in mind -- in my tests you have to be an admin to change a password.

Edited by flyingboz

Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.

  • Moderators

I've worked with a number of third party applications that allow single sign on as well as self-unlock and self-password reset for non-admin users. In all cases, the application uses a service account that has the rights to perform the action.

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Thanks for the reply / insight. I'm not interested particularly in anything more than a command line interface to allow the user to change their own password. While single sign-on has its uses, it's not really germane to the core topic.

If I give users full remote desktop access they have the permissions to change their password via the GUI. At its most basic, there should be a command line equivalent that asks the user to enter their old password, then their new one w/ confirmation. Conceptually, there shouldn't need to be any additional proof that the user is who they say they are, they've already been authenticated, and the RemoteApp started.

I don't think I should need a service or other 'trickery' involved, because I have access to the user environment -- I am setting the user default printer in the batch script that runs each time they initiate the RemoteApp.

Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.
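
The old/new/confirm prompt described in the post above can be sketched in PowerShell as follows. This is an added example, not code from any poster in this thread; the script name is hypothetical, and it assumes a domain-joined session host with the .NET System.DirectoryServices.AccountManagement assembly and a reachable domain controller.

```powershell
# Change-OwnPassword.ps1 (hypothetical name, added example).
# Could be called from the RemoteApp launch batch file, e.g.:
#   powershell.exe -NoProfile -File Change-OwnPassword.ps1
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function ConvertTo-PlainText([securestring]$Secure) {
    # ChangePassword() takes plain strings, so make a short-lived copy
    # and zero the unmanaged buffer as soon as it has been read.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

# Read-Host -AsSecureString does not echo what is typed.
$old  = Read-Host -AsSecureString 'Current password'
$new  = Read-Host -AsSecureString 'New password'
$new2 = Read-Host -AsSecureString 'Confirm new password'

# -cne is the case-sensitive "not equal" comparison.
if ((ConvertTo-PlainText $new) -cne (ConvertTo-PlainText $new2)) {
    Write-Error 'New passwords do not match.'
    exit 1
}

try {
    # UserPrincipal.Current is the account this process runs as, so no
    # user name is accepted and no service-account credential is stored.
    $me = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current

    # ChangePassword (unlike SetPassword, which is an administrative
    # reset) must be given the old password, and the domain's password
    # policy is applied to the new one.
    $me.ChangePassword((ConvertTo-PlainText $old), (ConvertTo-PlainText $new))
    Write-Host "Password changed for $($me.SamAccountName)."
}
catch {
    # A wrong current password, a policy rejection or an unreachable
    # domain controller all end up here; report the message and fail.
    Write-Error "Password change failed: $($_.Exception.Message)"
    exit 2
}
```

Because the script only ever acts on the account it is running as, nothing in it is worth extracting: there is no embedded credential of the kind the RunAs approach would need.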

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.

 

Some time ago, searching in Google for RunAs, in order to find some way to hide a password from usual users executing Admin tasks, is when I found and started to use AutoIt.

Now, I have several big projects growing for years, working fine and developed in AutoIt, that is better and gives me much more possibilities than I expected. :)

After fighting vs UAC for 9 months, because of a migration from XP, and winning to NamedPipes this week, I am almost happy.

Cheers. :shifty:

My english shucks, i know it.
