Adding a button to the Windows 7 Logon screen - windows

I want to implement a password self-reset functionality for Windows 7 users. When the Logon screen prompts, the domain users should be presented with a "forgot password" button which will open the password reset wizard. So the problem is how to add a command button to the standard Windows logon screen?
I know about GINA in Windows XP as mentioned here:
Adding command button to Windows Logon screen
But this topic is 3 years old, and with Vista / Windows 7 Microsoft came up with "Microsoft Windows Credential Provider".

Those buttons are called "Tiles", and they are implemented in a Credential Provider. Anything you read about a GINA will not work in Vista or later.
Those tiles are created by the LogonUI.exe process, itself launched by Winlogon.exe. LogonUI.exe runs with high privileges. You don't want to run anything there. Besides, any wizard you run will run under the system account. Security issues aside, anything that resets the password of the current user will not work.
But let's assume that you have a solution that can reset a user's password. Like a web site (or a local application) that:
Asks for the user's name
Asks some security questions
Connects to Active Directory to reset the password
Then here is a way to implement the functionality.
Create a user, a domain user if possible. Give it a name and a password easy to remember, like "reset" and "reset". Make sure that everybody knows the password.
Change the shell of that user to Internet Explorer, that you would be running in kiosk mode, pointing to your web application.
Now when someone wants to reset their password, here is what they will do:
Use the standard Windows Credential Provider, like they do every day, but with the user "reset" and the password "reset".
Instead of the normal Windows shell, they will be presented with your password reset web application.
The user resets their password and they are instructed to log off using CTRL+ALT+DEL
They can log in with their own username and brand new password.
This idea can be improved upon if you are ready to write some code:
Instead of Internet Explorer, write a simple web application that wraps the web browser control. If the application is closed, or any other funny business happens, log off.
Hack one of the Credential Provider samples to supply the well-known password reset username and password, making password reset merely a click away
Change that password reset credential provider's image to reflect the password reset functionality.
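The kiosk shell part of the procedure above, as an added example that is not code from the answer: a script that replaces Explorer for the shared "reset" account, runs Internet Explorer in kiosk mode against the reset portal, and forces a logoff on any exit path. The portal URL, the script path and the 10-minute limit are assumptions.

```powershell
# kiosk-shell.ps1: per-user replacement shell for the "reset" account.
# Usage: log on once as "reset" and run ".\kiosk-shell.ps1 -Install"; every later
# logon of that account then runs this script instead of explorer.exe.
param([switch]$Install)

$Portal  = 'https://pwreset.example.internal/'   # placeholder: your password reset web app
$MaxTime = New-TimeSpan -Minutes 10              # constructed limit for an abandoned kiosk session
$Key     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

if ($Install) {
    # The per-user Shell value overrides explorer.exe for this account only,
    # so every other user of the machine keeps the normal Windows shell.
    $self = $MyInvocation.MyCommand.Path
    $cmd  = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$self`""
    if (-not (Test-Path $Key)) { New-Item -Path $Key | Out-Null }
    Set-ItemProperty -Path $Key -Name Shell -Value $cmd
    return
}

try {
    # Kiosk mode (-k): full screen, no address bar, menus or toolbars.
    $ie = Start-Process -FilePath 'iexplore.exe' -ArgumentList "-k $Portal" -PassThru
    # Wait for the browser to exit or for the time limit; either way we fall through.
    if (-not $ie.WaitForExit([int]$MaxTime.TotalMilliseconds)) {
        Stop-Process -Id $ie.Id -Force -ErrorAction SilentlyContinue
    }
}
finally {
    # Browser closed, crashed, timed out or any error: the kiosk session ends here,
    # which is the "log off on any other funny business" rule from the answer.
    shutdown.exe /l /f
}
```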

Related

Windows credential provider pinlogonprovider

I am trying to make a Windows custom credential provider using this reference https://learn.microsoft.com/en-us/samples/microsoft/windows-classic-samples/credential-provider/
https://www.microsoft.com/en-us/download/details.aspx?id=53556#:~:text=Credential%20providers%20are%20used%20in,for%20Windows%20Vista%20and%20higher
The idea is:
I kept the username and password inside the PC
I use my own MFA (just a simple push notification to my Android phone)
If I confirm the notification, I will use the stored username & password to log in
It works well whenever I match the password and username, and log in using my "Credential Provider"
Then I realized, after I log in to my Microsoft username, the next login will prompt for a PIN instead of a password, like this:
I know I can keep my Microsoft account's password in my offline database and my idea still works.
However, since my password is too long, I want to keep the PIN instead of the password
Does the Windows credential provider support PIN authentication?
I tried to google it, and it just shows the smartcard's PIN instead of the Windows logon PIN
------------------- UPDATE ------------
Looks like I did not write the question clearly
I want to extend my current Credential Provider so that it is able to automatically sign in using a password and the Windows Hello PIN.
So the database will consist of username and PIN (that matches the Windows Hello PIN) or password (that matches the local account password)
Is it possible?
Have a look at how you set up a new logon using the Picture or PIN credential providers from Microsoft Hello - initially you enter your password.
So these providers store this collected data in some internals and later provide it as collected by themselves.
Nobody restricts you from doing it the same way.
------------------- UPDATE ------------
Have a look at SampleWrapExistingCredentialProvider

Blanked a Win10 password but cannot login

Okay, I think I did something stupid here. I had forgotten my Win10 user account (steph) Password. This is an admin account.
1) Using a Linux-type USB boot utility, I've been able to blank the password. Upon reboot, I entered a blank password but I still cannot log in; it seems that my account physically on the computer now doesn't match my Hotmail credentials -or something- and I'm still locked out.
2) Using the same Linux USB boot utility, I've unlocked the 'Administrator' account. Now I can log in using the 'Administrator' account, but from the Control Panel I cannot change my own user account (steph) password; the option for it is just not there (perhaps it's because the password is believed to be blank?)
3) Later I've been able to find the piece of paper on which I wrote my original password for my own account.
Q: Is there a way to set my original password back to what it was in order to unlock my account?
Thanks.
Many Linux USB boot utilities can work with local accounts only. I suggest you set up a new Microsoft account on your PC, and point it to your old profile directory. Then remove your original Microsoft account from Control Panel.

Show Windows' user switching screen

I want to do (programmatically, using WinAPI) exactly the same what Windows does when you click on 'Switch User' in the Start Menu. Namely, to show the screen where all available user accounts are listed and you can switch to another account still being logged on as the previous one. As far as I know it's called 'fast user switching'. I have no credentials, my task is to let users of my app switch to another account using their own credentials.
Also, is there a way to know if the option is enabled in the Start menu? Because if it is not, I don't want to show the option in my app either.
UPDATE
I have used ::ExitWindowsEx() for logging off, but there is no EWX_ flag for switching.
Regards,
It sounds like you want the WTSDisconnectSession() function:
Disconnects the logged-on user from the specified Remote Desktop
Services session without closing the session. If the user subsequently
logs on to the same Remote Desktop Session Host (RD Session Host)
server, the user is reconnected to the same session.
You use it like this:
WTSDisconnectSession(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION, FALSE);
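The same call from PowerShell via P/Invoke, as an added example that is not part of the answer; it also covers the second half of the question (whether Fast User Switching is available) by reading the "Hide entry points for Fast User Switching" policy value. The function names are assumptions.

```powershell
# WTSDisconnectSession from wtsapi32.dll; Add-Type supplies the System and
# System.Runtime.InteropServices usings for a -MemberDefinition block.
Add-Type -Namespace Win32 -Name Wts -MemberDefinition @'
[DllImport("wtsapi32.dll", SetLastError = true)]
public static extern bool WTSDisconnectSession(IntPtr hServer, int sessionId, bool bWait);
'@

function Test-FastUserSwitchingEnabled {
    # The policy writes HideFastUserSwitching = 1 when the Start menu entry is hidden;
    # a missing value means the default (enabled).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name HideFastUserSwitching `
            -ErrorAction SilentlyContinue).HideFastUserSwitching
    return ($v -ne 1)
}

function Invoke-SwitchUser {
    if (-not (Test-FastUserSwitchingEnabled)) {
        throw 'Fast User Switching is disabled by policy; not offering the option.'
    }
    # WTS_CURRENT_SERVER_HANDLE is NULL and WTS_CURRENT_SESSION is (DWORD)-1 in wtsapi32.h.
    # bWait = $false returns immediately, as in the answer's C call.
    $ok = [Win32.Wts]::WTSDisconnectSession([IntPtr]::Zero, -1, $false)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "WTSDisconnectSession failed, Win32 error $err"
    }
}
```

Calling Invoke-SwitchUser detaches the current session and shows the logon screen; the session stays alive and is reattached when the same user logs on again.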

Connect user to MVC3 application without login form (Single Sign On)

I want to know if it's possible to connect users to my application using their Active Directory login and password but without asking the users to re-enter them.
What I actually do (disabled anonymous auth/enabled Win auth):
1- the users power on their desktop and enter their login and password (Active Directory)
2- open the application and re-enter the same login/password (again)
I want to avoid the second step, and get the information I need from the session (the name, username...)
Is that possible?
If the browser supports NTLM they shouldn't get prompted.
Here is an article on how to do this.
Authenticating Users with Windows Authentication
For support in specific browsers search:
"ntlm firefox"
"ntlm chrome"
etc...
To get the actual user's username (User.Identity.Name) see: HttpContext.User Property
see also:
IIdentity Interface
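A check for the setup the question describes, as an added example that is not from the question or the answer: it verifies from Windows PowerShell (with the WebAdministration module) that the IIS application has anonymous authentication off and Windows authentication on, lists the provider order, and then confirms that a request without credentials is challenged while a request with the logged-on user's token succeeds silently. The site, application and URL are placeholders.

```powershell
Import-Module WebAdministration
$location = 'Default Web Site/MyMvcApp'                 # placeholder site/application
$url      = 'http://intranet.example.internal/MyMvcApp/' # placeholder URL
$authPath = 'system.webServer/security/authentication'

function Get-AuthEnabled([string]$Section) {
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authPath/$Section" -Name enabled).Value
}

$anon = Get-AuthEnabled 'anonymousAuthentication'
$win  = Get-AuthEnabled 'windowsAuthentication'
if ($anon -or -not $win) {
    throw "IIS auth misconfigured: anonymous=$anon windows=$win (need anonymous off, Windows on)"
}

# Negotiate should be listed before NTLM so domain-joined clients get Kerberos SSO;
# NTLM remains the fallback the answer refers to.
$providers = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/windowsAuthentication/providers" -Name Collection
"Providers: " + (($providers | ForEach-Object { $_.value }) -join ', ')

# 1. No credentials: the server must answer 401, never serve the page anonymously.
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    throw 'Anonymous request succeeded; anonymous auth is still effective'
}
catch [System.Net.WebException] {
    if ([int]$_.Exception.Response.StatusCode -ne 401) { throw }
}

# 2. Default credentials: the logged-on user's token is used, no prompt, no second login.
$r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
"Status $($r.StatusCode) as $env:USERDOMAIN\$env:USERNAME (what User.Identity.Name will show)"
```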

Refresh/Restart Vista's graphical login screen using JScript (WSH)

Background:
I have a JScript that runs when the computer starts up (from task scheduler). The script does some magic and determines if a user should be allowed to login at all. It starts by disabling all user accounts and then if a user is to be allowed in it enables the users account by firing the 'net user' command using wshShell.Exec(). All this works well and the accounts are correctly enabled/disabled.
Problem:
However, the Vista graphical login screen has no idea that user accounts have been enabled/disabled and does not refresh itself to show/remove the user account pictures. Actually, it does refresh itself if I wait long enough at the login screen to start the screensaver. When the mouse is then moved, the Vista login screen returns refreshed. However, I want to be able to restart/refresh the login screen from my script. Any ideas?
What I have already tried:
I tried launching winlogon.exe from the script; it had no effect.
I tried launching logon.scr from the script to trigger the screensaver manually; it did not trigger.
If you need the script, look here: http://code.google.com/p/truecryptautomount/
Anything you do from the service's context will not affect it as the login screen is an entirely different session/desktop. This is a security feature designed to stop user programs from emulating the login screen to capture a password. CTRL+ALT+DEL will always bring you to this alternate desktop/session.
The screensaver you are starting is not the same one you see start on the login screen. With that in mind, you should be able to configure the screensaver for the system account's profile to have a very short wait time. You can probably learn what you need to know from this article:
http://blogs.technet.com/heyscriptingguy/archive/2006/03/08/how-can-i-configure-the-screensaver-used-when-no-one-is-logged-on-to-a-computer.aspx
Hope this helps,
-Oisin
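The workaround the answer suggests, as an added example that is not the questioner's script or the linked article's code: the logon desktop runs the screensaver configured in the .DEFAULT hive, so a short timeout there makes the screen refresh itself soon after the accounts are toggled. The 15-second timeout and the helper name are assumptions; run it elevated from the same scheduled task that enables and disables the accounts.

```powershell
# Screensaver settings read by the logon desktop (the "no one logged on" profile).
$desktop = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name ScreenSaveActive  -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut -Value '15'   # seconds; constructed value
# Blank screensaver shipped with Windows; any installed .scr works.
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"

# Account gating as in the question, via "net user", with the exit code checked
# instead of relying on wshShell.Exec() output.
function Set-LogonAllowed([string]$User, [bool]$Allowed) {
    $flag = if ($Allowed) { 'yes' } else { 'no' }
    net user $User /active:$flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user /active:$flag failed for $User" }
}

# Constructed example: deny everyone first, then re-enable the accounts that passed the check.
foreach ($u in @('alice', 'bob')) { Set-LogonAllowed -User $u -Allowed $false }
Set-LogonAllowed -User 'alice' -Allowed $true
```

Because the script runs in session 0 it cannot touch the logon desktop directly, which is exactly the isolation the answer describes; it only changes what the logon desktop will do on its own.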
