PASSWD - CHANGE PASSWORD ON THE COMMAND LINE AND IN BATCH FILES
---------------------------------------------------------------

A utility for Windows NT

written by

Alexander Frink
Hermann Schauss Str. 8
D-65232 Taunusstein
Germany

e-mail: Alexander.Frink@Uni-Mainz.DE

February 1997


Contents
--------

(a) Introduction
(b) Legal stuff
(c) Implemented and tested platforms
(d) Installation
(e) Usage
(f) Feedback


(a) Introduction
----------------

An increasing number of users, who have been familiar for a long time
with command line oriented operating systems like Unix or VMS, and who
now have to switch to Windows NT for several reasons they may or may
not be responsible for, are frustrated by having to do everything by
clicking with the mouse or using weird keyboard shortcuts, which makes
it nearly impossible to seriously automate tasks.

Further, one can notice a growing popularity of Telnet based Windows NT
servers, which replace Unix and VMS machines. Users on these machines
may never log on directly to such a server via the well-known
CTRL-ALT-DEL logon procedure. These users cannot do without performing
at least basic tasks on the command line.

One of these tasks should be regular password changing. The designated
procedure for doing this in Windows NT is to press CTRL-ALT-DEL and
choose 'Change Password...', but no command line alternative is
available. Windows 95 has a 'net password' command, which is missing in
Windows NT. The 'net user' command allows changing passwords, but
execution is restricted to users with administrative privileges.

This utility offers the possibility for any user to change his password
on the command line or from within a batch file. You can even change
passwords for users other than yourself (or yourself on a different
domain or workstation), as long as you know the current password.


(b) Legal stuff
---------------

Disclaimer:
This program is provided "as is" and comes without any warranty of any
kind, either expressed or implied, including but not limited to fitness
for a particular purpose or a particular system. In no case shall the
author be liable for any damage or unwanted behavior of any computer
hardware and/or software, including but not limited to data loss or
time spent to recover your system. Do not test this program on your
production machines without a backup you know you can restore!

Using this program:
This program is intended as freeware. This means that anybody - private
users, companies or educational institutions - may USE it WITHOUT A
FEE. However, users in a COMMERCIAL environment are encouraged to
support the development of free software by sending me any amount of
money you believe this utility is worth for your needs.

Distributing this program:
This program may be distributed under the GNU Public License. See the
file LICENSE for details.


(c) Implemented and tested platforms
------------------------------------

This program is compiled for Intel machines only. I have access to a
DEC Alpha machine, but no C compiler running at the moment. However, it
is possible to use it with the FX32 emulator.

The program runs on Windows NT, NOT on Windows 95. It has been tested
on NT 4.0 only. However, I see no reason why it should not work on
NT 3.51. I would appreciate feedback.

Passwords can be changed for local users on an NT Workstation or
standalone NT Server, as well as for domain users from any Workstation
in the domain, any standalone Servers and the Domain Controller(s)
itself where the user can log on. I have not tested a workgroup
environment, please give me feedback as well.


(d) Installation
----------------

No installation steps are necessary to use this utility.
However, for easy use, it is recommended that you either copy the file
'passwd.exe' to any directory in your path, or add the directory where
'passwd.exe' resides to your path.

If you are using NTFS, make sure that anybody other than yourself has
no more than READ (RX) permission on the file, to prevent tampering by
someone installing a Trojan Horse in place of the original program. If
you are using FAT, you have to trust all your users.

No special privileges (user rights) are needed to run this program.


(e) Usage
---------

'passwd' is easy to use: simply type 'passwd' on the command line. It
will prompt you for your current password (to prevent someone from
changing your password while you have left the room and forgotten to
lock your workstation), and twice for the new password (to prevent
typing errors, since you don't see what you type in).

- By default, 'passwd' displays a '*' for each character you type in.
- You can delete the last character(s) by pressing the Backspace key.
- You can press CTRL-C at any time before pressing ENTER at the
  'Verification:' prompt to stop 'passwd'.
- Moving around with the cursor keys is NOT supported.

Further, 'passwd' has several command line options:

  -q    quiet mode:
        This switch suppresses the display of a '*' for each character
        typed in, so if somebody is watching you while you have to
        change your password, he won't even have a clue how long your
        password is (and was).

  -i    info mode:
        This switch displays the username and the domain for which the
        password will be changed. This is useful if you work under
        several accounts and don't have a 'whoami' utility at hand.

  -p oldpass newpass
        passwords:
        You can use this switch to supply the old and new password
        directly on the command line; you will not be prompted for a
        verification. This non-interactive mode can be used in a batch
        file. However, make sure nobody is watching you while you type
        in your passwords on the command line, and don't leave any
        batch files world readable!
        THIS IS A BIG SECURITY ISSUE AND MAY UNDERMINE YOUR SYSTEM!

  -u user
        set user:
        Change the password for a different user, not yourself. This is
        POSSIBLE WITHOUT SPECIAL PRIVILEGES, unless the 'Users must log
        on in order to change password' option in User Manager is
        checked. All you have to know is the password of the specified
        user.

  -d domain
        set domain:
        Set the password for a different domain or machine than the one
        you are currently logged on to. Especially useful in
        conjunction with the -u switch. See notes above.

You can set a NULL password interactively if allowed by the system, but
not with the -p switch.

You can use either -switch or /switch and can combine several switches
(e.g. passwd -iq). 'oldpass', 'newpass', 'user' and 'domain' must
follow the corresponding switch with a blank.

Type 'passwd -?' on the command line to get a short usage reminder.

RETURN VALUES
-------------

'passwd' delivers the following return values, which can be tested with
IF ERRORLEVEL...

  Value  Interpretation
    0    The password was changed successfully.
    1    An invalid command line was specified.
    2    The user has stopped execution with CTRL-C.
    3    The 'Verification:' did not match the 'New Password:'.
    4    The Windows NT API call for password changing failed.
         This may include, but is not limited to:
         - the old password is not correct
         - the new password is too short
         - you are not allowed to change your password
         ...

In case of return value 4, an error message is printed. These come from
and are sometimes not very clear. Use your imagination!

Further, in case the password could not be changed, you will notice a
delay of several seconds before the message is printed. I assume this
is a security feature to prevent bulk password changing attacks.
Changing the password with the usual CTRL-ALT-DEL dialog shows the same
behavior.

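The return values above can be tested in a batch file as follows. This
is an added example, not part of the original PASSWD distribution; the
labels and messages are illustrative, and 'passwd' is called without -p
so that no password is stored in the file.

```batch
@echo off
rem Added example; not part of the original PASSWD distribution.
rem passwd is run WITHOUT -p, so no password is stored in this file
rem or visible on the command line; the user is prompted instead.
passwd -i

rem "IF ERRORLEVEL n" is true for a return value of n OR HIGHER,
rem so test the documented values from highest to lowest.
if errorlevel 5 goto unknown
if errorlevel 4 goto apifail
if errorlevel 3 goto mismatch
if errorlevel 2 goto stopped
if errorlevel 1 goto badargs

echo Password changed.
goto end

:badargs
echo passwd reported an invalid command line (return value 1).
goto end

:stopped
echo Password change stopped with CTRL-C (return value 2).
goto end

:mismatch
echo Verification did not match the new password (return value 3).
goto end

:apifail
echo Windows NT rejected the change (return value 4); see the message above.
goto end

:unknown
echo passwd returned a value not listed in this README.
goto end

:end
```
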

(f) Feedback
------------

If you have any suggestions, ideas for improvements, problems or
anything else, send an e-mail to

    Alexander.Frink@Uni-Mainz.DE

or snailmail to

    Alexander Frink
    Hermann Schauss Str. 8
    D-65232 Taunusstein
    Germany