I recently helped a co-worker solve a problem with SharePoint and user account password expiration.  The SharePoint site in question uses local accounts to give access to SharePoint.  These accounts are only used for SharePoint access and will never have anything to do with Exchange or logging into a desktop.  Company security policy requires 90 day password changes and also for the initial password to be changed immediately.

The problem arises when one of these SharePoint users log in to the site with ‘User Must Change Password at Next Logon’ checked on their local account (or when the password has expired).  The user can successfully enter their id and password, but they aren’t allowed into the site because they must change their password.  Since they are authenticating through IIS to SharePoint, there are no facilities out of the box to notify them of the ‘must change password’ condition.  With a few simple steps, you can provide this functionality to the user.

There is a big CAVEAT EMPTOR here!  These steps will provide a web based password change mechanism to your users.  These steps will also provide a password change mechanism to those who are not your users.  This public password change page exposes you to a DOS attack against your accounts.  If I know the name of one of your accounts, I can go this page and issue multiple bad passwords in an attempt to change the password.  This will trigger an account lockout (assuming you have enabled account lockout) which will prevent the real user from accessing SharePoint.

Ok. To setup the password change feature, you have to do the following:

1. For the SharePoint site, add a new virtual directory to IIS6 (e.g. named "iisadmpwd") and point it to "c"\windows\system32inetsrv\iisadmpwd".  Ensure it has Read and Run Script permissions. Make sure that anonymous access authentication is enabled for the IISADMPWD virtual directory.
   
2. Exclude this directory in the "Managed Paths" section of the SharePoint site.
   
3. Set the PasswordChangeFlags value for the website to 0 in the IIS metabase. To set the PasswordChangeFlags value in the metabase, launch a command prompt and change to the Inetpub\Adminscripts folder. Type the following command:
   
   adsutil.vbs set w3svc/1/PasswordChangeFlags value
   
   where value is one of the following values 
   
   Value Description
   0       Password changing requires SSL. 
   1       Password changing is permitted on non-secure ports. 
   2       Password changing is disabled. 
   4       Advance notification of password expiration is disabled. 
   
   and w3svc/1 is the default Web site, you’ll need to replace the 1 with the id number of the SharePoint site.
   
   The following sample command shows how to change the metabase
   PasswordChangeFlags setting to 0: 
   
   adsutil.vbs set w3svc/1/passwordchangeflags 0
   
4. Next, we need to tell IIS that we want it to pre-notify people when therir password is about to expire.  This is optional.  To do this, we simply make another metabase entry:
   
   adsutil.vbs set w3svc/1/PasswordExpirePreNotifyDays 4
   
   where value is the number of days before expiration they start getting reminded. And w3svc/1 is the default Web site, you’ll need to replace the 1 with the id number of the SharePoint site.

At this point you should be ready to go.  If you have any problems, there is a good Microsoft Knowledge Base article at http://support.microsoft.com/kb/833734/ on troubleshooting.

The password change functionality in IIS uses a number of pages in the IISADMPWD directory.  Here is a brief explanation of which is which:

/iisadmpwd/achg.asp: This page does the actual password change work.

/iisadmpwd/aexp.asp: This page displays the password change form for a user whose password has expired. Make sure that you type the account name in the "domain\username" format.

/iisadmpwd/aexp3.asp: This page displays the password change form when SSL is not used.

/iisadmpwd/anot.asp: This page appears when a user's password expires earlier than the number of days that are specified in the PasswordExpirePreNotifyDays entry.

/iisadmpwd/anot3.asp: This page appears if a user's password expires earlier than the number of days that are specified in the PasswordExpirePreNotifyDays entry when SSL is not used.