Microsoft Content Management Server Resources
MCMSfaq.com
Spencer Harbar is an MVP for MCMS.


Wednesday, June 29, 2005

Changing Passwords

Via Angus, I saw a link to a "free web part" that allows a user to change their password.

A topic close to my heart as an IIS guy (from pre v1) and an 'ex'-infosec guy.

This is NOT cool.

Firstly, SPS/WSS is a partial trust environment, and for damn good reasons. Calling password reset APIs (or System.DirectoryServices for that matter) from this environment is NOT good - hence why password reset is not a part of the product.
SPS is a partial trust environment; the policy implemented is in place by design. Follow the rules...

Secondly, and most importantly, EVERY copy of Windows Server 2003 ships with this functionality - for free - tested and developed by the world's largest software company (who have some nae bad coders BTW) - and security audited by the leading infosec types (Foundstone et al.). It's called IISADMPWD and has been in IIS forever.

Some time ago IISADMPWD got a bunch of grief 'cos it had security flaws (HTRs), these have been fixed. Period. Go ahead and try to break it. If you can, email the Security Response Center, you never know, they may hire you.

Creds are THE critical infosec control, they are THE gatekeeper, DO NOT implement some "free" widget which has the potential to compromise them!

IISADMPWD also handles expired and about-to-expire creds, and is configurable and customisable to use ANY user interface you may desire.

Use what you get free with your Windows 2003 licence - you know it makes sense.

The way this works is...

Simple is best. Who do you trust for password management? The vendor who has implemented it as part of the base platform, or a community widget...?

Apologies for the rant, but it had to be said.

© 2001 - 2006 Triumph Media Limited. All rights reserved.
Microsoft Corporation is in no respect affiliated with www.mcmsfaq.com.