Q. How can I control access to the IISADMPWD virtual directory?

A. When you use the default IISADMPWD virtual directory to enable a Web page where users can change passwords, as I discussed in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?", the Microsoft IIS server sends the user's password information unencrypted over the network, which creates a security risk. To avoid transmitting unencrypted passwords, you must enable Secure Sockets Layer (SSL) by following these steps:

  1. Start a command prompt by clicking Start, Run and typing
  2. Navigate to the C:\Inetpub\Adminscripts directory.
  3. At the command prompt, type
    adsutil.vbs set w3svc/1/PasswordChangeFlags 0
    This command runs the adsutil.vbs script, which sets the password change option (specified by the PasswordChangeFlags value). The w3svc/1 parameter means the first default Web site; 0 means SSL is required. Setting the PasswordChangeFlags value to 1 specifies that SSL isn't used. (Setting the value to 2 disables the user's ability to change the password.)
  4. Restart the IIS server to effect the change.
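
To confirm the setting afterward, the following added example (not part of the original FAQ, and not Microsoft's code) reads PasswordChangeFlags for every Web site on the server rather than only w3svc/1, and reports any site that has the value 1. It assumes the IIS ADSI provider is available on the server and that you run it from an administrator command prompt; the file name audit-pwdflags.vbs is hypothetical.

```vbscript
' Added example: report PasswordChangeFlags for every Web site on the local
' IIS server through the IIS ADSI provider (assumed to be installed).
' Run with: cscript //nologo audit-pwdflags.vbs   (hypothetical file name)
Option Explicit

Dim svc, site, flags, weak
weak = 0

' W3SVC holds one IIsWebServer child per Web site; child "1" is w3svc/1.
Set svc = GetObject("IIS://localhost/W3SVC")

For Each site In svc
    If site.Class = "IIsWebServer" Then
        flags = ReadFlags(site)
        WScript.Echo "w3svc/" & site.Name & ": " & Describe(flags)
        If flags = 1 Then weak = weak + 1
    End If
Next

If weak > 0 Then
    WScript.Echo weak & " site(s) accept password changes without SSL."
    WScript.Quit 1   ' nonzero exit code so a scheduled check can alert
End If
WScript.Quit 0

' Returns the site's effective value, or -1 if the value cannot be read.
Function ReadFlags(obj)
    On Error Resume Next
    ReadFlags = obj.Get("PasswordChangeFlags")
    If Err.Number <> 0 Then
        ReadFlags = -1
        Err.Clear
    End If
    On Error GoTo 0
End Function

' Describes the three values covered in the FAQ; others are shown as-is.
Function Describe(v)
    If v = 0 Then
        Describe = "0 (SSL required)"
    ElseIf v = 1 Then
        Describe = "1 (SSL not used, password sent unencrypted)"
    ElseIf v = 2 Then
        Describe = "2 (password change disabled)"
    ElseIf v = -1 Then
        Describe = "value could not be read"
    Else
        Describe = v & " (value not covered in this FAQ)"
    End If
End Function
```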