Adding a button to the Windows 7 Logon screen

windows active-directory credential-providers
BastianW picture BastianW · Nov 8, 2012 · Viewed 12.3k times · Source

I want to implement a self reset password functionality for Windows 7 users. When the Logon screen prompts the domain users should be presented with a forgot password button which will open the password reset wizard. So the problem is how to add a command button to the standard windows logon screen?

I know about GINA in Windows XP as mentioned here: Adding command button to Windows Logon screen

But this topic is 3 years old, and with Vista / Windows 7 Microsoft came up with "Microsoft Windows Credential Provider".

Answer

ixe013 picture ixe013 · Nov 9, 2012

Those button are called "Tiles", and they are implemented in a Credential Provider. Anything you read about a Gina will not work in Vista or later.

Those tiles a created by the LogonUI.exe process, itself launched by Winlogon.exe. LogonUI.exe runs with high priviledges. You don't want to run anything there. Besides, any wizard you run will run under the system account. Security issues aside, anything that resets the password of the current user will not work.

But let's assume that you have a solution that can reset a user's password. Like a web site (or a local application) that :

  1. Ask for the user's name
  2. Ask some security questions
  3. Connects to Active Directory to reset the password

Then here is a way to implement the functionality.

Create a user, a domain user if possible. Give it a name and a password easy to remember, like "reset" and "reset". Make shure that everybody knows the password.

Change the shell of that user to Internet Explorer, that you would be running in kiosk mode, pointing to your web application.

Now when someone wants to reset their password, here is what they will do :

  1. Use the standard Windows Credential Provider, like they do every day, but with the user "reset" and the password "reset".
  2. Instead of the normal Windows shell, they will be presented with your password reset web application.
  3. The user resets their password and they are instructed to log off using CTRLATLDEL
  4. They can log in with their own username and brand new password.

This idea can be improved upon if you are ready to write some code:

  • Instead of Internet Explorer, write a simple web application that wraps the web browser control. if the application is closed, or any other funny business, logoff.
  • Hack one of the Credential Provider samples to supply the well know password reset username and password, making password reset merely a click away
  • Change that password reset credential provider's image to reflect the password reset functionnality.

Related questions

Get user's non-truncated Active Directory groups from command line

I often use the net user command to have a look at AD groups for a user: net user /DOMAIN <username> This works well, however the group names are truncated to around 20 characters. And in my organization, most …

Read More
Domain Account keeping locking out with correct password every few minutes

I have user whos account is keeping locking out every 30 minutes. Done all the checks, remove any cache passwords, created new profile, delete password from IE. It locks out even when user is using his account (he is logged in ) …

Read More
Is there a way to check AD group membership for a computer?

I am trying to check computer group membership through Powershell. I want to be able to specify a certain computer name and find which groups that computer is in but from a Powershell script. I am planning on running the …

Read More