My understanding is that, in order to change a user password (either in the
local machine accounts or the domain) the user _must_ be able to locally log
into the computer (or a member computer in a domain). There is no means
that I'm aware of to effect this change.
It may be possible that there are third party password tools that you can
enable for your users, but anytime you expose an interface for security
features, you run the chance of compromising your system.
I'd suggest that, instead of requiring passwords to change, enforce a very
strong passphrase system (requiring at least 15 characters). Why do I
suggest a passphrase of 15 characters? As Mark Minasi has pointed out:
+++
1) Disable complex passwords. They make people type them slowly and shoulder
surfing is easy. Allow all lowercase.
2) Set minimum length to 15.
3) Stop saying "password," say "passphrase." A 15 character password sounds
hard to come up with. But a passphrase? Simple and typed quickly.
Passphrases are easy to remember and easy to make long --
"idontknowimjustmakingthisup" is 27 characters.
=15 chars kills LM hashes automatically, no Reg hacks needed.
=15 chars is uncrackable in practical terms. Assume that we ONLY check
lowercase letters. Assume we've got a cracker that checks one million
possibilities per second. (An insanely optimistic scenario.) It would take
53 million years to try every possibility. Once the 100 terahertz chips
appear then of course things will change...<g>
+++
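As an added illustration (this is not code from the original post or from Mark Minasi), the arithmetic behind the "53 million years" figure above, generalized into a small policy comparison: the same brute-force time for a 15-character lowercase passphrase, an 8-character lowercase password and an 8-character "complex" password drawn from the 95 printable ASCII characters, all at the quoted rate of one million guesses per second. The charset sizes, the policy names and the 365.25-day year are assumptions made here; the 14-character LM hash limit is standard Windows behaviour.

```python
# Added example: exhaustive-search cost of a password policy.
# Assumptions (not from the post): charset sizes below, a 365.25-day year,
# and the attacker rate of 1e6 guesses/second quoted by Minasi.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an attacker must try to exhaust every string of exactly
    `length` symbols drawn from an alphabet of `charset_size` symbols."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try the whole keyspace at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def lm_hash_stored(password: str) -> bool:
    """Windows only computes an LM hash for passwords of 14 characters or
    fewer; at 15+ characters the LM field holds the empty-password value,
    which is why the post says 15 characters "kills LM hashes"."""
    return len(password) <= 14


# Hypothetical policies to compare: name -> (charset size, minimum length).
POLICIES = {
    "8 lowercase": (26, 8),
    "8 complex (95 printable ASCII)": (95, 8),
    "15 lowercase passphrase": (26, 15),
}


def compare_policies(guesses_per_second: float = 1e6) -> dict:
    """Map each policy name to its worst-case brute-force time in years."""
    return {
        name: years_to_exhaust(cs, ln, guesses_per_second)
        for name, (cs, ln) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, years in compare_policies().items():
        print(f"{name:32s} {years:>16.3e} years")
    for pw in ("idontknowimjus", "idontknowimjustmakingthisup"):
        print(f"{pw!r}: {len(pw)} chars, LM hash stored = {lm_hash_stored(pw)}")
```

Running it shows the point Minasi is making: the 8-character complex policy that users type slowly falls in a few hundred years at this rate, while the all-lowercase 15-character passphrase takes roughly 53 million years and, as a bonus, leaves no LM hash on the machine.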