Way to allow non-admin users to remotely change a local password on a non-domained server
I have a very specific situation with one Windows 2008 R2 server in our environment that will be housing sensitive data. We have isolated it from the network as much as possible, including keeping it in its own workgroup. This server will host an application that a handful of users will access via a client on their Windows 7 workstations. They will be accessing the server only via a mapped drive that is necessary for the client application to work. The users will need granular permissions to folders within the share that will be mapped, so we cannot use a single generic account.

We are obviously going to need to create local user accounts for these users on the server, but we A) do not want them to have statically non-expiring passwords, B) do not want them to have access to the server directly, and C) don't want to rely on an admin to manually change the passwords and provide them to the users. The problem is that I have found no method to allow the users to change their passwords when they expire other than A, B or C.

I have experimented with the pspasswd tool from SysInternals, but cannot get it to work. The users are not admins on their machines nor on the server in question, but even when experimenting with local and server admin rights, I can't get the tool to run without throwing "Access is denied" errors. I've looked at a couple of other 3rd party tools (Lepide User Management, DameWare), but they either require an agent or service to be installed, are far too broad in scope, or have the same issue as pspasswd where they don't work without some higher elevated permissions (or not at all).

So, my question in a nutshell is pretty much summarized in the title: is there a way to allow non-administrators to change their local account passwords on a non-domained server remotely without logging onto the server?

As an aside, I was able to get the pspasswd tool to change a local account password on a domained machine running as an administrator, so I know it can change local account passwords remotely under certain circumstances.

Thanks, Rob
October 10th, 2012 5:57pm

Can you add an RDS/TS role on that server? My first idea would be to publish the "Manage my computer / localuser" from that server. (I am used to XenApp, but it should be possible with RDS (RemoteApp).)

MCP | MCTS 70-236: Exchange Server 2007, Configuring | Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/
October 10th, 2012 10:09pm

We're trying to avoid any kind of direct remote access if possible, but it seems less and less likely that we can avoid it. Rob
October 18th, 2012 12:36pm

That is the file you will need to publish; and no, they can't change their password if they do not log in, as the password is saved locally on the computer because it's in a workgroup. Any way you choose, they will have to enter their credentials. Otherwise, you could make your own tool, like: http://www.codeproject.com/Articles/14284/How-to-change-a-user-s-password-on-a-remote-comput

MCP | MCTS 70-236: Exchange Server 2007, Configuring | Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/
October 18th, 2012 10:38pm
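
One way to build the "own tool" suggested in the last reply, as an added example that is not from the thread or the linked article: a PowerShell wrapper around the Win32 `NetUserChangePassword` API, which authenticates the change with the account's current password instead of administrative rights. The function names `ConvertTo-PlainText` and `Set-RemoteLocalPassword`, the server name `APPSRV01` and the account `user1` are assumptions made for the example.

```powershell
# Added example, not from the thread. APPSRV01 and user1 are constructed placeholders.
Add-Type -Namespace Demo -Name NetApi -MemberDefinition @'
[System.Runtime.InteropServices.DllImport("netapi32.dll",
    CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
public static extern uint NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    # The API takes plain strings, so unwrap the SecureString and wipe the BSTR.
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

function Set-RemoteLocalPassword {
    param(
        [Parameter(Mandatory = $true)][string]$Server,    # workgroup server name
        [Parameter(Mandatory = $true)][string]$UserName   # local account on $Server
    )
    $old     = ConvertTo-PlainText (Read-Host 'Current password' -AsSecureString)
    $new     = ConvertTo-PlainText (Read-Host 'New password' -AsSecureString)
    $confirm = ConvertTo-PlainText (Read-Host 'Confirm new password' -AsSecureString)
    if ($new -cne $confirm) { throw 'New passwords do not match.' }

    # Passing a computer name as "domainname" runs the change against that
    # machine's local account database, authenticated by the old password.
    $status = [Demo.NetApi]::NetUserChangePassword("\\$Server", $UserName, $old, $new)

    switch ($status) {
        0    { "Password changed for $UserName on $Server." }
        5    { throw 'Access denied (ERROR_ACCESS_DENIED).' }
        86   { throw 'Current password is incorrect (ERROR_INVALID_PASSWORD).' }
        2221 { throw 'User not found on server (NERR_UserNotFound).' }
        2245 { throw 'New password rejected by password policy (NERR_PasswordTooShort).' }
        2351 { throw 'Computer name is invalid (NERR_InvalidComputer).' }
        default { throw "NetUserChangePassword failed with status $status." }
    }
}

# Example call, run by the user on the Windows 7 workstation:
# Set-RemoteLocalPassword -Server APPSRV01 -UserName user1
```

The server's own password policy still decides whether the new password is accepted, and the plaintext strings exist briefly in the workstation process's memory while the call runs.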
