Guy's Scripting Ezine 122 - Changing Passwords
N.B. Updates from D.A. and Sean Hook
What I can do for you this week is create a script which will reset Active Directory passwords. Last week I was rude about DontDisplayLastUserName; three readers kindly sent in valid reasons for using this setting to clear the logon dialog box of the last user's name. When will Guy learn not to be rude about a setting! This week I have a request of you: can you help me and the other readers by giving us a command that will 'walk the Active Directory tree'? My request is for a VBScript loop that will check not just one OU, but all OUs. What I am after is the equivalent of the DOS command dir /s, where /s says look in all the sub-directories.
Follow up to Guy's request to: 'Walk the Active Directory Tree'
I am delighted to say that it does seem possible to write code that will interrogate not one OU, but the entire Active Directory tree. Here is the next stage of my quest to 'Walk the Active Directory Tree'. D.A. kindly sent this script in response to my request. It looks good and comprehensive. I will write more about it when I have dissected it more fully. Meanwhile you can download D.A.'s OUListing.
Sean Hook kindly sent this snippet. The idea is to create an ADO connection. I have a similar script to read from Active Directory, but I have yet to persuade it to write values. The key command is subtree.
Below is a command line I am creating in one of my scripts. You set the value to search for, then the attributes of the object you want, then how to search. The final value "subtree" is the parameter you specify to LDAP to view all subcontainers. Example:
oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
   ">;(&(memberOf=" & sGroupName & "));extensionAttribute1,sn,givenName,sAMAccountName;subtree"
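As an added example (not from the ezine or from Sean's script), the command string above has four parts, base;filter;attributes;scope, and the code below assembles it from a criteria dictionary, escaping every value per RFC 4515 so that a description or group name containing '(' or '*' cannot change the meaning of the filter. The naming context and criteria used at the bottom are constructed sample values; the scope names base, onelevel and subtree are the ones the ADO LDAP dialect accepts.

```python
# Added example: build the ADO "LDAP dialect" command string
#   <LDAP://base>;(filter);attr1,attr2;scope
# Scope "subtree" searches the base and every container beneath it, which is
# what 'walking the Active Directory tree' needs; "onelevel" stops at the
# immediate children, like a For Each over a single OU.

# RFC 4515 escapes for literal values placed inside an LDAP filter.  Without
# them a value containing ')' or '*' alters the whole filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

SCOPES = ("base", "onelevel", "subtree")


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(criteria: dict) -> str:
    """AND together attribute=value pairs; every value is escaped."""
    clauses = "".join(f"({a}={escape_filter_value(v)})" for a, v in criteria.items())
    return f"(&{clauses})" if len(criteria) > 1 else clauses


def build_command_text(naming_context: str, criteria: dict, attributes,
                       scope: str = "subtree") -> str:
    """Return the string to assign to oCommand.CommandText."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    return f"<LDAP://{naming_context}>;{build_filter(criteria)};{','.join(attributes)};{scope}"


if __name__ == "__main__":
    # Constructed sample over a made-up naming context: the 'is it a user' and
    # 'Description = Year 1' tests expressed as one server-side filter.
    # Computer objects also carry objectClass=user, so objectCategory=person
    # is added to exclude them.
    print(build_command_text(
        "DC=example,DC=com",
        {"objectCategory": "person", "objectClass": "user", "description": "Year 1"},
        ["sAMAccountName", "sn", "givenName"]))
```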
Why passwords this week? The answer is that in my mind's eye, I see a lot of schools and colleges returning after the summer break. When their holiday euphoria wears off, administrators face the problem that over the vacation the students have forgotten their passwords. In addition, they may need to create passwords for the new students, or 'joiners' in the case of a corporation.
Therefore our mission is to create a VBScript which will not only reset the password, but also ensure that the users change this temporary password at first logon. To digress, I once went to a military establishment where the sergeant major had the names and passwords on slips of paper; the privates marched into his office, read their piece of paper, memorised it, then had to eat the slip of paper. Finally, they made a quick about turn, marched out and logged on at their computers. I expect you will use a different method to inform the users of their passwords!
Last week I was serious about making greater use of the 'If..then..end if' logic. In the case of resetting the passwords we could add extra logic to say, 'Script, only reset the password if a certain condition is met'. At its simplest, the logic could say, 'If this is a user account and not a computer account, then reset the password'.
Let us assume that you have inherited the situation where all the user accounts are in the Active Directory Users container, as opposed to filed in OUs. Potentially, you could irritate members of staff who don't need their password reset. Judicious use of logic will save you getting abuse from those who did not need their password changing. One example of the logic I recommend is, 'If Description = First Year then reset the password'. Another example, 'If Description is not equal to staff, go ahead and reset the password'.
Perhaps you can see why I would love a command which would 'walk the Active Directory tree' and reset every account that matched my criteria. I say again, if you know of such a command, please share it with me and I will publish the code with a credit to you.
Guy Recommends: Solarwinds' Free Bulk Import Tool
Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as a .csv file. Then launch this FREE utility and match your fields with AD's attributes, click, and import the users. Optionally, you can provide the name of the OU where the new accounts will be born.
There are also two bonus tools in the free download, and all 3 have been approved by Microsoft:
- Bulk-import new users into Active Directory.
- Seek and zap unwanted user accounts.
- Find inactive computers.
Download your FREE bulk import tool.
Pre-requisites
You really do need an Active Directory domain for this VBScript to work. Either create an OU called students and populate it with a few users, or else change the value of strOU (strContainer in the script below) to match your organization.
Instructions
- Copy and paste the script below into Notepad or get a script editor such as OnScript.
- Save the file with a .vbs extension, e.g. StudentPwd.vbs
- Double click your script and check the message box.
- Log on as one of the user accounts and check the password and the fact that you have to change it at first logon.
' StudentPwd.vbs
' Example VBScript to change a user's password
' Version 1.2 - August 2006
' ---------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

' --------------------------------------------------------'
' Note: Please change OU=Students, to reflect your domain
' --------------------------------------------------------'
strContainer = "OU=students, "
strPassword = "F@rst0ne"
intAccValue = 544
intPwdValue = 0
intCounter = 0

' -------------------------------------------------------'
' Makes the user change F@rst0ne password at first logon
' -------------------------------------------------------'
' Bind to RootDSE so the script finds the domain's DN for itself
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)

' Enumerate the direct children of the OU (this does not descend into sub-OUs)
For Each objUser In objOU
   If objUser.class = "user" Then
      objUser.SetPassword strPassword
      objUser.SetInfo
      objUser.Put "pwdLastSet", intPwdValue
      objUser.SetInfo
      objUser.Put "userAccountControl", intAccValue
      objUser.SetInfo
      intCounter = intCounter + 1
   End If
Next

WScript.Echo strPassword & " is Password. UserAccountValue = " _
   & intAccValue & vbCr & intCounter & " accounts changed"
WScript.Quit
' End of change password example VBScript
VBScript Learning Points
Note 1: .SetInfo is a vital scripting command, the equivalent of pressing the OK button in the dialog box.
Note 2: userAccountControl also has values of 512 (enabled) and 514 (disabled). In this instance we set it to 544, meaning change password at next logon.
Note 3: To complete the change password at next logon we need to set pwdLastSet = zero.
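As an added example (not from the ezine), the code below decodes the userAccountControl bitmask so you can see exactly which flags 512, 514 and 544 switch on, and audits a few constructed account records in the state StudentPwd.vbs leaves them. The flag bits are Microsoft's documented ADS_USER_FLAG_ENUM values; the sample records are constructed, not read from a live directory.

```python
# Added example: userAccountControl is a bitmask, so a value such as 544 is
# the sum of individual documented flags rather than a single setting.

# Bit values from Microsoft's ADS_USER_FLAG_ENUM (subset relevant here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list:
    """Return the names of every flag set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def must_change_at_next_logon(pwd_last_set: int) -> bool:
    """pwdLastSet = 0 is the attribute that forces a change at first logon."""
    return pwd_last_set == 0


def audit_account(account: dict) -> list:
    """Return human-readable findings for one (constructed) account record."""
    findings = []
    flags = decode_uac(account["userAccountControl"])
    # 544 = 0x200 NORMAL_ACCOUNT + 0x20 PASSWD_NOTREQD.  PASSWD_NOTREQD lets the
    # account bypass the domain's minimum password length, so it is worth a finding.
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWD_NOTREQD set: account may hold an empty password")
    if "ACCOUNTDISABLE" in flags:
        findings.append("account disabled")
    if must_change_at_next_logon(account["pwdLastSet"]):
        findings.append("must change password at next logon")
    return findings


if __name__ == "__main__":
    # Constructed sample records mirroring what the script writes (544, pwdLastSet 0),
    # plus an untouched staff account and a disabled one.
    sample = [
        {"sAMAccountName": "student01", "userAccountControl": 544, "pwdLastSet": 0},
        {"sAMAccountName": "staff01", "userAccountControl": 512, "pwdLastSet": 132000000000000000},
        {"sAMAccountName": "leaver01", "userAccountControl": 514, "pwdLastSet": 0},
    ]
    for acct in sample:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]), audit_account(acct))
```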
Guy Recommends: A Free Trial of the Network Performance Monitor (NPM)
Solarwinds' Orion performance monitor will help you discover what's happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM's best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMWare virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you take advantage of Solarwinds' offer.
Download a free trial of the Network Performance Monitor.
In this example we will add logic. The underlying idea is that we only change the user's password if another property of the user object matches a particular value. I have selected Description = "Year 1". It would give me great joy if you experimented with both the property (Description) and the value ("Year 1"). Naturally you have to make the corresponding adjustments to the values of your user accounts; otherwise, when the script runs, nothing will happen. This script also adds an 'If' statement so that only user accounts are changed.
' LoopPwd.vbs
' Example VBScript to change a user's password
' Version 2.3 - August 2006
' ---------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword, strDescription
Dim intCounter, intAccValue, intPwdValue

' --------------------------------------------------------'
' Note: Please change OU=Students, to reflect your domain
' --------------------------------------------------------'
strContainer = "OU=students, "
strPassword = "F@rst0ne"
intAccValue = 544
intPwdValue = 0
intCounter = 0

' -------------------------------------------------------'
' Makes the user change F@rst0ne password at first logon
' -------------------------------------------------------'
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)

' Note first 'If Then' to check it's a user
' Note second 'If Then' to check Description = "Year 1"
' -------------------------------------------------------'
For Each objUser In objOU
   If objUser.class = "user" Then
      ' Reading a description that was never set raises an ADSI error,
      ' so read it guarded and treat a missing value as an empty string
      strDescription = ""
      On Error Resume Next
      strDescription = objUser.Get("description")
      On Error GoTo 0
      If strDescription = "Year 1" Then
         objUser.SetPassword strPassword
         objUser.SetInfo
         objUser.Put "pwdLastSet", intPwdValue
         objUser.SetInfo
         objUser.Put "userAccountControl", intAccValue
         objUser.SetInfo
         intCounter = intCounter + 1
      End If
   End If
Next

WScript.Echo strPassword & " is Password. UserAccountValue = " _
   & intAccValue & vbCr & intCounter & " accounts changed"
WScript.Quit
' End of change password example VBScript
If you are looking for handy network utilities, try some of the free downloads at Tools4Ever.
Learning Points
Note 1: This script uses one of my favourite constructions, If (test) Then ... (do) ... End If. Moreover, it uses 'If' not once but twice. The first 'If' filters only user accounts (as opposed to computer accounts), while the second 'If' filters users whose description matches "Year 1".
Note 2: Challenge 1: Try different criteria for the second 'If Then' test. I challenge you to research more useful LDAP properties, for example physicalDeliveryOfficeName, department or location. Challenge 2: Try different values for userAccountControl, for example 514, which disables the account.
Creating a basic script to change the password is straightforward. You also need a few more commands, such as pwdLastSet, to control precisely what happens at first logon. Going the extra distance and employing 'If then' logic makes the script more flexible.