Ezine 170 - QAD PowerShell Script to Change Passwords

This is the time of year when many organizations have a new tranche of joiners and leavers, so administrators are looking for a script to set passwords in bulk. Here is PowerShell's equivalent of a VBScript to control passwords.
This Week's Secret

Scripts which modify Active Directory accounts face a dilemma; the problem is summed up by the word 'scope'. Let me explain what I mean. When testing I am grateful that mistakes are confined to the test OU. However, once a script works beautifully, readers want that code to change accounts in lots of OUs. I remember that with VBScript it took a great deal of clever scripting to create a sub-routine which drilled down through child OUs. With PowerShell just two parameters, -searchRoot and -searchScope, reproduce the recursive drill-down that took VBScript ten lines of code to achieve.

This Week's Mission

This week's mission is to reset passwords for a bunch of users. The centrepiece of our script is the QADUser object, which you obtain by adding a snapin to your regular PowerShell. Rather than issuing a big disclaimer that nobody would read, I just want to ask you this question: 'How much protection from a rogue script do you need?' A separate test domain would be ideal; however, if you only have one domain, then I recommend you create a test OU with a handful of users. My biggest fear is that my reader from hell misunderstands the variable which holds the Active Directory reference. As a result, their script runs amok and changes zillions of ordinary users' passwords. Hence my strong suggestion to begin with a special OU with a name like 'TEST'.

Pre-requisites and Checklist
a) Download, then install both PowerShell and the .Net Framework (from Microsoft's site).
b) Download the QAD (Quest Active Directory) cmdlets.
c) Before you can run any scripts, adjust the script execution policy; type the set-ExecutionPolicy command at the PowerShell command-line (RemoteSigned is the usual minimum, since it still insists that downloaded scripts be signed). See the separate page on the PowerShell set-ExecutionPolicy command.
d) 'Wire-up' the QAD cmdlets with the Add-PSSnapin command, naming the Quest snapin.
e) Now your QAD cmdlets are available, and ready for action.

Yet more pre-requisites (sorry)

f) You need access to Active Directory. To save firewall complications, logon at a domain controller in a test network (Virtual PC?).
g) Vital. You must not only find the variable $OU in my script, but also amend its value to reflect your domain and your Organizational Unit.

Objective 1 - To Set a Value for a User's LDAP Field Called 'Description'

My objective here is twofold. Firstly, to practise scripting in a relatively harmless fashion: changing a user's property called 'Description' is less intrusive than changing their password. Secondly, if we add a known description to just a few test users, then we have a 'handle' to filter Active Directory. In Objective 2 I want to create a script which says, 'If Description = xyz, then change the password'.

# PowerShell QAD script to change a user's description
$OU = "YourDomName/YourOu"
get-QADUser -searchRoot $OU | set-QADUser -description "YourDescription" | FT name, description

Learning Points

Note 1: Never miss a chance to learn a PowerShell verb; mostly you employ 'get', but observe that here we also employ the more potent verb, 'set'.

Note 2: Observe how I reinforce the idea of piping (|); the output of 'set' becomes the input of FT, which stands for format-Table.

-searchScope Challenge

To test a second parameter called -searchScope, I invite you to create a child OU underneath your test OU. Create, or move, a few test accounts into this child OU. Now you are ready to experiment with this -searchScope parameter. Try:

get-QADUser -SearchRoot $OU -SearchScope 'OneLevel' | `
FT name, description

Other possible values in place of 'OneLevel' are 'Base' and 'SubTree'. 'Base' returns only the object named by -SearchRoot itself, 'OneLevel' returns its immediate children (the users directly in $OU, but not those in the child OU), and 'SubTree' returns everything beneath it, child OUs included. SubTree is the default when you omit -searchScope, which is exactly why a carelessly chosen $OU reaches so far.

Objective 2 - QAD Script to Change Passwords

Here is a script which sets the password for users in a named OU. Examine how the variable $OU specifies the precise location of the user accounts in your domain. Be aware: this script has two safety catches. Firstly, it changes only users with a specific value for Description; secondly, I use the -whatIf parameter to test the output. If the script looks as though it will do as you intended, then remove the last line.

# PowerShell QAD script to change users' passwords
$OU = "YourDomName/YourOu"
get-QADUser -searchRoot $OU | where-Object {$_.description -eq "YourDescription"} | set-QADUser -userPassword "YourNewPassword" `
-whatIf

Note 1: set-QADUser has different parameters from get-QADUser; for example, 'set' has a parameter called -userPassword.

Note 2: As mentioned previously, this script has a 'where' clause which acts as an extra check that you are changing the users with a particular description. Once you understand how this script works, you could remove the 'where-Object' clause.

Note 3: Every account in the batch ends up with the same password, so until each user changes it, anyone in the batch (and anyone who can read the script) can log on as anyone else in it. Keep the script out of shared locations, and pair it with Objective 3 so that the shared value is good for one logon only.

Objective 3 - Changing the Passwords with userMustChangePassword

Beware: this QAD script has NO safety catch. If you prefer an element of safety, you could append the -whatIf parameter, as in the script above.

# PowerShell script to change users' passwords
$OU = "YourDomName/YourOu"
get-QADUser -searchRoot $OU -searchScope 'OneLevel' `
| set-QADUser -userPassword "YourNewPassword" -userMustChangePassword 1

Note 1: userMustChangePassword sounds interesting. Most of PowerShell's parameters seem much friendlier than the equivalent pwdLastSet and userAccountControl of VBScript.

Note 2: Setting userMustChangePassword 1 looks easy and logical enough. However, I only hit upon this value after failing with = "Yes", True, and "1". You need just numeric one with no speech marks, and no equals sign. The reason is that -userMustChangePassword is a Boolean parameter, and PowerShell binds only Boolean values and numbers ($true, $false, 1 or 0) to such a parameter: a quoted "1" or "Yes" is a string and is rejected, and an unquoted True in argument position is also just the string "True". The idiomatic value is $true; 1 works because it converts to $true.

Note 3: Observe how I appended the -userMustChangePassword parameter: no comma, no semi-colon, just a space, because PowerShell separates the parameters of a single command with whitespace.

Warning: If you are not sure of what's happening here, I strongly recommend you add -whatIf to the last line.

For those who know what they are doing, it is possible to create a script which changes all Active Directory accounts. The secret is to persuade the script to start at the domain root. The way you achieve this dangerous task is to shorten the $OU assignment so that it names only the domain, followed by a slash, with no OU after it. The result would be a script which can 'get', or 'set', all the accounts in your domain.

Summary of PowerShell Change Password

If you have to set, or reset, the password for a batch of users, it makes sense to develop a PowerShell script. While it takes not inconsiderable preparation to obtain and install the QAD snapin, it is worth it when it comes to creating scripts which create and modify your Active Directory accounts. Remember the lifesaver known as 'whatIf': any script that makes wide-ranging, and potentially dangerous, changes to Active Directory benefits from appending -whatIf to your command.
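The three objectives, collected into one script, as an added example. This is not the ezine's own code. It assumes the Quest snapin is registered under the name Quest.ActiveRoles.ADManagement (the name Quest ships it with) and that $OU is a canonical path such as 'YourDomName/TEST'; the Description marker text, the switch names and the password alphabet are my choices. It also goes beyond the page in three ways: it refuses a $OU that is the bare domain root, it runs every Set-QADUser with -WhatIf unless you pass -Commit, and it gives each account its own random password instead of one shared value.

```powershell
<#
  Added example, not the ezine's script. Assumes the Quest snapin name
  Quest.ActiveRoles.ADManagement; $OU and $Marker are placeholders to amend.
#>
param(
    [string]$OU     = "YourDomName/TEST",   # canonical path; never the bare domain root
    [string]$Marker = "Ezine170-test",      # Description value that marks accounts in scope
    [ValidateSet('Base', 'OneLevel', 'Subtree')]
    [string]$Scope  = 'OneLevel',
    [int]$Length    = 16,
    [switch]$TagOnly,                       # Objective 1: stamp Description, change nothing else
    [switch]$Commit                         # without -Commit every Set-QADUser runs with -WhatIf
)

# 1. Wire up the QAD cmdlets (safe to run twice).
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# 2. Safety catch: "YourDomName" or "YourDomName/" would put the whole directory in scope.
if ($OU -notmatch '^[^/]+/[^/]+') {
    throw "Refusing to run: `$OU='$OU' is the domain root. Point it at a test OU."
}

$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

function Get-SecureRandomIndex {
    # Uniform integer in 0..($Max-1). Bytes at or above the largest multiple of $Max
    # are rejected, so the result has no modulo bias.
    param([int]$Max)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return ([int]$buf[0]) % $Max
}

function New-RandomPassword {
    # One character from each class satisfies the default complexity policy; the
    # remainder is drawn from the union of all classes, then the whole is shuffled.
    param([int]$Length = 16)
    $classes = @('abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#$%&*+-=?@')
    $all     = $classes -join ''
    $chars   = @()
    foreach ($class in $classes) { $chars += $class[(Get-SecureRandomIndex $class.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-SecureRandomIndex $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {        # Fisher-Yates shuffle
        $j = Get-SecureRandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

$whatIf = -not $Commit
Write-Host ("Scope: {0} ({1})  WhatIf: {2}" -f $OU, $Scope, $whatIf)

if ($TagOnly) {
    # Objective 1: give the test accounts a known Description to filter on later.
    Get-QADUser -SearchRoot $OU -SearchScope $Scope -SizeLimit 0 |
        Set-QADUser -Description $Marker -WhatIf:$whatIf |
        Format-Table Name, Description -AutoSize
    return
}

# Objectives 2 and 3: only accounts carrying the marker are touched, each gets its
# own password, and the user must change it at first logon.
Get-QADUser -SearchRoot $OU -SearchScope $Scope -SizeLimit 0 |
    Where-Object { $_.Description -eq $Marker } |
    ForEach-Object {
        $password = New-RandomPassword -Length $Length
        $_ | Set-QADUser -UserPassword $password -UserMustChangePassword $true -WhatIf:$whatIf | Out-Null
        New-Object PSObject -Property @{
            SamAccountName  = $_.SamAccountName
            DN              = $_.DN
            InitialPassword = $password      # hand to the user out of band; do not leave on disk
            Committed       = $Commit.IsPresent
        }
    }
```

Run it three times: `-TagOnly` to preview the Description change and `-TagOnly -Commit` to apply it, then with no switches to see the 'What if' lines for the resets, and finally `-Commit`. The objects it emits carry the initial passwords, so if you pipe them to Export-CSV, write to a location only you can read and delete the file once the passwords have been handed out; with -UserMustChangePassword $true each one is valid for a single logon anyway.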