Ezine 170 - QAD PowerShell Script to Change Passwords
This is the time of year when many organizations have a new tranche of joiners and leavers, so administrators are looking for a script to set passwords in bulk. Here is PowerShell's equivalent of a VBScript to control passwords.
Scripts which modify Active Directory accounts have a dilemma; the problem is summed up by the word 'scope'. Let me explain what I mean. When testing I am grateful that mistakes are confined to the test OU. However, once a script works beautifully, readers want that code to change accounts in lots of OUs. I remember that with VBScript it took a great deal of clever scripting to create a sub-routine which drilled down through child OUs. With PowerShell just two parameters, -searchRoot and -searchScope, reproduce the recursive drill-down that took VBScript ten lines of code to achieve.
This week's mission is to reset passwords for a bunch of users. The centrepiece of our script is the QADUser object, which you obtain by adding a snapin to your regular PowerShell.
Rather than issuing a big disclaimer that nobody would read, I just want to ask you this question: 'How much protection from a rogue script do you need?' A separate test domain would be ideal; however, if you only have one domain, then I recommend you create a test OU with a handful of users.
My biggest fear is that my reader from hell misunderstands the variable which holds the Active Directory reference. As a result, their script runs amok and changes zillions of ordinary users' passwords. Hence my strong suggestion to begin with a special OU with a name like 'TEST'.
Pre-requisites and Checklist
a) Download, then install both PowerShell and the .Net Framework (from Microsoft's site). Note: XP, Vista and Windows Server 200x each require a different version of PowerShell.
b) Download the QAD (Quest Active Directory) cmdlets.
c) Before you can run any cmdlets, adjust the script execution policy; type this at the PowerShell command-line: set-ExecutionPolicy remotesigned
See more about the PowerShell set-ExecutionPolicy command.
d) 'Wire-up' the QAD cmdlets with the command: add-PSSnapin quest.activeroles.admanagement
e) Now your QAD cmdlets are available, and ready for action.
Yet more pre-requisites (sorry)
f) You need access to Active Directory. To save firewall complications, logon at a domain controller in a test network. (Virtual PC?)
g) Vital. You must not only find the variable $OU in my script, but also amend its value to reflect your domain and your Organizational Unit.
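The checklist above can be turned into a preflight script that you run before any of the QAD scripts on this page. This is an added example, not code from the original page or from Quest; it assumes the snapin name given in step d), that $OU has been edited to your TEST OU, and that Get-QADObject (a Quest cmdlet) resolves the canonical path.

```powershell
# Added preflight check (not from the original page): execution policy,
# snapin loaded, and $OU really pointing at an organizational unit.

$OU = "YourDomName/YourOu"   # edit this to your domain and your TEST OU

# Step c): local scripts must be allowed to run (the page uses RemoteSigned).
$policy = Get-ExecutionPolicy
if ($policy -eq 'Restricted') {
    throw "Execution policy is '$policy'; run: Set-ExecutionPolicy RemoteSigned"
}

# Step d): load the QAD snapin once; adding an already-loaded snapin errors.
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Step g): resolve $OU and refuse to go on unless it is an OU (not the
# domain root, not a container, not a mistyped path).
$target = Get-QADObject -Identity $OU -ErrorAction Stop
if ($target.Type -ne 'organizationalUnit') {
    throw "'$OU' resolved to a '$($target.Type)', not an OU. Refusing to continue."
}

# Show what a later script would operate on: the users directly under $OU.
# -SizeLimit 0 lifts the default result cap so the count is honest.
$users = @(Get-QADUser -SearchRoot $OU -SearchScope 'OneLevel' -SizeLimit 0)
Write-Host ("Target OU: {0}  ({1} user(s) at one level)" -f $target.DN, $users.Count)
```

Run this in the same PowerShell session as the scripts that follow; if it throws, nothing else should be run until $OU is corrected.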
My objective here is twofold. Firstly, to practise scripting in a relatively harmless fashion: changing a user's property called 'Description' is less intrusive than changing their password. Secondly, if we add a known description to just a few test users then we have a 'handle' to filter Active Directory. In Objective 2 I want to create a script which says, 'If Description = xyz, then change the password'.
# PowerShell QAD script to change a user's description
# Author: Guy Thomas
# Version 1.2 August 2008 tested on PowerShell v 1.0
$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU | `
set-QADUser -Description "Forgotten password" | `
FT FirstName, LastName, description, company, office -auto
Learning Points
Note 1: Never miss a chance to learn a PowerShell verb; mostly you employ 'get', but observe that here we also employ the more potent verb, 'set'.
Note 2: Observe how I reinforce the idea of piping (|); the output of 'set' becomes the input of FT, which stands for Format-Table.
-searchScope Challenge
To test a second parameter called -searchScope I invite you to create a child OU underneath your test OU. Create, or move, a few test accounts into this child OU. Now you are ready to experiment with this -searchScope parameter.
Try: get-QADUser -SearchRoot $OU -SearchScope 'OneLevel'
Other possible values in place of 'OneLevel' are 'Base' and 'SubTree'.
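To see the three scopes side by side, here is an added example (not from the original page) that runs the same search with each value and reports how many users it finds and which containers they sit in. It assumes the snapin is loaded, that $OU is your TEST OU with a child OU beneath it, and that the QAD user objects carry a ParentContainer property.

```powershell
# Added example: the same -SearchRoot with each -SearchScope value.
$OU = "YourDomName/YourOu"   # your TEST OU, with a child OU underneath

foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
    # @() forces an array so .Count is correct for zero or one result;
    # -SizeLimit 0 removes the default cap on returned objects.
    $found = @(Get-QADUser -SearchRoot $OU -SearchScope $scope -SizeLimit 0)
    "{0,-9} {1,5} user(s)" -f $scope, $found.Count
    $found | Select-Object -ExpandProperty ParentContainer | Sort-Object -Unique |
        ForEach-Object { "          in $_" }
}
```

Expect 'Base' to report zero users: it returns only the object at the search root itself, and an OU is not a user. 'OneLevel' lists the accounts directly under $OU, and 'Subtree' adds the ones you moved into the child OU, which is exactly the difference that decides how far a password script reaches.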
Here is a script which sets the password for users in a named OU. Examine how the variable $OU specifies the precise location of the user accounts in your domain.
Be aware: This script has two safety catches. Firstly, it changes only users with a specific value for Description; secondly, I use the -whatIf parameter to test the output. If the script looks as though it will do as you intended, then remove the last line.
# PowerShell QAD script to change users' passwords
# Author: Guy Thomas
# Version 1.2 August 2008 tested on PowerShell v 1.0
$OU = "YourDomName/YourOu"
get-QADUser -searchRoot $OU -searchScope 'OneLevel' | `
Where-Object {$_.description -like "Forgotten password*"} | `
set-QADUser -userPassword "Lapt00p$" `
-whatIf
Note 1: set-QADUser has different parameters from get-QADUser; for example, 'set' has a parameter called -userPassword.
Note 2: As mentioned previously, this script has a 'where' clause which acts as an extra check that you are changing the users with a particular description. Once you understand how this script works, you could remove the 'where-Object' clause.
Beware: This QAD script has NO safety catch. If you prefer an element of safety, you could append the -whatIf parameter, as in the script above.
# PowerShell script to change users' passwords
# Author: Guy Thomas
# Version 1.2 August 2008 tested on PowerShell v 1.0
$OU = "YourDomName/YourOu"
get-QADUser -searchRoot $OU -searchScope 'OneLevel' | `
Where-Object {$_.description -like "Forgotten password*"} | `
set-QADUser -userPassword "Lapt00p$" -userMustChangePassword 1
Note 1: userMustChangePassword sounds interesting. Most of PowerShell's parameters seem much friendlier than the equivalent pwdLastSet and userAccountControl of VBScript.
Note 2: Setting userMustChangePassword 1 looks easy and logical enough. However, I only hit upon this value after failing with = "Yes", True, and "1". You need just a numeric one with no speech marks, and no equals sign.
Note 3: Observe how I appended the -userMustChangePassword parameter. Did I use a comma? No. A semi-colon? No. Just plain -userMustChangePassword 1.
Warning: If you are not sure of what's happening here, I strongly recommend you add -whatIf to the last line. For those who know what they are doing it is possible to create a script which changes all Active Directory accounts. The secret is to persuade the script to start at the domainRoot/. The way you achieve this dangerous task is to shorten this line: $OU = "YourDomName/YourOu", to $OU = "YourDomName/". The result would be a script which can 'get', or 'set' all the accounts in your domain.
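The password-reset script above and the warning about the domain root both come down to the same question: how do you stop a bulk reset from reaching further than you meant? Here is an added example, not code from the original page or from Quest, that wraps the same get/where/set pipeline in the checks a cautious administrator would want: it refuses a search root that is the domain root, counts the matches and aborts above a cap, gives every account its own random password instead of one shared value, sets the must-change flag, and runs with -WhatIf unless you pass -Commit. It assumes PowerShell 2.0 or later (for New-Object -Property), the Quest snapin already loaded, and the function and parameter names Invoke-SafePasswordReset, New-RandomPassword, -DescriptionTag, -MaxAccounts and -Commit, all of which are this example's own.

```powershell
# Added example (not from the original page or the QAD project).
# Assumes PowerShell 2.0+ and the Quest snapin already loaded.

function New-RandomPassword {
    param([int]$Length = 14)
    # Character set without look-alikes (0/O, 1/l/I); adjust to your policy.
    $chars = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%&*'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $one   = New-Object byte[] 1
    $max   = 256 - (256 % $chars.Length)   # rejection bound, avoids modulo bias
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $max) { [void]$sb.Append($chars[$one[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Invoke-SafePasswordReset {
    param(
        [string]$OU,
        [string]$DescriptionTag = 'Forgotten password*',
        [int]$MaxAccounts = 25,   # refuse to touch more accounts than this
        [switch]$Commit           # without -Commit everything runs with -WhatIf
    )
    # Safety catch 1: "YourDomName/" (nothing after the slash) is the domain root.
    if ($OU -match '/$' -or $OU -notmatch '/') {
        throw "Refusing to run against '$OU': give an OU path, not the domain root."
    }
    # Safety catch 2: stay at one level and count before changing anything.
    $targets = @(Get-QADUser -SearchRoot $OU -SearchScope 'OneLevel' -SizeLimit 0 |
                 Where-Object { $_.description -like $DescriptionTag })
    if ($targets.Count -eq 0) { Write-Warning "No accounts matched."; return }
    if ($targets.Count -gt $MaxAccounts) {
        throw "$($targets.Count) accounts matched; limit is $MaxAccounts. Narrow the OU or the tag."
    }
    foreach ($user in $targets) {
        $newPassword = New-RandomPassword
        # Each account gets its own password, and must change it at first logon.
        Set-QADUser -Identity $user.DN -UserPassword $newPassword `
                    -UserMustChangePassword 1 -WhatIf:(-not $Commit) | Out-Null
        New-Object PSObject -Property @{
            When           = Get-Date
            SamAccountName = $user.SamAccountName
            DN             = $user.DN
            Committed      = [bool]$Commit
            NewPassword    = $newPassword   # only ever leaves via the pipeline
        }
    }
}

# Dry run first: every Set-QADUser prints a "What if:" line and changes nothing.
$results = Invoke-SafePasswordReset -OU "YourDomName/YourOu"
# The audit log records who was reset, never the password itself.
$results | Select-Object When, SamAccountName, DN, Committed |
    Export-Csv (Join-Path $env:TEMP 'password-reset-log.csv') -NoTypeInformation
# The passwords stay on screen for handing over out of band.
$results | Select-Object SamAccountName, NewPassword
# When the dry run lists exactly the accounts you expect, rerun with -Commit.
```

The design deliberately inverts the page's convention: instead of remembering to add -whatIf, you have to remember to add -Commit, so the dangerous path is the one that takes extra effort. The domain-root check catches the "YourDomName/" shortening the warning describes, and the count cap means that even a wrong $OU inside the domain cannot reset more than a handful of accounts.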
Summary of PowerShell Change Password
If you have to set, or reset, the password for a batch of users it makes sense to develop a PowerShell script. While it takes not inconsiderable preparation to obtain and install the QAD snapin, it is worth it when it comes to creating scripts which create and modify your Active Directory accounts.
Remember the lifesaver known as 'whatIf': any script that makes wide-ranging, and potentially dangerous, changes to Active Directory benefits from appending -whatIf to your command.