Contents for Guy's Scripting Ezine 23
- Enabling User Accounts
Please note:
Since writing this ezine, I have discovered the importance of adding pwdLastSet to this example script. In order to force users to change password at next logon, you must include both these properties, UserAccountControl and pwdLastSet, in your VBScript.
CSVDE is a wonderful utility for importing users from a spreadsheet into
Active Directory. Unfortunately, you cannot use CSVDE to set passwords. This has
repercussions where you have password Group Policies. In such cases zero length passwords are not permitted.
To spell out the problem: if your domain account policy means that
passwords have to be a minimum of 6 characters, then you cannot import
accounts with CSVDE and set them to 'Enabled'. Nor can you set them to: 'User must
change password at next logon'. All that you can do is import the user
accounts with CSVDE and create a VBScript to add the passwords and to enable the accounts.
In fact, if you attempt to add a password field to your CSVDE spreadsheet, then the import fails with an unfriendly error message. Worse, it seems whenever I try to add a password field to a CSVDE import, the operating system gets so upset by this illegal procedure that I have to start again with a new spreadsheet.
The answer is a VBScript to set the UserAccountControl.
The purpose of this script is to enable accounts so that users can log on to your domain. The situation is that you have just bulk imported users but all the accounts are disabled. You want people to be able to use their new accounts.
The key LDAP property is UserAccountControl; what we need to do is change the
value from 514 to 512. With a value of 512, the account will be enabled
and the users can log on.
Instructions to Enable Active Directory User Accounts
- Pre-requisites. You need either a Windows 2000 or Server 2003 domain controller for this script to
work.
- Change Line 11 "OU=Cowbridge ," to the name of one of your OUs.
Alternatively, create an OU called Cowbridge.
- Please make sure that the OU has users and that their accounts are
disabled. (Right-click any account, select 'Disable Account'.)
- Copy and paste the script below into notepad.
- Save the file with .vbs extension e.g. AccountControl.vbs
- Double click and observe the message box
- Importance of adding : pwdLastSet
' Set AccountControl.vbs
' Example VBScript to enable user accounts in a named OU
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.7 - March 21st 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 512
strContainer = strContainer & strDNSDomain
' Bind to the OU and loop through every object it contains
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    ' Only touch user objects, not computers or other classes
    If objUser.class = "user" Then
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Accounts Enabled. Value " _
& intAccValue
WScript.Quit
' End of VBScript Example
Learning Points
Note 1: The method here is .Put, for example objUser.Put
Note 2: If objUser.class = "user". Here we only wish to enable
user accounts, not computer accounts.
Note 3: intAccValue allows me to echo the value that I have set for
UserAccountControl. This is useful if I wish to experiment with the values
below.
Note 4: See Importance of adding pwdLastSet
Note 5: See more on UserAccountControl
Troubleshooting
Naturally you have to create or move some accounts into the OU = Cowbridge
and make sure they are disabled.
If you are testing a script for the second or third time, then you need to Refresh to check that the amendments are working. The secret is to select the OU, then choose Refresh from the shortcut menu. For some strange reason F5 (Function key 5) only works the first time.
UserAccountControl Values
You may be wondering what range of settings you can use on the
UserAccountControl attribute. Here is a list of the most common values
for a user object.
512 - Enable Account
514 - Disable account
544 - Account Enabled - Require user to change password at first logon
66048 - Password never expires
262656 - Smart Card Logon Required
I discovered the above values by experimenting with the users' property sheets in Active Directory Users and Computers. What I did was set the check boxes in the Account property tab and then exported the users with CSVDE -f account.csv. In truth, I used the -d switch to filter the records so that I only exported users in the Cowbridge OU.
CSVDE -f account.csv -d "ou=cowbridge,dc=cp,dc=com"
Finally, I examined the UserAccountControl column in the spreadsheet, and
compared the values with ticks in checkboxes under the Account tab.
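The values above are sums of bit flags, so writing a fixed number such as 512 over an existing value also clears every other flag the account had. The following VBScript is an added example, not part of the original ezine: it decodes the listed values and enables an account by clearing only the disable bit. The helper names DescribeUAC and EnableOnly and the sample value 66050 are made up for illustration; the constants follow Microsoft's ADS_USER_FLAG_ENUM.

```vbscript
' Added example, not part of the original ezine scripts.
' Decodes userAccountControl values into bit flags and enables an
' account by clearing one bit instead of overwriting the whole value.
Option Explicit

' Bit values as documented in Microsoft's ADS_USER_FLAG_ENUM
Const ADS_UF_ACCOUNTDISABLE = 2
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_SMARTCARD_REQUIRED = 262144

' DescribeUAC (hypothetical helper): names of the flags set in lngUAC
Function DescribeUAC(lngUAC)
    Dim arrBits, arrNames, i, strOut
    arrBits = Array(ADS_UF_ACCOUNTDISABLE, ADS_UF_PASSWD_NOTREQD, _
                    ADS_UF_NORMAL_ACCOUNT, ADS_UF_DONT_EXPIRE_PASSWD, _
                    ADS_UF_SMARTCARD_REQUIRED)
    arrNames = Array("ACCOUNTDISABLE", "PASSWD_NOTREQD", "NORMAL_ACCOUNT", _
                     "DONT_EXPIRE_PASSWD", "SMARTCARD_REQUIRED")
    strOut = ""
    For i = 0 To UBound(arrBits)
        If (lngUAC And arrBits(i)) <> 0 Then
            If strOut <> "" Then strOut = strOut & " + "
            strOut = strOut & arrNames(i)
        End If
    Next
    DescribeUAC = strOut
End Function

' EnableOnly (hypothetical helper): clear ACCOUNTDISABLE, keep other flags
Function EnableOnly(lngUAC)
    EnableOnly = lngUAC And (Not ADS_UF_ACCOUNTDISABLE)
End Function

Dim lngValue, strReport
strReport = "Values listed on this page:" & vbCrLf
For Each lngValue In Array(512, 514, 544, 66048, 262656)
    strReport = strReport & lngValue & " = " & DescribeUAC(lngValue) & vbCrLf
Next

' Constructed sample: a disabled account that also has "password never expires"
lngValue = 66050
strReport = strReport & vbCrLf & "Before: " & lngValue & " = " & _
            DescribeUAC(lngValue) & vbCrLf
strReport = strReport & "Overwrite with 512: " & DescribeUAC(512) & vbCrLf
strReport = strReport & "Clear bit 2 only: " & EnableOnly(lngValue) & _
            " = " & DescribeUAC(EnableOnly(lngValue))
WScript.Echo strReport
```

The script works on plain numbers and does not touch Active Directory; its report shows 544 as NORMAL_ACCOUNT + PASSWD_NOTREQD (512 + 32). Inside the loop of the enable script, the same idea would be objUser.Put "userAccountControl", EnableOnly(objUser.Get("userAccountControl")).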
This is where we put it all together: a combination of last week's script to set user account passwords with this week's script to enable the accounts. Because I want them to change password at next logon, I set the UserAccountControl to be 544.
' Set AccPwd.vbs
' Example VBScript to require users change passwords at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.2 - March 21st 2004
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.class = "user" Then
        ' Set the password first, then the account flags
        objUser.SetPassword "P@££er2004"
        objUser.SetInfo
        objUser.Put "userAccountControl", intAccValue
        ' pwdLastSet = 0 forces the change at next logon
        ' (see the note on pwdLastSet at the top of this page)
        objUser.Put "pwdLastSet", 0
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Users change pwd next logon. Value " _
& intAccValue
WScript.Quit
' End of User Account example VBScript
Learning Points
Note 1: intAccValue is now changed to 544.
Note 2: We insert last week's method, objUser.SetPassword.
The idea is if you would like to test yourself by correcting a script
with mistakes, then try the following script, and see if you can spot the
mistakes. Answers underneath.
' Set AccountControl.vbs
' VBScript to enable user accounts in a named OU
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 - March 21st 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter,
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 512
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.class = "user" Then
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Accounts Enabled. Value " _
& intAccValue
WScript.Quit
Out Takes - Answers
- Dim strContainer, strLastUser, strDNSDomain, intCounter,
Either there should be no comma at the end of the line, or you should add another variable: intAccValue
- Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue