Guy's Scripting Ezine 23 - Enabling User Accounts
Since writing this ezine, I have discovered the importance of adding pwdLastSet to this example script. To force users to change their password at next logon, you must include both properties, UserAccountControl and pwdLastSet, in your VBScript.
CSVDE is a wonderful utility for importing users from a spreadsheet into Active Directory. Unfortunately, you cannot use CSVDE to set passwords. This has repercussions where you have password Group Policies. In such cases zero length passwords are not permitted.
To spell out the problem: if your domain account policy means that passwords have to be a minimum of 6 characters, then you cannot import accounts with CSVDE and set them to 'Enabled'. Nor can you set them to: 'User must change password at next logon'. All that you can do is import the user accounts with CSVDE and create a VBScript to add the passwords and to enable the accounts.
In fact, if you attempt to add a password field to your CSVDE spreadsheet, then the import fails with an unfriendly error message. Worse, it seems that whenever I try to add a password field to a CSVDE import, the operating system gets so upset by this illegal procedure that I have to start again with a new spreadsheet.
The answer is a VBScript to set the UserAccountControl.
The purpose of this script is to enable accounts so that users can log on to your domain. The situation is that you have just bulk imported users, but all the accounts are disabled. You want people to be able to use their new accounts.
The key LDAP property is UserAccountControl. What we need to do is change its value from 514 to 512. With a value of 512, the account will be enabled and the users can log on.
Instructions to Enable Active Directory User Accounts
' Set AccPwd.vbs
Note 0: Script kindly modified by Michael Shatswell
Note 1: The method here is .Put, for example objUser.Put
Note 2: If objUser.class = "user" Here we only wish to enable user accounts not computer accounts.
Note 3: intAccValue allows me to echo the value that I have set for UserAccountControl. This is useful if I wish to experiment with the values below.
Note 4: See Importance of adding : pwdLastSet
Note 5: See more on UserAccountControl
Naturally you have to create or move some accounts into the OU = Cowbridge and make sure they are disabled.
If you are testing a script for the second or third time, then you need to Refresh to check that the amendments are working. The secret is to select the OU, then choose Refresh from the shortcut menu. For some strange reason F5 (Function key 5) only works the first time.
You may be wondering what range of settings you can use on the UserAccountControl attribute. Here is a list of the most common values for a user object.
512 - Enable Account
514 - Disable account
544 - Account Enabled - Require user to change password at first logon
66048 - Password never expires
262656 - Smart Card Logon Required
I discovered the above values by experimenting with the users' property sheets in Active Directory Users and Computers. What I did was set the check boxes in the Account property tab and then export the users with CSVDE -f account.csv. In truth, I used the -d switch to filter the records so that I only exported users in the Cowbridge OU.
CSVDE -f account.csv -d "ou=cowbridge,dc=cp,dc=com"
Finally, I examined the UserAccountControl column in the spreadsheet, and compared the values with ticks in checkboxes under the Account tab.
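The values in the list are sums of individual bit flags, which is why ticking a checkbox changes the number by a fixed amount. The following added example (not part of the original ezine) decodes the five values listed above using the standard ADS_UF_* flag values; the function name DecodeUac is hypothetical.

```vbscript
' Added example: decode userAccountControl values into their bit flags.
' Run with: cscript //nologo DecodeUac.vbs   (file name is an assumption)
Option Explicit

Dim arrFlags, arrValues, lngValue

' Bit value / name pairs for the flags that make up the values on this page.
arrFlags = Array( _
    Array(2, "ACCOUNTDISABLE"), _
    Array(32, "PASSWD_NOTREQD"), _
    Array(512, "NORMAL_ACCOUNT"), _
    Array(65536, "DONT_EXPIRE_PASSWD"), _
    Array(262144, "SMARTCARD_REQUIRED"))

' The five values listed on this page.
arrValues = Array(512, 514, 544, 66048, 262656)

For Each lngValue In arrValues
    WScript.Echo lngValue & " = " & DecodeUac(lngValue)
Next

Function DecodeUac(lngUac)
    Dim arrPair, strOut, lngRest
    strOut = ""
    lngRest = lngUac
    For Each arrPair In arrFlags
        ' Bitwise And tests whether this flag is present in the value.
        If (lngUac And arrPair(0)) <> 0 Then
            If strOut <> "" Then strOut = strOut & " + "
            strOut = strOut & arrPair(1) & " (" & arrPair(0) & ")"
            lngRest = lngRest And Not arrPair(0)
        End If
    Next
    ' Report any bits that are not in the table instead of hiding them.
    If lngRest <> 0 Then
        If strOut <> "" Then strOut = strOut & " + "
        strOut = strOut & "other bits (" & lngRest & ")"
    End If
    DecodeUac = strOut
End Function
```

Decoded this way, 544 is NORMAL_ACCOUNT (512) plus PASSWD_NOTREQD (32), so it is worth checking for accounts left at that value after a bulk import.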
This is where we put it all together: a combination of last week's script to set user account passwords with this week's script to enable the accounts. Because I want them to change password at next logon, I set the UserAccountControl to be 544.
' Set AccPwd.vbs
Note 1: intAccValue is now changed to 544.
Note 2: We insert last week's method, objUser.SetPassword.
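The procedure described in both script sections above (enable the imported accounts, set a password, force a change at next logon), written out as an added example; it is not the original AccPwd.vbs from the author or Michael Shatswell. Assumptions: the OU and domain are the ones used on this page, the password is a placeholder, and the script writes 512 with pwdLastSet = 0 (per the update note at the top of the page) and skips accounts that are already enabled.

```vbscript
' Added example: set a password, enable the account and force a change at next logon.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = 2

Dim objOU, objUser, strContainer, strPassword, intAccValue, intCount

strContainer = "ou=cowbridge,dc=cp,dc=com"      ' OU and domain used on this page
strPassword  = "<initial-password-placeholder>" ' replace; must satisfy the domain password policy
intAccValue  = 512                              ' NORMAL_ACCOUNT with no disable bit

Set objOU = GetObject("LDAP://" & strContainer)
intCount = 0

For Each objUser In objOU
    ' Only user objects; computer accounts and child OUs are skipped.
    If LCase(objUser.Class) = "user" Then
        ' Choice made in this example: touch only accounts that are still
        ' disabled, so re-running never resets an active user's password.
        If (objUser.Get("userAccountControl") And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            ' Password first: with a minimum-length policy the account
            ' cannot be enabled while its password is blank.
            objUser.SetPassword strPassword
            objUser.Put "userAccountControl", intAccValue
            ' pwdLastSet = 0 is what ticks "User must change password at next logon".
            objUser.Put "pwdLastSet", 0
            objUser.SetInfo
            intCount = intCount + 1
        End If
    End If
Next

WScript.Echo intCount & " account(s) enabled with userAccountControl = " & intAccValue
```

Writing 512 rather than 544 avoids setting bit 32 (PASSWD_NOTREQD), which marks the account as not requiring a password.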
If you would like to test yourself by correcting a script with mistakes, then try the following script and see if you can spot them. Answers underneath.
' Set AccountControl.vbs
Out Takes - Answers