Tutorial for Changing a User Account Password with SetPassword
With VBScript, it is relatively easy to set each user's account to a known password. You can also configure the account so
that once the user authenticates, they must change the known password to a more secure password. This is a popular script for schools and colleges to run at the start of a year; either for new
pupils, or for old lags who have forgotten last term's passwords.
Setting the password may be part of a
bigger plan, for example, to enable the account and force the user to change their password at next logon. My mantra is build scripts gradually, one section at a time. Therefore, once we have mastered the basics in Example 1, we will
investigate how to use SetPassword as part of a more powerful VBScript in Example 2.
Let us suppose that you want to set the user's account password at next logon. The heart of the VBScript is a method called .SetPassword. Applying .SetPassword to
the user object has the same effect as setting the password option manually in Active Directory Users and Computers. (.SetInfo is like pressing the OK button)
Prerequisites for VBScript SetPassword
You need access and a working knowledge of Active Directory Users and Computers. Following my theme of keep it simple, I recommend that you log on as
administrator, perferably at a domain controller. Alternatively, connect to the server with Remote Desktop. If all else fails, you can try these script on an XP machine as a non-administrator, but why introduce extra complications?
Let us start with some easy successes.
Instructions for Changing a User's Password
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Decide whether to change the OU by editing the value for strContainer. Of course you need test users in the OU referenced by strContainer.
Save the file with a .vbs extension, for example: SetPassword .vbs.
Double click SetPassword .vbs and check the Users container for strUser.
Sample Script to Change a User's Passwords
' SetPassword .vbs ' Sample VBScript Change Password in a named OU. ' Author Guy Thomas http://computerperformance.co.uk/ ' Version 2.3 - May 2010 '
-----------------------------------------------' Option Explicit Dim objOU, objUser, objRootDSE Dim strContainer, strDNSDomain, strPassword
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE") strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' -----------------------------------------------' ' Important change OU= to
reflect your domain ' -----------------------------------------------' strContainer = "OU=Accounts, " strPassword = "P@ssw0rd" strContainer = strContainer & strDNSDomain
' Loop
through OU=, setting passwords for all users set objOU =GetObject("LDAP://" & strContainer ) For each objUser in objOU If objUser.class="user" then objUser.SetPassword strPassword objUser.SetInfo
End If Next
WScript.Quit
' End of Example VBScript: SetPassword
Guy Recommends: SolarWinds' Free Bulk Import Tool
Import users from a spreadsheet. Just provide a list of the
users with their fields in the
top row, and save as .csv file. Then launch this FREE utility and match
your fields with AD's
attributes, click and import the users. Optionally, you can
provide the name of the OU where the new accounts will be born.
There are also two bonus tools in the free download, and all 3 have been approved by Microsoft:
Note 1: The header section explains the purpose of the script. Then, I declare three objects, one each for User, OU and DNSDomain.
Note 2:
You probably need to change the strContainer from 'OU=Accounts, " to one of your OUs. Did you notice the comma at the end of this string?
Note 3: One of the most important jobs of
Active Directory VBScripts is to 'bind' to the domain name. My technique avoids having to 'hard code' the domain name in the script. Study how objRootDSE and strDNSDomain combine to extract the
LDAP name. The point is that my technique will work for any domain without having to know the domain name in advance. This is a huge advantage as I have no idea what you domain is called.
Note
4: See how the example derives strContainer from the domain name and strOU.
Note 5:
Trace how the ObjUser manipulate
the password with the special .SetPassword method. What this does is enter the password just as if you had typed it in the Active Directory Users and Computers interface. The .SetInfo method is
the equivalent of you pressing the OK button on the dialog box.
Note 6: From a purely scripting point of view, the neat feature is the way that the example cycles through all the accounts in
the strContainer. VBScript controls this by looping with , For Each .... next.
Note 7: Hardly a script goes by without the need of the If... then end if construction. For this example, we
filter the objects with the, If objUser.Class = "User". The point is that the OU could also contain computers whose passwords we wish to remain unchanged.
Recommended: Solarwinds' Permissions Analyzer - Free Active Directory Tool
I like the
Permissions Monitor because it enables me to see WHO has permissions
to do WHAT at a glance. When you launch this tool it analyzes a users effective NTFS
permissions for a specific file or folder, and takes into account network share
access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free SolarWinds utility saves when you are
troubleshooting authorization problems for user's access to a resource.
This script builds on Example 1, so I recommend you check over the above script before tackling this more advanced example.
As you set the account password, there are two
other factors that you may wish to include in the script. If the account is disabled, you may wish to enable it with userAccountControl = 512. In addition to setting the password, perhaps you
want to force the users to change their password at next logon with PwdLastSet =0.
Sample Script to Force Users to Change Password at Next Logon
' SetPasswordAdv.vbs ' Sample VBScript to force a user to change password at next logon ' Author Guy Thomas http://computerperformance.co.uk/ ' Version 1.2 - May 2010
' -----------------------------------------------' Option Explicit Dim objOU, objUser, objRootDSE Dim strContainer, strDNSDomain, strPassword Dim intCounter, intAccValue,
intPwdValue
' Bind to Active Directory Domain Set objRootDSE = GetObject("LDAP://RootDSE") strDNSDomain = objRootDSE.Get("DefaultNamingContext")
'
-----------------------------------------------' ' Important change OU= to reflect your domain ' -----------------------------------------------' strContainer =
"OU=Accounts, " strPassword = "P@ssw0rd" strContainer = strContainer & strDNSDomain
' Here is where we set the value to enable the account ' 512 = Enable, 514 = Disable. intAccValue = 512
' Here we force a change of password at next logon intPwdValue = 0 ' Default is -1
' Loop through OU=, setting passwords for all users set objOU =GetObject("LDAP://" & strContainer ) For
each objUser in objOU If objUser.class="user" then objUser.SetPassword strPassword objUser.Put "userAccountControl",
intAccValue objUser.Put "PwdLastSet", intPwdValue objUser.SetInfo End If Next
Note 1: Observe the two VBScript methods .SetPassword and .Put. Also, see how .SetInfo is rather like pressing the OK button if you were to perform the same
task manually at the Active Directory Users and Computers interface.
Note 2: When testing, I often add WScript.echo commands to confirm what the script has achieved. Incidentally, this is
another reason to declare and apply variables, for example, strContainer and intAccValue.
There
may be more tasks to resetting passwords than you originally thought. By combining these three methods, you get the best possible control: set the actual password, enable the account and then force the
user to change the password at the next logon. Always bear in mind that these scripting commands mimic what you could do manually at the Active Directory Users and Computers snap-in.
If you like this page then please share it with your friends
Windows Management Instrumentation (WMI) is one of the hidden
treasures of Microsoft operating systems.
Fortunately, SolarWinds
have created the
Free WMI Monitor so that you can actually see and understand these gems of
performance information. Take the guess work out of which
WMI counters to use for applications like Microsoft Active Directory,
SQL or Exchange Server.
