Guy’s Scripting Ezine 122 – Changing Passwords

N.B. Updates from D.A. and Sean Hook

This Week’s Secret

What I can do for you this week is create a script which will reset Active Directory passwords.

Last week I was rude about DontDisplayLastUserName; three readers kindly sent in valid reasons for using this setting to clear the logon dialog box of the last user’s name.  When will Guy learn not to be rude about a setting!

This week I have a request of you: can you help me and the other readers by giving us a command that will ‘walk the Active Directory tree’?  My request is for a VBScript loop that will check not just one OU, but all OUs.  What I am after is the equivalent of the DOS command dir /s, where /s says look in all the sub-directories.

Follow up to Guy’s request to: ‘Walk the Active Directory Tree’

I am delighted to say that it does seem possible to write code that will interrogate not one OU, but the entire Active Directory tree.  Here is the next stage of my quest to ‘Walk the Active Directory Tree’.

D.A. kindly sent this script in response to my request.  It looks good and comprehensive.  I will write more about it when I have dissected it more fully.  Meanwhile you can download D.A.’s OUListing.

Sean Hook kindly sent this snippet.  The idea is to create an ADO connection.  I have got a similar script to read from Active Directory, but I am yet to persuade it to write values.  The key command is subtree.

Below is a command line I am creating in one of my scripts. You set the value to search for, then the attributes of the object you want, then how to search.  The final value "subtree" is the parameter you specify to LDAP to view all subcontainers.  Example:

' <base DN>;<LDAP filter>;<attributes to return>;<scope>
' The "& _" at each line end is VBScript's line continuation
oCommand.CommandText = "<LDAP://" & _
    oRootDSE.Get("defaultNamingContext") & _
    ">;(&(memberOf=" & sGroupName & "));extensionAttribute1,sn,givenName,sAMAccountName;subtree"

This Week’s Mission

Why passwords this week?  The answer is that in my mind’s eye, I see a lot of schools and colleges returning after the summer break.  When their holiday euphoria wears off, administrators face the problem that over the vacation the students have forgotten their passwords.  In addition, they may need to create passwords for the new students, or ‘joiners’ in the case of a corporation.

Therefore our mission is to create a VBScript which will not only reset the password, but also ensure that the users change this temporary password at first logon.  To digress, I once went to a military establishment where the sergeant major had the names and passwords on slips of paper; the privates marched into his office, read their piece of paper, memorised it, then had to eat the slip of paper.  Finally, they made a quick about turn, marched out and logged on at their computers.  I expect you will use a different method to inform the users of their passwords!

Last week I was serious about making greater use of the ‘If..then..end if’ logic.  In the case of resetting the passwords we could add extra logic to say, ‘Script, only reset the password if a certain condition is met’.  At its simplest, the logic could say, ‘If this is a user account and not a computer account, then reset the password’. 

Let us assume that you have inherited the situation where all the user accounts are in the Active Directory users container, as opposed to filed in OUs.  Potentially, you could irritate members of staff who don’t need their password reset.  Judicious use of logic will save you getting abuse from those who did not need their password changing.  One example of the logic I recommend is, ‘If Description = First Year then reset the password’.  Another example, ‘If Description is not equal to staff, go ahead and reset the password’.

Perhaps you can see why I would love a command which would ‘walk the Active Directory tree’ and reset every account that matched my criteria.  I say again, if you know of such a command, please share it with me and I will publish the code with a credit to you.

Example 1 – To Reset the Password

Pre-requisites

You really do need an Active Directory domain for this VBScript to work.  Either create an OU called students and populate it with a few users, or else change the value of strContainer to match your organization.

Instructions

  1. Copy and paste the script below into Notepad, or get a script editor such as OnScript.
  2. Save the file with a .vbs extension, e.g. StudentPwd.vbs
  3. Double click your script and check the message box.
  4. Log on as one of the user accounts and check the password, and the fact that you have to change it at first logon.

' StudentPwd.vbs
' Example VBScript to change a user's password
' Version 1.2 – August 2006
' ---------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

' ---------------------------------------------------'
' Note: Please change OU=Students, to reflect your domain
' ---------------------------------------------------'
strContainer = "OU=students, "
strPassword = "F@rst0ne"
intAccValue = 544
intPwdValue = 0
intCounter = 0
' ---------------------------------------------------'
' Makes the user change F@rst0ne password at first logon
' ---------------------------------------------------'

' Read the domain's DN from RootDSE, then bind to the students OU
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)

' Loop through every object in the OU; only user objects are changed
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword strPassword
        objUser.SetInfo
        objUser.Put "pwdLastSet", intPwdValue
        objUser.SetInfo

        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
    End If
Next

WScript.Echo strPassword & " is Password. UserAccountValue = " _
    & intAccValue & vbCr & intCounter & " accounts changed"
WScript.Quit

' End of change password example VBScript

VBScript Learning Points

Note 1:  .SetInfo is a vital scripting command, the equivalent of pressing the OK button in the dialog box.

Note 2:  userAccountControl also has the values 512 (enabled) and 514 (disabled).  In this instance we set it to 544, meaning change password at next logon.

Note 3:  To complete the change password at next logon, we also need to set pwdLastSet to zero.

Example 2 – Add ‘If then… End If’ logic

In this example we will add logic.  The underlying idea is that we only change the user’s password if another user property matches a particular value.  I have selected Description = "Year 1".  It is my greatest joy if you would experiment both with the property (description) and the value ("Year 1").  Naturally you have to make the corresponding adjustments to the values of your user accounts, otherwise nothing will happen when the script runs.  This script also adds an ‘If’ statement to change user accounts only.

' LoopPwd.vbs
' Example VBScript to change a user's password
' Version 2.3 – August 2006
' ---------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

' ---------------------------------------------------'
' Note: Please change OU=Students, to reflect your domain
' ---------------------------------------------------'
strContainer = "OU=students, "
strPassword = "F@rst0ne"
intAccValue = 544
intPwdValue = 0
intCounter = 0
' ---------------------------------------------------'
' Makes the user change F@rst0ne password at first logon
' ---------------------------------------------------'

' Read the domain's DN from RootDSE, then bind to the students OU
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)

' Note first 'If Then' to check it's a user
' Note second 'If Then' to check Description = "Year 1"
' ---------------------------------------------------'
For Each objUser In objOU
    If objUser.Class = "user" Then
        If objUser.Description = "Year 1" Then
            objUser.SetPassword strPassword
            objUser.SetInfo
            objUser.Put "pwdLastSet", intPwdValue
            objUser.SetInfo
            objUser.Put "userAccountControl", intAccValue
            objUser.SetInfo
            intCounter = intCounter + 1
        End If
    End If
Next

WScript.Echo strPassword & " is Password. UserAccountValue = " _
    & intAccValue & vbCr & intCounter & " accounts changed"
WScript.Quit

' End of change password example VBScript
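Guy’s ‘walk the tree’ request, Sean Hook’s subtree search and the Example 2 filter can be combined in one script; the following is an added example, not the ezine’s or its readers’ code: an ADO subtree query from the domain root finds every user with Description "Year 1" in any OU, and a DRY_RUN switch lists the matches before anything is reset.  Rather than writing 544 it clears only bit 32 of each account’s existing userAccountControl, because 544 is 512 (normal account) plus 32 (PASSWD_NOTREQD, which exempts the account from the domain password policy), while the change-at-next-logon behaviour comes from pwdLastSet = 0.  The script name, the DRY_RUN constant and the temporary password are assumptions.

```vbscript
' ResetYear1Subtree.vbs (added example, not from the ezine)
' Walks the whole domain with an ADO subtree search instead of binding
' to one OU, then resets only users whose Description = "Year 1".
Option Explicit
Const ADS_UF_PASSWD_NOTREQD = 32   ' the extra bit in the ezine's value 544
Const DRY_RUN = True               ' report only; set False to reset passwords
Dim objRootDSE, strDNSDomain, objConn, objCmd, objRS
Dim objUser, intUAC, intCounter, strPassword
strPassword = "F@rst0ne"           ' temporary password, as in the ezine
intCounter = 0

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' ADO connection to the LDAP provider, as in Sean Hook's snippet
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
objCmd.ActiveConnection = objConn
' <base>;<filter>;<attributes>;<scope> -- "subtree" covers every sub-OU
' objectCategory=person excludes computer accounts, replacing the Class check
objCmd.CommandText = "<LDAP://" & strDNSDomain & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(description=Year 1));" & _
    "ADsPath,sAMAccountName;subtree"
objCmd.Properties("Page Size") = 1000   ' page results past the 1000 limit
Set objRS = objCmd.Execute
Do Until objRS.EOF
    Set objUser = GetObject(objRS.Fields("ADsPath").Value)
    intUAC = objUser.Get("userAccountControl")
    If DRY_RUN Then
        WScript.Echo "Would reset " & objRS.Fields("sAMAccountName").Value & _
            " (userAccountControl=" & intUAC & ")"
    Else
        objUser.SetPassword strPassword
        ' pwdLastSet = 0 is what forces the change at next logon
        objUser.Put "pwdLastSet", 0
        ' keep the account's other flags but clear PASSWD_NOTREQD (32),
        ' so the new password must still satisfy the domain policy
        If (intUAC And ADS_UF_PASSWD_NOTREQD) <> 0 Then
            objUser.Put "userAccountControl", intUAC - ADS_UF_PASSWD_NOTREQD
        End If
        objUser.SetInfo
    End If
    intCounter = intCounter + 1
    objRS.MoveNext
Loop
objRS.Close
objConn.Close
WScript.Echo intCounter & " Year 1 accounts matched (dry run = " & DRY_RUN & ")"
```

Run it once with DRY_RUN = True and compare the listed sAMAccountNames with the accounts you expect before switching it to False.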

Learning Points

Note 1:  This script uses one of my favourite constructions, If (test) then…(do).. End If.  Moreover, it uses ‘If’ not once but twice.  The first ‘If’ filters only user accounts (as opposed to computer accounts), while the second filters users whose description matches "Year 1".

Note 2: 

Guy’s Challenges

Challenge 1: Try different criteria for the second ‘If Then’ test.  I challenge you to research more useful LDAP properties, for example physicalDeliveryOfficeName, department or location.

Challenge 2: Try different values for userAccountControl, for example 514, which disables the account.

Summary of Changing the Password

Creating a basic script to change the password is straightforward.  You also need a few more commands, such as pwdLastSet to control precisely what happens at first logon.  Going the extra distance and employing ‘If then’ logic makes the script more flexible.
