Ezine 170 – QAD PowerShell Script to Change Passwords

Ezine 170 – QAD PowerShell Script to Change Passwords

This is the time of year when many organizations have a new tranche of joiners and leavers.  Thus administrators are looking for a script to set passwords in bulk.  Here is PowerShell’s equivalent of a VBScript to control passwords.

Topics for PowerShell Script to Change Passwords


This Week’s Secret

Scripts which modify Active Directory accounts have a dilemma; the problem is summed up by the word ‘scope’.  Let me explain what I mean.  When testing I am grateful that mistakes are confined to the test OU.  However, once a script works beautifully readers want that code to changes accounts in lots of OUs.  I remember that with VBScript it took a great deal of clever scripting to create a sub-routine which drilled down through child OUs.  With PowerShell just two parameters -searchRoot and -searchScope can reproduce the recursive drill-down that it took VBScript ten lines of code to achieve.

This Week’s Mission

This Week’s Mission is to reset passwords for a bunch of users.  The centrepiece of our script is the QADUser object, which you obtain by adding a snapin to your regular PowerShell.  Rather than issuing a big disclaimer that nobody would read, I just want to ask you this question, ‘How much protection from a rogue script do you need?’  A separate test domain would be ideal, however, if you you only have one domain, then I recommend you create a test OU with a handful of users.

My biggest fear is that my reader from hell misunderstands the variable which holds the Active Directory reference.  As a result, their script runs amok and changes zillions of ordinary users’ passwords.  Hence my strong suggestion to begin with a special OU with a name like ‘TEST’.

Pre-requisites and Checklist

a) Download, then install both PowerShell and .Net Framework (from Microsoft’s site)
Note: XP, Vista, and Windows Server 200x each requires a different version of PowerShell.

b) Download the QAD (Quest Active Directory) cmdlets.

c) Before you can run any cmdlets, adjust the script execution policy; type this at the PowerShell command-line:
set-ExecutionPolicy remotesigned 

See more about the PowerShell set-ExecutionPolicy command

d) ‘Wire-up’ the QAD cmdlets with the command:
add-PSSnapin quest.activeroles.admanagement

e) Now your QAD cmdlets are available, and ready for action.

Yet more pre-requisites (sorry)

f) You need access to Active Directory.  To save firewall complications, logon at a domain controller in a test network.  (Virtual PC?)

g) Vital.  You must not only find the variable $OU in my script; but also amend its value to reflect your domain and your Organizational Unit.

Guy Recommends:  SolarWinds’ Free Bulk Import ToolFree Download Solarwinds Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.

Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.

If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)

Objective 1 – To Set a Value for a User’s LDAP Field Called ‘Description’

My objective here is two fold.  Firstly, to practice scripting in a relatively harmless fashion, changing a user’s property called ‘Description’ is less intrusive than changing their password.

Secondly, if we add a known description to just a few test users then we have a ‘handle’ to filter Active Directory.  In Objective 2 I want to create a script which says, ‘If Description = xyz, then change the password’.

# PowerShell QAD script to change a user’s description
# Author: Guy Thomas
# Version 1.2 August 2008 tested on PowerShell v 1.0

$OU = "YourDomName/YourOu"
get-QADUser -SearchRoot $OU | `
set-QADUser -Description "Forgotten password" |`
FT FirstName, LastName, description, company, office -auto

Learning Points

Note 1:  Never miss a chance to learn a PowerShell verb; mostly you employ ‘get’, but observe that here we also employ the more potent verb, ‘set’.

Note 2:  Observe how I reinforce the idea of piping (|); the output of ‘set’ becomes the input of FT, which stands for format-Table.

Guy Recommends: The Free IP Address Tracker (IPAT) IP Tracker

Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets.  IPAT cracks this problem of allocating IP addresses in networks in two ways:

For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. 

For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker

-searchScope Challenge

To test a second parameter called -searchScope I invite you to create a child OU underneath your test OU.  Create, or move a few test accounts into this child OU.  Now you are ready to experiment with this -searchScope parameter.

Try: get-QADUser -SearchRoot $OU -SearchScope ‘OneLevel’ | `

Other possible values in place of ‘OneLevel’ are, ‘Base’ and ‘SubTree’.

Objective 2 – QAD Script to Change Passwords

Here is a script which sets the password for users in a named OU.  Examine how the variable $OU specifies the precise location of the user accounts in your domain.

Be aware:  This script has two safety catches.  Firstly, it changes only users with a specific value for Description; secondly I use the -whatIf parameter to test the output.  If the script looks as though it will do as you intended, then remove the last line.

# PowerShell QAD script to change users’ passwords
# Author: Guy Thomas
# Version 1.2 August 2008 tested on PowerShell v 1.0

$OU = "YourDomName/YourOu"
get-QADUser -searchRoot $OU -searchScope ‘OneLevel’ | `
Where-Object {$_.description -like "Forgotten password*"} | `
set-QADUser -userPassword "Lapt00p$" `

Note 1:   set-QADUser has different properties from get-QADUser, for example, ‘set’ has a property called -userPassword.

Note 2:  As mentioned previously, this script has a ‘where’ clause which acts an extra check that you are changing the users with a particular description.  Once you understand how this script works, you could remove the ‘where-Object’ clause.

Objective 3 – Changing the Passwords with userMustChangePassword

Beware:  This QAD script has NO safety catch.  If you prefer an element of safety, you could append the -whatIf parameter, as in the script above.

# PowerShell script to change users’ passwords
# Author: Guy Thomas
# Version 1.2 August 2008 tested on PowerShell v 1.0
$OU = "YourDomName/YourOu"

get-QADUser -searchRoot $OU -searchScope ‘OneLevel’ `
Where-Object {$_.description -like "Forgotten password*"} | `
set-QADUser -userPassword "Lapt00p$" -userMustChangePassword 1

Note 1:   userMustChangePassword sounds interesting.  Most of PowerShell’s parameters seem much friendlier than the equivalent pwdLastSet and userAccountControl of VBScript.

Note 2:   Setting userMustChangePassword 1 looks easy and logical enough.  However, I only hit upon this value after failing with = "Yes", True, and "1".  You need just numeric one with no speech marks, and no equals sign.

Note 3:   Observe just how I just appended the -userMustChangePassword parameter.  Did I use a comma?  No.  A semi-colon?  No.  Just plain userMustChangePassword 1.

Warning:  If you are not sure of what’s happening here, I strongly recommend you add -whatIf to the last line.  For those who know what they are doing it is possible to create a script which changes all Active Directory accounts.  The secret is to persuade the script to start at the domainRoot/.  The way you achieve this dangerous task is to shorten this line:
$OU = "YourDomName/YourOu", to
$OU = "YourDomName/".  

The result would be a script which can ‘get’, or ‘set’ all the accounts in your domain.

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Summary of PowerShell Change Password

If you have to set, or reset the password for a batch of users it makes sense to develop a PowerShell script.  While it takes not inconsiderable preparation to obtain and install the QAD snapin, it is worth it when it comes to creating scripts which create and modify your Active Directory accounts.

Remember the lifesaver know as ‘whatIf’:  Any script that makes wide-ranging, and potentially dangerous changes to Active Directory benefits from appending -whatIf to your command.

If you like this page then please share it with your friends


See more PowerShell QAD Scripts

PowerShell Home   • Quest QAD   • QADUser   • QADGroup   • QADComputer

Export-CSV   • Import CSV   • QAD Password   • Add-PSSnapin   • Free Import User CSVDE Tool

Get-AdUser -filter   • Windows PowerShell   • Windows PowerShell .Net

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.