Contents for Guy’s Scripting Ezine 23 – Enabling User Accounts
- This Week’s Secret
- Script to Enable accounts that have been ‘Disabled’ X
- Force users to change password at next logon
- Out Takes and Answers
- See more on UserAccountControl
Please note:
Since writing this ezine, I have discovered the importance of adding pwdLastSet to this example script. In order to force users to change password at next logon, you must include both these properties, UserAccountControl and pwdLastSet, in your VBScript.
This Week’s Secret – CSVDE does not set passwords
CSVDE is a wonderful utility for importing users from a spreadsheet into Active Directory. Unfortunately, you cannot use CSVDE to set passwords. This has repercussions where you have password Group Policies. In such cases zero length passwords are not permitted.
To spell out the problem: if your domain account policy means that passwords have to be a minimum of 6 characters, then you cannot import accounts with CSVDE and set them to ‘Enabled’. Nor can you set them to: ‘User must change password at next logon’. All that you can do is import the user accounts with CSVDE and create a VBScript to add the passwords and to enable the accounts.
In fact, if you attempt to add a password field to your CSVDE spreadsheet, then import fails with an unfriendly error message. Worse, it seems whenever I try to add a password field to a CSVDE import, the operating system gets so upset by this illegal procedure that I have to start again with a new spreadsheet.
The answer is a VBScript to set the UserAccountControl.
A Script to Enable accounts that have been ‘Disabled’ X
The purpose of this script is to enable accounts so that users can log on to your domain. The situation is that you have just bulk imported users but all the accounts are disabled. You want people to be able to use their new accounts.
The key LDAP property is UserAccountControl; what we need to do is change the value from 514 to 512. With a value of 512, the account will be enabled and the users can log on.
Instructions to Enable Active Directory User Accounts
- Pre-requisites. You need either a Windows 2000 or Server 2003 domain controller for this script to work.
- Change Line 11 "OU=Cowbridge ," to the name of one of your OUs. Alternatively, create an OU called Cowbridge.
- Please make sure that the OU has users and that their accounts are disabled (right-click any account, select ‘Disable Account’).
- Copy and paste the script below into notepad.
- Save the file with .vbs extension e.g. AccountControl.vbs
- Double click and observe the message box
' Set AccPwd.vbs
' Example VBScript to require users change passwords at next logon
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.2 – March 2004
' Tweaked by Michael Shatswell February 2010
' (added line 26 from Microsoft's site, matched to script)
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=ITStaff ,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword "p@$$w0rd" ' same initial password for every user in the OU
        objUser.SetInfo
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
        objUser.Put "pwdLastSet", CLng(0) ' 0 = must change password at next logon
        objUser.SetInfo
    End If
Next
WScript.Echo intCounter & " Users change pwd next logon. Value " _
    & intAccValue
WScript.Quit
' End of User Account example VBScript
Learning Points
Note 0: Script kindly modified by Michael Shatswell
Note 1: The method here is .Put, for example objUser.Put
Note 2: If objUser.class = "user". Here we only wish to enable user accounts, not computer accounts.
Note 3: intAccValue allows me to echo the value that I have set for UserAccountControl. This is useful if I wish to experiment with the values below.
Note 4: See Importance of adding : pwdLastSet
Note 5: See more on UserAccountControl
Troubleshooting
Naturally you have to create or move some accounts into the OU = Cowbridge and make sure they are disabled.
If you are testing a script for the second or third time, then you need to Refresh to check that the amendments are working. The secret is to select the OU, then choose Refresh from the shortcut menu. For some strange reason F5 (Function key 5) only works the first time.
UserAccountControl Values
You may be wondering what range of settings you can use on the UserAccountControl attribute. Here is a list of the most common values for a user object.
512 – Enable Account
514 – Disable account
544 – Account Enabled – Require user to change password at first logon
66048 – Password never expires
262656 – Smart Card Logon Required
I discovered the above values by experimenting with the users’ property sheets in Active Directory Users and Computers. What I did was set the check boxes in the Account property tab and then exported the users with CSVDE -f account.csv. In truth, I used the -d switch to filter the records so that I only exported users in the Cowbridge OU.
CSVDE -f account.csv -d "ou=cowbridge,dc=cp,dc=com"
Finally, I examined the UserAccountControl column in the spreadsheet, and compared the values with ticks in checkboxes under the Account tab.
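The values listed above are sums of individual bit flags. The following VBScript is an added example, not part of the original ezine: it decodes each value into its flags and shows how to enable an account by clearing only the "disabled" bit instead of overwriting the whole attribute. The helper names DescribeUAC and EnableOnly and the sample value 66050 are constructed for illustration; the bit values are those of Microsoft's ADS_USER_FLAG enumeration.

```vbscript
' Added example (not from the ezine): decode userAccountControl flags and
' enable an account without overwriting its other flags.
Option Explicit

' Bit values from Microsoft's ADS_USER_FLAG enumeration (names shortened here)
Const UF_ACCOUNTDISABLE     = 2
Const UF_PASSWD_NOTREQD     = 32
Const UF_NORMAL_ACCOUNT     = 512
Const UF_DONT_EXPIRE_PASSWD = 65536
Const UF_SMARTCARD_REQUIRED = 262144

' Return the names of the known flags that are set in a userAccountControl value.
Function DescribeUAC(lngValue)
    Dim arrBits, arrNames, i, strOut
    arrBits  = Array(UF_ACCOUNTDISABLE, UF_PASSWD_NOTREQD, UF_NORMAL_ACCOUNT, _
                     UF_DONT_EXPIRE_PASSWD, UF_SMARTCARD_REQUIRED)
    arrNames = Array("ACCOUNTDISABLE", "PASSWD_NOTREQD", "NORMAL_ACCOUNT", _
                     "DONT_EXPIRE_PASSWD", "SMARTCARD_REQUIRED")
    strOut = ""
    For i = 0 To UBound(arrBits)
        If (lngValue And arrBits(i)) <> 0 Then
            If strOut <> "" Then strOut = strOut & " + "
            strOut = strOut & arrNames(i)
        End If
    Next
    DescribeUAC = strOut
End Function

' Clear only the "disabled" bit; every other flag is preserved.
Function EnableOnly(lngValue)
    EnableOnly = lngValue And (Not UF_ACCOUNTDISABLE)
End Function

Dim arrSamples, lngUAC, strReport
' Values listed on this page, plus 66050 (constructed: disabled + never expires)
arrSamples = Array(512, 514, 544, 66048, 262656, 66050)
strReport = ""
For Each lngUAC In arrSamples
    strReport = strReport & lngUAC & " = " & DescribeUAC(lngUAC) & vbCrLf
Next
strReport = strReport & "EnableOnly(66050) = " & EnableOnly(66050) & _
            " (a plain Put of 512 would drop DONT_EXPIRE_PASSWD)"
WScript.Echo strReport

' Against a real user object (same ADSI calls as the ezine script):
'   objUser.Put "userAccountControl", EnableOnly(objUser.Get("userAccountControl"))
'   objUser.SetInfo
```

In the output, 544 decodes as NORMAL_ACCOUNT + PASSWD_NOTREQD, that is 512 plus the "password not required" bit (32), which is why the pwdLastSet = 0 step noted at the top of the page is needed to force the password change.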
Force users to change password at next logon
This is where we put it all together. A combination of last week’s script to set user accounts password, with this week’s script to enable the accounts. Because I want them to change password at next logon, I set the UserAccountControl to be 544.
' Set AccPwd.vbs
' Example VBScript to require users change passwords at next logon
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.2 – March 21st 2004
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword "P@��er2004"
        objUser.SetInfo
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        ' pwdLastSet = 0 is also required to force the change (see the note at the top of this page)
        objUser.Put "pwdLastSet", CLng(0)
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Users change pwd next logon. Value " _
    & intAccValue
WScript.Quit
' End of User Account example VBScript
Learning Points
Note 1: intAccValue is now changed to 544.
Note 2: We insert last week’s method, objUser.SetPassword.
Out Takes – Script with mistakes
The idea is if you would like to test yourself by correcting a script with mistakes, then try the following script, and see if you can spot the mistakes. Answers underneath.
' Set AccountControl.vbs
' VBScript to enable user accounts in a named OU
' Author Guy Thomas https://computerperformance.co.uk/
' Version 1.3 – March 21st 2004
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter,
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 512
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Accounts Enabled. Value " _
    & intAccValue
WScript.Quit
Out Takes – Answers
- Dim strContainer, strLastUser, strDNSDomain, intCounter,
Either there should be no comma at the end of the line, or you should add another variable, intAccValue:
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue