Guy’s Scripting Ezine 23 – Enabling User Accounts


Please note:

Since writing this ezine, I have discovered the importance of adding pwdLastSet to this example script.  In order to force users to change password at next logon, you must include both these properties, UserAccountControl and pwdLastSet, in your VBScript.

This Week’s Secret – CSVDE does not set passwords

CSVDE is a wonderful utility for importing users from a spreadsheet into Active Directory.  Unfortunately, you cannot use CSVDE to set passwords.  This has repercussions where you have password Group Policies.  In such cases zero length passwords are not permitted.

To spell out the problem: if your domain account policy means that passwords have to be a minimum of 6 characters, then you cannot import accounts with CSVDE and set them to ‘Enabled’.  Nor can you set them to: ‘User must change password at next logon’.  All that you can do is import the user accounts with CSVDE and create a VBScript to add the passwords and to enable the accounts.

In fact, if you attempt to add a password field to your CSVDE spreadsheet, then the import fails with an unfriendly error message. Worse, it seems that whenever I try to add a password field to a CSVDE import, the operating system gets so upset by this illegal procedure that I have to start again with a new spreadsheet.

The answer is a VBScript to set the UserAccountControl.

A Script to Enable accounts that have been ‘Disabled’

The purpose of this script is to enable accounts so that users can log on to your domain. The situation is that you have just bulk imported users, but all the accounts are disabled. You want people to be able to use their new accounts.

The key LDAP property is UserAccountControl; what we need to do is change the value from 514 to 512.  With a value of 512, the account will be enabled and the users can log on.

Instructions to Enable Active Directory User Accounts

  1. Pre-requisites.  You need either a Windows 2000 or Server 2003 domain controller for this script to work.
  2. Change Line 11 "OU=Cowbridge ," to the name of one of your OUs.  Alternatively, create an OU called Cowbridge.
  3. Please make sure that the OU has users and that their accounts are disabled (right-click any account, select ‘Disable Account’).
  4. Copy and paste the script below into notepad.
  5. Save the file with .vbs extension e.g. AccountControl.vbs
  6. Double click and observe the message box
  7. See: Importance of adding pwdLastSet

' Set AccPwd.vbs
' Example VBScript to require users change passwords at next logon
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.2 - March 2004
' Tweaked by Michael Shatswell February 2010
' (added line 26 from Microsoft's site, matched to script)
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=ITStaff ,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.class = "user" Then
        objUser.SetPassword "p@$$w0rd"
        objUser.SetInfo
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
        objUser.Put "pwdLastSet", CLng(0)   ' 0 marks the password as expired
        objUser.SetInfo
    End If
Next
WScript.Echo intCounter & " Users change pwd next logon. Value " _
& intAccValue
WScript.Quit
' End of User Account example VBScript

Learning Points

Note 0: Script kindly modified by Michael Shatswell

Note 1: The method here is .Put, for example objUser.Put

Note 2: If objUser.class = "user".  Here we only wish to enable user accounts, not computer accounts.

Note 3: intAccValue allows me to echo the value that I have set for UserAccountControl.  This is useful if I wish to experiment with the values below.

Note 4: See: Importance of adding pwdLastSet

Note 5: See more on UserAccountControl


Troubleshooting

Naturally you have to create or move some accounts into the OU = Cowbridge and make sure they are disabled.

If you are testing a script for the second or third time, then you need to Refresh to check that the amendments are working. The secret is to select the OU, then choose Refresh from the shortcut menu. For some strange reason F5 (Function key 5) only works the first time.

UserAccountControl Values

You may be wondering what range of settings you can use on the UserAccountControl attribute.  Here is a list of the most common values for a user object.

512 – Enable Account

514 – Disable account

544 – Account Enabled – Require user to change password at first logon

66048 – Password never expires

262656 – Smart Card Logon Required

I discovered the above values by experimenting with the users’ property sheets in Active Directory Users and Computers. What I did was set the check boxes in the Account property tab and then exported the users with CSVDE -f account.csv. In truth, I used the -d switch to filter the records so that I only exported users in the Cowbridge OU.

CSVDE -f account.csv -d "ou=cowbridge,dc=cp,dc=com"

Finally, I examined the UserAccountControl column in the spreadsheet, and compared the values with ticks in checkboxes under the Account tab.
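An added example, not part of the original ezine: the values listed above are sums of bit flags, so this script decodes them with the flag constants from Microsoft's ADS_USER_FLAG_ENUM and enables an account by clearing bits instead of writing a fixed number. The helper names DecodeUac and EnableKeepingFlags and the sample value 262658 are assumptions made for the illustration.

```vbscript
' Added example (not from the ezine): decode userAccountControl bit flags
' and enable an account without overwriting its other flags.
Option Explicit

' Flag values as documented in Microsoft's ADS_USER_FLAG_ENUM.
Const ADS_UF_ACCOUNTDISABLE = &H2           ' 2
Const ADS_UF_PASSWD_NOTREQD = &H20          ' 32
Const ADS_UF_NORMAL_ACCOUNT = &H200         ' 512
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000   ' 65536
Const ADS_UF_SMARTCARD_REQUIRED = &H40000   ' 262144

' DecodeUac (hypothetical helper): names of the flags set in lngUac.
Function DecodeUac(lngUac)
    Dim strOut
    strOut = ""
    If (lngUac And ADS_UF_NORMAL_ACCOUNT) <> 0 Then strOut = strOut & "NORMAL_ACCOUNT "
    If (lngUac And ADS_UF_ACCOUNTDISABLE) <> 0 Then strOut = strOut & "ACCOUNTDISABLE "
    If (lngUac And ADS_UF_PASSWD_NOTREQD) <> 0 Then strOut = strOut & "PASSWD_NOTREQD "
    If (lngUac And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then strOut = strOut & "DONT_EXPIRE_PASSWD "
    If (lngUac And ADS_UF_SMARTCARD_REQUIRED) <> 0 Then strOut = strOut & "SMARTCARD_REQUIRED "
    DecodeUac = Trim(strOut)
End Function

' EnableKeepingFlags (hypothetical helper): clear only the "disabled" and
' "password not required" bits; every other flag is preserved.
Function EnableKeepingFlags(lngUac)
    EnableKeepingFlags = lngUac And Not (ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD)
End Function

' The five values listed above, plus one constructed value (262658 =
' smart card required + disabled) where writing a flat 512 would drop a flag.
Dim arrSample, lngValue
arrSample = Array(512, 514, 544, 66048, 262656, 262658)
For Each lngValue In arrSample
    WScript.Echo lngValue & " = " & DecodeUac(lngValue) & _
        "  ->  enabled as " & EnableKeepingFlags(lngValue)
Next

' Against a live OU the same helper slots into the loop used in this ezine:
'   objUser.Put "userAccountControl", _
'       EnableKeepingFlags(objUser.Get("userAccountControl"))
'   objUser.SetInfo
```

Run it with cscript //nologo so the decoded lines print to the console instead of appearing as message boxes; it needs no domain controller.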


Force users to change password at next logon

This is where we put it all together.  A combination of last week’s script to set user accounts password, with this week’s script to enable the accounts.  Because I want them to change password at next logon, I set the UserAccountControl to be 544.

' Set AccPwd.vbs
' Example VBScript to require users change passwords at next logon
' Author Guy Thomas https://computerperformance.co.uk/
' Version 2.2 - March 21st 2004
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
set objOU =GetObject("LDAP://" & strContainer )
intCounter = 0
      For each objUser in objOU
          If objUser.class="user" then
          objUser.SetPassword "P@��er2004"
          objUser.SetInfo
          objUser.Put "userAccountControl", intAccValue
          objUser.SetInfo
          intCounter = intCounter +1
          strLastUser = objUser.Get ("name")
          End if
       next
WScript.Echo intCounter & " Users change pwd next logon.  Value " _
& intAccValue
WScript.Quit
' End of User Account example VBScript
 

Learning Points

Note 1: intAccValue is now changed to 544.

Note 2: We insert last week’s method, objUser.SetPassword.


Out Takes – Script with mistakes

The idea is if you would like to test yourself by correcting a script with mistakes, then try the following script, and see if you can spot the mistakes.  Answers underneath.

' Set AccountControl.vbs
' VBScript to enable user accounts in a named OU
' Author Guy Thomas https://computerperformance.co.uk/
' Version 1.3 - March 21st 2004
' ----------------------------------------------------------------
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter,
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 512
strContainer = strContainer & strDNSDomain
set objOU =GetObject("LDAP://" & strContainer )
intCounter = 0
      For each objUser in objOU
          If objUser.class="user" then
          objUser.Put "userAccountControl", intAccValue
          objUser.SetInfo
          intCounter = intCounter +1
          strLastUser = objUser.Get ("name")
          End if
       next
WScript.Echo intCounter & " Accounts Enabled. Value " _
& intAccValue
WScript.Quit

Out Takes – Answers

  • Dim strContainer, strLastUser, strDNSDomain, intCounter,
    Either there should be no comma at the end of the line, or you should add another variable: intAccValue
  • Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
  • See: Importance of adding pwdLastSet
