Contents for Ezine 83 – Reset Passwords
♣ This Week’s SecretI imagine that this week everyone is on holiday, except for a few poor administrators who are grappling with user accounts for next term’s pupils. Therefore, I dedicate this week’s script to passwords. If it’s just a matter of resetting last terms passwords, I want to save those administrators work. The secret of this week’s script is to set PwdLastSet = 0. Even if you have no need for a password script at this time, I challenge you to examine the script and look for its secret of binding to Active Directory without having to hard code your domain name. Guy Recommends 3 Free Active Directory ToolsSolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
Download your FREE Active Directory administration tools. Scenario: You want to reset user accounts to a known password.Firstly, a word about my paranoia. My fear is that one reader will use my script and reset everyone’s password in the entire domain. To prevent such a disaster I have included a line which says OU=nowhere. My point is that unless you, the reader, alter that line VBScript will not change any passwords, never worry it changing everyone’s password. I had another thought about this week’s script. Even if you do not want to rest passwords you could amend the script to reset other properties, for example telephoneNumber. As I have mentioned before, the best tool to research other LDAP fields is ADSI Edit. I emphasise other LDAP fields because for security reasons, Active Directory does not expose the password field even to ADSI Edit. PrerequisitesThis script needs an Active Directory domain. Best would be to logon as administrator at a domain controller. My plan B would be to Remote Desktop to a domain controller. Instructions for Creating a VBScript to change passwords
Example – To Reset All Passwords in a Named OU.This example sets the password to H0l1d@y$, but only in the OU referenced by strContainer. I chose this assortment of characters in case you enforce complex passwords in you domain. Feel free to experiment with simpler passwords if you want to make it easier for the users to logon. Thanks to the strContainer variable it only resets the passwords in one OU, and not the whole domain. ‘ StudentPwd.vbs ‘ ——————————————————–‘ Set objRootDSE = GetObject("LDAP://RootDSE") For each objUser in objOU objUser.Put "userAccountControl", intAccValue WScript.Echo strPassword & " is Password. UserAccountValue = " _ ‘ End of change password example VBScript Note: Running this script can produce an error "server refuses to complete request" and the error was line 51. Nothing looked out of the ordinary in your script or with the OU= variable I had used (replacing your OU=NOWHERE). Then it occurred to me that the password value I was trying to set "password" didn't meet the domain required complexity. I changed it to P@ssw0rd and everything worked perfectly for all 650 users!!! [Extra material kindly sent in by Scott K.] Guy Recommends: Tools4ever’s UMRATired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes. It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA. Learning PointsNote 1:If you are troubleshooting your script, check strContainer = "OU=nowhere, " Note 2: If you test one of the user’s accounts on a server, ensure that user has the right to logon locally. What I do is make them backup operators. Note 3: In order to get UserAccountControl = 544 to work properly, we must add: pwdLastSet = 0. When you set pwdLastSet to zero, it forces users to change their passwords at next logon. Note 4: Try the script without the following two lines. (I use an ‘ [apostrophe] to rem out the lines.) Note 5: Examine the construction: For Each… next. Trace how it loops through the users Note 6: The statement: If objUser.class="user" then.. is designed to filter out users from other objects such as computers. Did you spot the End if? Summary of Resetting the PasswordWhen ‘joiners’ arrive at your organization, or students return for another term, you need a plan to help them manage the first logon. The most efficient way is a VBScript, which sets all the passwords to known value. Password scripts often forget to add PwdLastSet, this is a shame as what you want is to give them a known password then force the users to change their password at next logon. Naturally, to enforce this change you need to set PwdLastSet to zero. See More Active Directory VBScripts for Passwords• User Spreadsheet • Add Users to Groups • Create Users • Free CSV Importer • Ezine 83 Passwords • Ezine 85 LastLogon • Ezine 86 LastLogon • Ezine 122 Passwords • Ezine 128 IUSR Passwords • VBScript change password • Tool Kit • Ezines |