Guy’s Scripting Ezine 83 – Reset Passwords

Contents for Ezine 83 – Reset Passwords


This Week’s Secret

I imagine that this week everyone is on holiday, except for a few poor administrators who are grappling with user accounts for next term’s pupils. Therefore, I dedicate this week’s script to passwords.  If it’s just a matter of resetting last terms passwords, I want to save those administrators work.

The secret of this week’s script is to set PwdLastSet = 0.

Even if you have no need for a password script at this time, I challenge you to examine the script and look for its secret of binding to Active Directory without having to hard code your domain name.

Guy Recommends 3 Free Active Directory ToolsDownload Solarwinds Active Directory Administration Tool

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

  1. Seeking and zapping unwanted user accounts.
  2. Finding inactive computers.
  3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

Scenario: You want to reset user accounts to a known password.

Firstly, a word about my paranoia.  My fear is that one reader will use my script and reset everyone’s password in the entire domain.  To prevent such a disaster I have included a line which says OU=nowhere.  My point is that unless you, the reader, alter that line  VBScript will not change any passwords, never worry it changing everyone’s password.

I had another thought about this week’s script.  Even if you do not want to rest passwords you could amend the script to reset other properties, for example telephoneNumber.  As I have mentioned before, the best tool to research other LDAP fields is ADSI Edit.  I emphasise other LDAP fields because for security reasons, Active Directory does not expose the password field even to ADSI Edit. 


This script needs an Active Directory domain.  Best would be to logon as administrator at a domain controller.  My plan B would be to Remote Desktop to a domain controller.

Instructions for Creating a VBScript to change passwords

  1. Decide upon the OU where you want to change passwords, this is vital.  (I choose OU=nowhwere, note the comma.)
  2. Copy and paste the example script below into notepad or use a VBScript editor.
  3. One advantage of a good script editor such as OnScript is that you can see the line numbers.
  4. Save the file with a .vbs extension, for example: StudentPwd.vbs 
  5. Double click StudentPwd.vbs and check the message box.

Example – To Reset All Passwords in a Named OU.

This example sets the password to H0l1d@y$, but only in the OU referenced by strContainer.  I chose this assortment of characters in case you enforce complex passwords in you domain.  Feel free to experiment with simpler passwords if you want to make it easier for the users to logon.  Thanks to the strContainer variable it only resets the passwords in one OU, and not the whole domain.


‘ StudentPwd.vbs
‘ Example VBScript to change a user’s password
‘ Version 2.0 – August 2005
‘ ———————————————————‘
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

‘ ——————————————————–‘
‘ Note: Please change OU=nowhere, to reflect your domain
‘ ——————————————————–‘
strContainer = "OU=nowhere, "
strPassword = "H0l1d@y$"
intAccValue = 544
intPwdValue = 0
intCounter = 0
‘ ——————————————————-‘
‘ Makes the user change H0l1d@y$ password at first logon
‘ ——————————————————-‘

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = strContainer & strDNSDomain
set objOU =GetObject("LDAP://" & strContainer )

For each objUser in objOU
If objUser.class="user" then
objUser.SetPassword strPassword
objUser.Put "pwdLastSet", intPwdValue

objUser.Put "userAccountControl", intAccValue
intCounter = intCounter +1
End if

WScript.Echo strPassword & " is Password. UserAccountValue = " _
& intAccValue & vbCr & intCounter & " accounts changed"

‘ End of change password example VBScript

Note: Running this script can produce an error "server refuses to complete request" and the error was line 51.

Nothing looked out of the ordinary in your script or with the OU= variable I had used (replacing your OU=NOWHERE). Then it occurred to me that the password value I was trying to set "password" didn't meet the domain required complexity. I changed it to P@ssw0rd and everything worked perfectly for all 650 users!!!

[Extra material kindly sent in by Scott K.]

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Learning Points

Note 1:If you are troubleshooting your script, check strContainer = "OU=nowhere, "

Note 2: If you test one of the user’s accounts on a server, ensure that user has the right to logon locally.  What I do is make them backup operators.

Note 3: In order to get UserAccountControl = 544 to work properly, we must add: pwdLastSet = 0.  When you set pwdLastSet to zero, it forces users to change their passwords at next logon.

Note 4: Try the script without the following two lines.  (I use an ‘ [apostrophe] to rem out the lines.)
objUser.Put "pwdLastSet", intPwdValue

Note 5: Examine the construction:  For Each… next.  Trace how it loops through the users

Note 6: The statement:  If objUser.class="user" then..  is designed to filter out users from other objects such as computers.  Did you spot the End if?

Summary of Resetting the Password

When ‘joiners’ arrive at your organization, or students return for another term, you need a plan to help them manage the first logon.  The most efficient way is a VBScript, which sets all the passwords to known value.  Password scripts often forget to add PwdLastSet, this is a shame as what you want is to give them a known password then force the users to change their password at next logon.  Naturally, to enforce this change  you need to set PwdLastSet to zero.

See More Active Directory VBScripts for Passwords

• User Spreadsheet  • Add Users to Groups  • Create Users  • Free CSV Importer

Ezine 83 Passwords  • Ezine 85 LastLogon  • Ezine 86 LastLogon   • Ezine 122 Passwords

Ezine 128 IUSR Passwords  • VBScript change password  • Tool Kit  • Ezines