Contents for Ezine 83 – Reset Passwords
I imagine that this week everyone is on holiday, except for a few poor administrators who are grappling with user accounts for next term’s pupils. Therefore, I dedicate this week’s script to passwords. If it’s just a matter of resetting last terms passwords, I want to save those administrators work.
The secret of this week’s script is to set PwdLastSet = 0.
Even if you have no need for a password script at this time, I challenge you to examine the script and look for its secret of binding to Active Directory without having to hard code your domain name.
SolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
Firstly, a word about my paranoia. My fear is that one reader will use my script and reset everyone’s password in the entire domain. To prevent such a disaster I have included a line which says OU=nowhere. My point is that unless you, the reader, alter that line VBScript will not change any passwords, never worry it changing everyone’s password.
I had another thought about this week’s script. Even if you do not want to rest passwords you could amend the script to reset other properties, for example telephoneNumber. As I have mentioned before, the best tool to research other LDAP fields is ADSI Edit. I emphasise other LDAP fields because for security reasons, Active Directory does not expose the password field even to ADSI Edit.
This script needs an Active Directory domain. Best would be to logon as administrator at a domain controller. My plan B would be to Remote Desktop to a domain controller.
Instructions for Creating a VBScript to change passwords
This example sets the password to H0l1d@y$, but only in the OU referenced by strContainer. I chose this assortment of characters in case you enforce complex passwords in you domain. Feel free to experiment with simpler passwords if you want to make it easier for the users to logon. Thanks to the strContainer variable it only resets the passwords in one OU, and not the whole domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
For each objUser in objOU
objUser.Put "userAccountControl", intAccValue
WScript.Echo strPassword & " is Password. UserAccountValue = " _
‘ End of change password example VBScript
Note: Running this script can produce an error "server refuses to complete request" and the error was line 51.
Nothing looked out of the ordinary in your script or with the OU= variable I had used (replacing your OU=NOWHERE). Then it occurred to me that the password value I was trying to set "password" didn't meet the domain required complexity. I changed it to P@ssw0rd and everything worked perfectly for all 650 users!!!
[Extra material kindly sent in by Scott K.]
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.
Note 1:If you are troubleshooting your script, check strContainer = "OU=nowhere, "
Note 2: If you test one of the user’s accounts on a server, ensure that user has the right to logon locally. What I do is make them backup operators.
Note 3: In order to get UserAccountControl = 544 to work properly, we must add: pwdLastSet = 0. When you set pwdLastSet to zero, it forces users to change their passwords at next logon.
Note 4: Try the script without the following two lines. (I use an ‘ [apostrophe] to rem out the lines.)
Note 5: Examine the construction: For Each… next. Trace how it loops through the users
Note 6: The statement: If objUser.class="user" then.. is designed to filter out users from other objects such as computers. Did you spot the End if?
When ‘joiners’ arrive at your organization, or students return for another term, you need a plan to help them manage the first logon. The most efficient way is a VBScript, which sets all the passwords to known value. Password scripts often forget to add PwdLastSet, this is a shame as what you want is to give them a known password then force the users to change their password at next logon. Naturally, to enforce this change you need to set PwdLastSet to zero.
See More Active Directory VBScripts for Passwords