How to Enable Accounts with userAccountControl
Tutorial for Setting userAccountControl
When a new account is born, especially if you created it with CSVDE, it will be disabled. By resetting userAccountControl to 512, you can enable any Active Directory account. However, there is another factor: giving the enabled account a password so that its user can log on.
Topics for Setting userAccountControl
Our mission is to provide the users with a valid logon name and password. To be successful, we must not only enable the account, but also set a suitable password. What my example script will do is enable not one account, but all accounts in a particular OU. The crucial command is userAccountControl = 512.
Because of Windows 2003's increased security, our script may encounter obstacles. For example, the default Domain Group Policy demands complex passwords with at least 8 characters. Indeed, if the Domain policy enforces 8 characters and we try to enable an account with a null password, the result is this error message: 'The server is unwilling to process the request.' Fortunately, we have the answer: we can script a new password at the same time as we enable the account. We can even set the accounts so that users must change their password at first logon.
You could either log on as an administrator (best), or run this script on an XP machine as a non-administrator. I do believe in making life easy, so avoid complications and try Remote Desktop, rather than executing the script from an XP or other client.
Instructions for setting userAccountControl
Sample Script to Set userAccountControl
' UserAccountControl .vbs
Note 1: userAccountControl needs a numeric value in order to set the account. The two common values for user accounts are: 512 = enable and 514 = disable account. If you are scripting computer accounts, substitute a value of 4096.
Note 2: Purely for testing, I suggest setting userAccountControl = 514. Then open up Active Directory Users and Computers at the OU that corresponds to strContainer. What you are looking for is a red X over the account. Naturally, you could enable the accounts by setting the value back to 512 and running the script again. Incidentally, Active Directory Users and Computers does not always refresh with F5, so right-click and select Refresh from the shortcut menu.
Note 3: Do you remember the goal? Our task is to change all accounts in the OU; therefore, observe how VBScript cycles through the "User" class of objects with the For Each ... Next loop.
' ChangePassword .vbs
VBScript Tutorial - Learning Points
Note 1: Study lines 32-36 and examine the three commands needed to get the result we want. While the password method uses .SetPassword, the other two properties, userAccountControl and PwdLastSet, require the .Put method.
Note 2: The optional extra section launches the Active Directory Users and Computers snap-in. My idea is twofold: to show that the script has completed, and to point you to where you can check what has happened.
The main purpose of userAccountControl is to enable or disable accounts. For users, a value of 512 enables the account, while a value of 514 disables the account and prevents the user from logging on. Computers also need a value for userAccountControl; in their case the number is 4096.
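The three commands described in the Learning Points (.SetPassword, then .Put on userAccountControl and pwdLastSet), written out as an added example; this is not the tutorial's original script. It goes slightly beyond writing a flat 512: it clears only the "disabled" and "password not required" bits so any other flags on the account survive, and it touches only accounts that are currently disabled. The OU name, the script file name and passing the password as a command-line argument are assumptions.

```vbscript
' EnableOUAccounts.vbs - added example, not the tutorial's original script.
Option Explicit

' userAccountControl bit flags (ADSI ADS_USER_FLAG enumeration)
Const ADS_UF_ACCOUNTDISABLE = &H2      ' 2: account is disabled (514 = 512 + 2)
Const ADS_UF_PASSWD_NOTREQD = &H20     ' 32: a blank password is permitted

Dim objRootDSE, objOU, objUser
Dim strDNSDomain, strContainer, strPassword
Dim intUAC, intNewUAC, intChanged

strContainer = "OU=Accounts,"          ' ASSUMPTION: placeholder OU, edit for your domain

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript EnableOUAccounts.vbs <initial password>"
    WScript.Quit 1
End If
strPassword = WScript.Arguments(0)     ' passed in, so no password is stored in the file

' Bind to the OU in whatever domain the script runs in
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer & strDNSDomain)

intChanged = 0
For Each objUser In objOU
    ' Skip computers, groups and child OUs; only touch user objects
    If LCase(objUser.Class) = "user" Then
        intUAC = objUser.Get("userAccountControl")
        ' Leave accounts that are already enabled (and their passwords) alone
        If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            ' 1. Password first, otherwise a complexity policy rejects the enable
            objUser.SetPassword strPassword
            ' 2. Clear only the two bits we care about; keep every other flag
            intNewUAC = intUAC And Not (ADS_UF_ACCOUNTDISABLE Or ADS_UF_PASSWD_NOTREQD)
            objUser.Put "userAccountControl", intNewUAC
            ' 3. pwdLastSet = 0 forces a password change at first logon
            objUser.Put "pwdLastSet", 0
            objUser.SetInfo
            intChanged = intChanged + 1
            WScript.Echo objUser.Get("distinguishedName") & ": " & intUAC & " -> " & intNewUAC
        End If
    End If
Next
WScript.Echo intChanged & " account(s) enabled in " & strContainer & strDNSDomain
```

With this masking, an account at 514 becomes 512, and one at 546 (512 + 32 + 2) also becomes 512, while an account carrying additional flags keeps them.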