July 4, 2008 07:22pm pdt

1. KCTS 668,361
2. LauraEHu... 406,044
3. Chris-Dent 250,701
4. tigermatt 237,352
5. Jay_Jay70 192,997
6. oBdA 182,045
7. toniur 131,542
8. martin_b... 117,501
9. ChiefIT 105,182
10. henjoh09 104,381
11. Netman66 101,550
12. ryansoto 96,494
13. RobSampson 92,095
14. mattee76 89,530
15. Sembee 89,144

1. KCTS 1,441,434
2. LauraEHu... 1,060,029
3. Jay_Jay70 557,820
4. Chris-Dent 473,299
5. oBdA 446,499
6. toniur 442,680
7. Sembee 384,223
8. Netman66 339,408
9. tigermatt 332,283
10. leew 233,348
11. Pber 185,760
12. kamalgopi 183,846
13. TechSoEasy 182,330
14. aissim 163,146
15. strongline 154,115

01.20.2008 at 02:44PM PST, ID: 23097149

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.4

Script to unlock user accounts

Zones: Active Directory, Microsoft Server, VB Script

Tags: Microsoft, Server 2003, Active Directory 2003, scripting

We are looking to push some admin functions out to the edge to help lighten the load on the helpdesk/IS department. (Currently 3 people in the department supporting roughly 90 employees and 45 servers.)

What we would like to do is create a webpage that runs a script allowing managers to unlock windows accounts for their staff. The key components we need to capture (for security and auditing purposes) is to 1: log the unlock event to a SQL server (MSDE, Access, or SQL, it doesn't matter) the log needs to have the account unlocked, who unlocked it, and the terminal it came from. 2: We need it to send the IS department an email as soon as the attempt is made with the same information in the log. 3: Have it write an event to the security event log on the DC and 4: We need to restrict it so that only people in a given NTFS group, or OU can access the page and run the script.

My concerns with this are, how much of a security risk is it to open this up to non-IS staff? While it will help staff get unlocked quicker should the IS department be unavailable, I am not 100% convinced it is a sound decision.

Is anyone else doing this? AND, since I am admittedly not a strong programmer, I need some help getting pointed in the right direction on this, ensuring that the code is secure. I have tried to get this to work with powershell scripts, but haven't been successful.

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: COSMTARFCU

Solution Provided By: RobSampson

Participating Experts: 4

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

01.20.2008 at 02:52PM PST, ID: 20702805

Rank: Genius

KCTS:

The simplest and most secure way to do this is by delegation. Group the users into OUs and then use the delegation of control wizard to delegate the resetting of passwords to selected users (actually is better to delegate to a group and then put the authourised user(s) into that group - even it its only one user at the moment- it makes it simple to add/revoke users).

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/Miscellaneous/UsingtheDelegationofControlWizardStep-by-step.html

Once you have delegated permissions with the wizard you can install the Adminpak.msi tool onto the users workstations and to make life and for the user, create a taskpad for the purpose.
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

If tou use aditiond properly then all useage of the privilage will be recorded in the security log.

01.20.2008 at 02:56PM PST, ID: 20702846

Rank: Genius

KCTS:

Sorry I talked about resettin passwords above - but unlocking accounts is essentially the same process.

01.20.2008 at 03:00PM PST, ID: 20702853

lamaslany:

Create a group in AD and delegate write access in AD to the lockoutTime property. Add the users you want to be able to unlock accounts to this group.

This isn't a great security issue as all they are able to do is unlock the account. They cannot edit any details or enable a disabled account so the worse they can do is facilitate a brute-force attack on a password. Of course you'll have a log of the fact that they keep unlocking the account and it'll still drastically reduce the efficiency of a brute force password attack.

01.20.2008 at 03:03PM PST, ID: 20702858

lamaslany:

Oops - I should point out you can restrict the ability to unlock accounts to a particular OU. And of course they will need to give them read access to the lockoutTime property too. :)

01.20.2008 at 03:44PM PST, ID: 20702987

Rank: Master

and235100:

Example script:
http://www.enterpriseitplanet.com/resources/scripts_win/article.php/3083311

01.20.2008 at 05:04PM PST, ID: 20703256

Rank: Genius

RobSampson:

Hi, see if this HTA can work for you. Copy the text into Notepad, save it as a file with a HTA extension, and see if it works.

So far it doesn't check group membership, but as has been suggested, your managers can go in a specific security group, then the HTA can check if the user running it is in that group, and they can search for a user.

It also doesn't write any logs at the moment, but that can be done.

<head>
<title>Unlock User Accounts</title>
<HTA:APPLICATION
APPLICATIONNAME="Unlock User Accounts"
BORDER="thin"
SCROLL="no"
SINGLEINSTANCE="yes"
WINDOWSTATE="normal"
>
</head>

<script language="VBScript">
Sub Window_Onload
      btn_UnlockAccount.Disabled = True
      Set objADSysInfo = CreateObject("ADSystemInfo")
      Set objManager = GetObject("LDAP://" & objADSysInfo.Username)
      span_manager.InnerHTML = "Hello " & objManager.DisplayName
      span_userdetails.InnerHTML = "<br><br>"
End Sub

Sub Find_Account
      If Trim(txt_username.Value) <> "" Then
            strUserADsPath = Get_LDAP_User_Properties("user", "samAccountName", Trim(txt_username.Value), "adsPath")
            If InStr(strUserADsPath, "LDAP://") > 0 Then
                  Set objUser = GetObject(strUserADsPath)
                  If objUser.isAccountLocked = True Then
                        span_userdetails.InnerHTML = objUser.DistinguishedName & "<br>Account locked out."
                        btn_unlockaccount.disabled = False
                  Else
                        span_userdetails.InnerHTML = objUser.DistinguishedName & "<br>Account is not locked out."
                        btn_unlockaccount.disabled = True
                  End If
            Else
                  span_userdetails.InnerHTML = Trim(txt_username.Value) & " not found.<br><br>"
            End If
      Else
            MsgBox "Please enter a username to search for."
            txt_username.Focus
      End If
End Sub

Sub Unlock_Account
      Set objUser = GetObject("LDAP://" & Split(LCase(span_userdetails.InnerHTML), "<br>")(0))
      objUser.isAccountLocked = False
      objUser.SetInfo
      If objUser.isAccountLocked = True Then
            span_userdetails.InnerHTML = objUser.DistinguishedName & "<br>Account locked out."
            btn_unlockaccount.disabled = False
      Else
            span_userdetails.InnerHTML = objUser.DistinguishedName & "<br>Account is not locked out."
            btn_unlockaccount.disabled = True
      End If
End Sub

Function Get_LDAP_User_Properties(strObjectType, strSearchField, strObjectToGet, strCommaDelimProps)

' This is a custom function that connects to the Active Directory, and returns the specific
' Active Directory attribute value, of a specific Object.
' strObjectType: usually "User" or "Computer"
' strSearchField: the field by which to seach the AD by. This acts like an SQL Query's WHERE clause.
'                        It filters the results by the value of strObjectToGet
' strObjectToGet: the value by which the results are filtered by, according the strSearchField.
'                        For example, if you are searching based on the user account name, strSearchField
'                        would be "samAccountName", and strObjectToGet would be that speicific account name,
'                        such as "jsmith". This equates to "WHERE 'samAccountName' = 'jsmith'"
'      strCommaDelimProps: the field from the object to actually return. For example, if you wanted
'                        the home folder path, as defined by the AD, for a specific user, this would be
'                        "homeDirectory". If you want to return the ADsPath so that you can bind to that
'                        user and get your own parameters from them, then use "ADsPath" as a return string,
'                        then bind to the user: Set objUser = GetObject("LDAP://" & strReturnADsPath)

' Now we're checking if the user account passed may have a domain already specified,
' in which case we connect to that domain in AD, instead of the default one.
If InStr(strObjectToGet, "\") > 0 Then
arrGroupBits = Split(strObjectToGet, "\")
strDC = arrGroupBits(0)
strDNSDomain = strDC & "/" & "DC=" & Replace(Mid(strDC, InStr(strDC, ".") + 1), ".", ",DC=")
strObjectToGet = arrGroupBits(1)
Else
' Otherwise we just connect to the default domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
End If

strBase = "<LDAP://" & strDNSDomain & ">"
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Filter on user objects.
'strFilter = "(&(objectCategory=person)(objectClass=user))"
strFilter = "(&(objectClass=" & strObjectType & ")(" & strSearchField & "=" & strObjectToGet & "))"

' Comma delimited list of attribute values to retrieve.
strAttributes = strCommaDelimProps
arrProperties = Split(strCommaDelimProps, ",")

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
' Define the maximum records to return
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
strReturnVal = ""
Do Until adoRecordset.EOF
' Retrieve values and display.
For intCount = LBound(arrProperties) To UBound(arrProperties)
If strReturnVal = "" Then
strReturnVal = adoRecordset.Fields(intCount).Value
Else
strReturnVal = strReturnVal & VbCrLf & adoRecordset.Fields(intCount).Value
End If
Next
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
Get_LDAP_User_Properties = strReturnVal

End Function
</script>

<body STYLE="font:14 pt arial; color:white;filter:progid:DXImageTransform.Microsoft.Gradient
(GradientType=1, StartColorStr='#000033', EndColorStr='#0000FF')">
      <table width='80%' height = '100%' align='center' border='0'>
            <tr>
                  <td align="center">
                        <h2>Unlock User Accounts</h2>
                  </td>
            </tr>
            <tr>
                  <td align="center">
                        <span id="span_manager"></span>
                  </td>
            </tr>
            <tr>
                  <td align="center">
                        Enter the user's login name to unlock:
                  </td>
            </tr
            <tr>
                  <td align="center">
                        <input type="text" name="txt_username" maxlength="15" size="16">&nbsp&nbsp&nbsp
                        <input type="button" value="Find Account" name="btn_findaccount" onClick="vbs:Find_Account">
                  </td>
            </tr>
            <tr>
                  <td align="center">
                        <br><span id="span_userdetails"></span><br>
                  </td>
            </tr>
            <tr>
                  <td align="center">
                        <input type="button" value="Unlock Account" name="btn_unlockaccount" onClick="vbs:Unlock_Account">
                  </td>
            </tr>
      </table>
</body>

Regards,

Rob.

Accepted Solution

RobSampson

01.22.2008 at 02:12PM PST, ID: 20719000

Sure, no worries. Thanks for the grade.

Regards,

Rob.

20080236-EE-VQP-29 / EE_QW_2_20070628