Mandy_
asked on
PowerShell - Set password depending on group membership or AD attributes
Hi,
I would like to check some attributes in AD and, depending on the result, reset the password or not:
1. AD attribute CannotChangePassword = false, then PW-RESET
2. User is a member of group "ADG" = false, then PW-RESET
3. User has in the CSV column "action" the value "AdAccount" = true, then PW-RESET
Here is only the relevant part of the script:
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {} # from CSV
$PW = (Get-ADUser -identity $user.userid -properties * ) | Select-Object CannotChangePassword
If ($PW -like "false") {
    $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf -split (",")
    If ($group -like "false") {
        $NewPassword = $user.userid.Insert(5,"$")
        $NewPassword = $newPassword.Insert(3,"C")
        $NewPassword = $newPassword.Remove(0, 1)
        $newPassword = $newPassword.Insert(0,"Z")
        Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
    } else {
        {$_.Version -eq "MSXC2010" -and $_.action -eq "AdAccount"} {
            $NewPassword = $user.UserId.Insert(5,"!")
            $NewPassword = $newPassword.Insert(3,"k")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"P")
            Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
        }
    }
My script is still not working. Could anybody help?
I appreciate your help.
Mandy
ASKER
Hi footech, hi,
Thank you for your answer. I recreated the script as you can see below. Unfortunately, whether I move the user into the group or not, or set the AD attribute "CannotChangePassword", the password is still reset.
What I exactly want is:
1. If for one or more of the users the attribute "CannotChangePassword" is set (true): no PW-RESET! All other users: PW-RESET!
2. If one or more of the users are members of the group "ADG": no PW-RESET. All other users: PW-RESET.
We enter the script with all users, because all users in the CSV always have the value "MSCX2010".
Then we ask:
If 1 and 2 are true - NO PW-RESET
If only one is true - NO PW-RESET
If both are false - PW-RESET
In the 2nd part we ask only for the CSV value "ADAccount" in "action"; if this is true = PW-RESET.
A user with "ADACCOUNT" never has a mailbox account, is never a group member and never has the password attribute "CannotChangePassword" set.
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {
    $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
    If ($PW -eq "$true") {
        $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ASG" }
        If (!($GROUP)) {
            $NewPassword = $user.userid.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"Z")
            Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
            $searcher=New-Object DirectoryServices.DirectorySearcher
            $searcher.Filter="(&(samaccountname=Z000001))"
            $results=$searcher.findone()
            [datetime]::fromfiletime($results.properties.pwdlastset[0])
            # }
        } else {
            {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"}
            $NewPassword = $user.UserId.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"Z")
            Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
            $searcher=New-Object DirectoryServices.DirectorySearcher
            $searcher.Filter="(&(samaccountname=Z000001))"
            $results=$searcher.findone()
            [datetime]::fromfiletime($results.properties.pwdlastset[0])
The last thing for now: I would like this PW checker to show the result for each user on the screen, like:
User Z000001 Last PW Reset at Samstag, 1. June 2013 09:49:43
$searcher=New-Object DirectoryServices.DirectorySearcher
# $($user.userid) is needed inside the string; "$user.userid" would expand only $user
$searcher.Filter="(&(samaccountname=$($user.userid)))"
$results=$searcher.findone()
[datetime]::fromfiletime($results.properties.pwdlastset[0])
I appreciate your help.
Mandy
ASKER
The 2nd and really last thing I forgot is to check beforehand whether the user has only a web-based mail account. In this case the user is only in databases whose name includes the word "WEB".
So first we check DATABASE = "WEB"; then this user should be moved to another database:
If the user's department = "EMC", then move to database DBEMC001 until DBEMC0045
If the department is not EMC but the database is WEB, then move to DB0020 until DB0040
All other users pass this part and enable/disable the mailbox and so on.
I tried it with the one below but without success.
Import-Module ActiveDirectory
ForEach ($User in Import-Csv "c:\import1.csv"){ #$user}
    switch($user){
        {$_.Version -eq "MSXC2010" -and $_.aktion -eq "new"} {
            # department is not returned by default, it has to be requested
            $DBuser = (Get-ADUser -identity $user.UserID -Properties department).department
            If ($DBuser -like "*EMC*") {
                $db = "DBEMC00$("{0:00}" -f (1..43 | Get-random))"
                $WEBuser = (Get-Mailbox -Identity $user.userid | Select-Object Database)
                If ($Webuser -like "*WEB*") {
                    move-mailbox -Identity $user.userid -TargetDatabase $DB -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm:$false
                }
                else {
                    move-mailbox -Identity $user.userid -TargetDatabase DB0040 -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm:$false
                }
            else {
                Enable-Mailbox -Identity $user.UserId -Database $db
            }
            else {
                Enable-Mailbox -Identity $user.UserId
Could you please give me advice on the best way to resolve this problem?
Thank you so much.
I appreciate your help.
Mandy
ASKER CERTIFIED SOLUTION
In answer to post http:#a39212668
This question was started in regards to criteria for resetting passwords. For help with problems moving, or enabling/disabling mailboxes, etc., please start a new question. Otherwise this question becomes too difficult and confusing to follow. Plus, other experts may be able to give you better advice in regards to that problem.
ASKER
Thank you! I moved the other question to a new one.
I checked your code and the first part is running fine. But if you only want AdAccount (password reset in the 2nd part), nothing happens.
I created this behind it and everything is working fine now. What do you think about it?
Import-Module ActiveDirectory

ForEach ($User in Import-Csv "c:\import1.csv") {
    switch ($user) {
        # CSV rows with aktion "AdAccount": always reset the password
        {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"} {
            # new password is derived from the user id by inserting/removing characters
            $NewPassword = $user.UserId.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"z")
            Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
            "User {0} Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
        }
        # CSV rows with aktion "New": reset only when CannotChangePassword is not set
        # and the user is not a member of the group AGS
        {$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {
            $PW = (Get-ADUser -identity $user.userid -properties CannotChangePassword).CannotChangePassword
            If ($PW -eq $false) {
                # MemberOf holds full DNs; compare only the leading "CN=..." part
                $GROUP = (Get-ADUser -identity $user.userid -Properties MemberOf).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=AGS" }
                If (!($GROUP)) {
                    $NewPassword = $user.userid.Insert(5,"$")
                    $NewPassword = $newPassword.Insert(3,"L")
                    $NewPassword = $newPassword.Remove(0, 1)
                    $newPassword = $newPassword.Insert(0,"z")
                    Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
                    write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                    "User {0} Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                }
            }
        }
    }
}
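As an added example (my code, not from the thread or from footech's accepted answer), this puts the three rules from the thread into one decision function, generates the initial password from the OS CSPRNG instead of deriving it from the user id, and forces a change at next logon. It assumes the CSV columns userid, Version and aktion, the group name ADG and the path c:\import1.csv used in the thread, and that the domain's complexity policy accepts the base64 character set.

```powershell
Import-Module ActiveDirectory

# Decide for one CSV row whether the password should be reset. Rules from the thread:
# aktion "AdAccount" -> reset; aktion "New" -> reset only if CannotChangePassword is
# not set AND the user is not a member of the skip group. Returns a reason string.
function Get-ResetDecision {
    param([Parameter(Mandatory)]$Row, [string]$SkipGroup = 'ADG')   # ADG is assumed
    if ($Row.Version -ne 'MSXC2010') { return 'skip: Version is not MSXC2010' }
    switch ($Row.aktion) {
        'AdAccount' { return 'reset: aktion=AdAccount' }
        'New' {
            $u = Get-ADUser -Identity $Row.userid -Properties CannotChangePassword, MemberOf
            if ($u.CannotChangePassword) { return 'skip: CannotChangePassword is set' }
            # MemberOf holds full DNs; compare only the leading RDN with the group CN
            $inGroup = $u.MemberOf | ForEach-Object { ($_ -split ',')[0] } |
                       Where-Object { $_ -eq "CN=$SkipGroup" }
            if ($inGroup) { return "skip: member of $SkipGroup" }
            return 'reset: aktion=New'
        }
        default { return "skip: unknown aktion '$($Row.aktion)'" }
    }
}

# Random initial password from the OS CSPRNG (18 bytes -> 24 base64 characters).
function New-RandomPassword {
    param([int]$Bytes = 18)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

foreach ($row in Import-Csv 'c:\import1.csv') {
    $decision = Get-ResetDecision -Row $row
    $result = [pscustomobject]@{
        UserId = $row.userid; Decision = $decision
        PasswordLastSet = $null; NewPassword = $null
    }
    if ($decision -like 'reset:*') {
        $pw = New-RandomPassword
        Set-ADAccountPassword -Identity $row.userid -Reset `
            -NewPassword (ConvertTo-SecureString -AsPlainText $pw -Force)
        Set-ADUser -Identity $row.userid -ChangePasswordAtLogon $true   # one-time password
        $result.NewPassword = $pw   # hand over out of band; not echoed with Write-Host
        $result.PasswordLastSet = (Get-ADUser $row.userid -Properties PasswordLastSet).PasswordLastSet
    }
    $result
}
```

The loop emits one object per CSV row with the decision and the reason, so the skip cases (attribute set, group member, wrong Version or aktion) are visible in the output instead of silently doing nothing.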
Looking at some of the other code you've posted, it looks like you may be using a switch statement to check for some of the different conditions instead of If statements, which is what I used. In that case the syntax of the code you posted makes sense.
You can change lines 7-8 like below.
You already have the portion for #3.