AD Management

Irwin W. ("There are a 1000 ways to skin the technology cat.")
CERTIFIED EXPERT
I consult for and manage a number of small businesses with no IT staff, and with staff who could do some serious damage if they were given the ADUC interface. Sure, I can delegate rights and still give access to the ADUC interface, but I truly believe that less is best.

You may already know about these command-line tools. All I have done is place them into .cmd scripts, and since the environments have terminal servers, I created .rdp files so all they have to do is launch the scripts to get to the tools they need for basic day-to-day user management.

The way this works:
  1. The scripts below need to be placed into a directory that your delegated admins can read. I used C:\AD Scripts. Keep write access to that directory limited to real administrators: anyone who can edit the scripts runs whatever they put there under the account of the person who launches them.
  2. I then configured Remote Apps, created a .RDP file and shared it with my local power users.
  3. The next step is to use the AD delegation wizard to grant those users, on the OU that holds the accounts, only what the scripts need: "Reset user passwords and force password change at next logon" for the password script, and write access to the userAccountControl attribute (the "Account Restrictions" property set) for the scripts that disable and re-enable accounts.
I hope this helps anyone who consults and supports small businesses as I do.
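The delegation and RemoteApp steps above as one script, added here as an example and not part of the original article. It grants a group the specific rights the three menu tools use on one OU (the Reset Password extended right, write access to userAccountControl and pwdLastSet, and also lockoutTime so the same group can clear real lockouts, which net user cannot do), then publishes usermgmt.cmd. The OU, group and collection names are placeholders I assumed; the GUIDs are read from the forest schema rather than hard-coded; the last line assumes a Server 2012 or later RDS session collection.

```powershell
# Added example, not from the original article. Scripted form of the delegation step:
# give one group only the rights the usermgmt.cmd tools need, on one OU.
# Assumptions (placeholders to replace): $ouDN, $groupName, $collectionName.
Import-Module ActiveDirectory

$ouDN           = 'OU=Staff,DC=corp,DC=example'   # OU that holds the managed accounts
$groupName      = 'Helpdesk-UserMgmt'             # group the power users belong to
$collectionName = 'UserMgmt'                      # RDS session collection (Server 2012+)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look the GUIDs up in this forest instead of hard-coding them
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'  # changepwd.cmd
$uac         = Get-SchemaGuid 'userAccountControl'     # lockacct.cmd / unlockacct.cmd (net user /active)
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'             # /logonpasswordchg:yes
$lockoutTime = Get-SchemaGuid 'lockoutTime'            # clearing a real lockout (not done by net user)

$sid     = (Get-ADGroup $groupName).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # user objects below the OU only
$rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ext, $allow,
    $resetPwd, $inherit, $userClass))
foreach ($attr in @($uac, $pwdLastSet, $lockoutTime)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow,
        $attr, $inherit, $userClass))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check what the group now holds on the OU (expect one ExtendedRight ACE and three property ACEs)
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize

# Publish the menu script so the power users get only this tool, not a full desktop
New-RDRemoteApp -CollectionName $collectionName -DisplayName 'AD User Management' `
    -FilePath 'C:\AD Scripts\usermgmt.cmd' -UserGroups "$env:USERDOMAIN\$groupName"
```

Inheritance is set to Descendents with the user class as the inherited object type, so nothing is granted on the OU itself or on other object types beneath it. Run the check block again after any later wizard changes; the wizard adds ACEs and never removes them.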

The main user management script. Copy this into a file named usermgmt.cmd:
  • This script has four menu items: Lock AD Account, Unlock AD Account, Change AD Password and Exit. "Lock" and "Unlock" here disable and re-enable the account (net user /active); they do not set or clear the AD lockout that bad password attempts cause.
  • In the ECHO line that reads "for any questions please contact", add information for IT support such as your email address or telephone number.
 
@echo off
CLS
:MENU
ECHO.
ECHO ...............................................
ECHO ..Please select an option
ECHO ..for any questions please contact: (your support email or phone number here)
ECHO ...............................................
ECHO.
ECHO 1 - Lock Active Directory Account
ECHO 2 - Unlock Active Directory Account
ECHO 3 - Change Active Directory Password
ECHO 4 - Exit User Management
ECHO.
ECHO.
REM Clear M first: SET /P leaves the variable unchanged if the user just presses ENTER
SET M=
SET /P M=Type 1, 2, 3 or 4 then press ENTER:
REM Both sides are quoted so an empty or odd entry cannot break the IF; it redisplays the menu
IF "%M%"=="1" GOTO LockAcct
IF "%M%"=="2" GOTO UnlockAcct
IF "%M%"=="3" GOTO ChangePwd
IF "%M%"=="4" GOTO end
ECHO Invalid selection.
GOTO MENU

REM The tool scripts are started without CALL: control passes to them and does not
REM come back here. Each tool script returns by starting usermgmt.cmd again.
:LockAcct
"C:\AD Scripts\lockacct.cmd"
:UnlockAcct
"C:\AD Scripts\unlockacct.cmd"
:ChangePwd
"C:\AD Scripts\changepwd.cmd"

:end



The Change Password script:

  • Copy this into a file named changepwd.cmd.
  • This script lets your power users reset an AD password. It prompts for the username; net user then prompts for the new password itself (the * argument), typed twice and masked, so the password never appears on the net user command line. A password passed as an argument is visible to anyone who can list process command lines on the terminal server and is written to process-creation audit logs (event 4688 with command-line logging enabled), which is why the script does not collect it in a variable.
  • net user only has a /domain switch, which targets the domain the terminal server is joined to; it cannot be pointed at another domain by name, so the script does not ask for one.
@echo off

REM Prompt for username
:uname

REM Clear uname first: SET /P leaves the variable unchanged on an empty entry.
REM If username is blank go to the error prompt, otherwise go on to the password reset.
SET uname=
SET /P uname=Please enter username: 
IF "%uname%"=="" (goto uNameError) else (goto changePass)

:changePass
REM The * makes net user prompt for the new password (typed twice, masked), so the
REM password is never on the command line. /domain targets the domain this server
REM is joined to. /active:yes also re-enables the account if it was disabled, and
REM /logonpasswordchg:yes forces the user to change the password at next logon.
net user "%uname%" * /domain /active:yes /logonpasswordchg:yes
REM Show net user's result before the menu clears the screen
PAUSE
goto end

REM Username is blank error message
:uNameError
ECHO You did not enter a username.
SET unameretry=
SET /P unameretry=Retry? (y, then enter or press enter to exit):
IF /i "%unameretry%"=="y" (goto uname) else (goto end)

:end
REM Return to the menu (started without CALL, so this script hands control over)
"C:\AD Scripts\usermgmt.cmd"


Lock Account:

  • Copy this into a file named lockacct.cmd (the name usermgmt.cmd calls).
  • This script disables a user account (net user /active:no), which blocks all logons with it. This is the "account is disabled" flag, not the AD lockout flag that bad password attempts set.
  • It prompts for the username only. net user has no way to name a domain; its /domain switch always targets the domain the terminal server is joined to.
@echo off

REM Prompt for username
:uname

REM Clear uname first: SET /P leaves the variable unchanged on an empty entry.
REM If username is blank go to the error prompt, otherwise disable the account.
SET uname=
SET /P uname=Please enter username: 
IF "%uname%"=="" (goto uNameError) else (goto lockAccount)

:lockAccount
REM /active:no disables the account in the domain this server is joined to
REM (this sets "account is disabled", not the AD lockout flag)
net user "%uname%" /domain /active:no
REM Show net user's result before the menu clears the screen
PAUSE
goto end

REM Username is blank error message
:uNameError
ECHO You did not enter a username.
SET unameretry=
SET /P unameretry=Retry? (y, then enter or press enter to exit):
IF /i "%unameretry%"=="y" (goto uname) else (goto end)

:end
REM Return to the menu (started without CALL, so this script hands control over)
"C:\AD Scripts\usermgmt.cmd"



Unlock Account:

  • Copy the lines below to a file named unlockacct.cmd.
  • This script re-enables a disabled user account (net user /active:yes). It does not clear an AD lockout caused by bad password attempts; that needs the "Unlock account" box in ADUC or the Unlock-ADAccount cmdlet, and write access to the lockoutTime attribute.
  • It prompts for the username only; net user /domain targets the domain the terminal server is joined to.
@echo off

REM Prompt for username
:uname

REM Clear uname first: SET /P leaves the variable unchanged on an empty entry.
REM If username is blank go to the error prompt, otherwise re-enable the account.
SET uname=
SET /P uname=Please enter username: 
IF "%uname%"=="" (goto uNameError) else (goto unlockAccount)

:unlockAccount
REM /active:yes re-enables a disabled account in the domain this server is joined to.
REM It does not clear a lockout caused by bad password attempts.
net user "%uname%" /domain /active:yes
REM Show net user's result before the menu clears the screen
PAUSE
goto end

REM Username is blank error message
:uNameError
ECHO You did not enter a username.
SET unameretry=
SET /P unameretry=Retry? (y, then enter or press enter to exit):
IF /i "%unameretry%"=="y" (goto uname) else (goto end)

:end
REM Return to the menu (started without CALL, so this script hands control over)
"C:\AD Scripts\usermgmt.cmd"
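The same three operations with the ActiveDirectory cmdlets, as an added example that is not part of the original article. It covers what the net user scripts above cannot: the new password is read as a SecureString and handed to Set-ADAccountPassword in-process rather than on a command line; a real lockout is cleared with Unlock-ADAccount, separately from re-enabling a disabled account (the delegation wizard's password-reset task does not grant the lockoutTime write this needs); and -Server targets a chosen domain controller, so a second domain can be managed from the same terminal server. The $Server default and the prompts are assumed placeholders; the terminal server needs the RSAT ActiveDirectory module, and the script can be published as a RemoteApp the same way as usermgmt.cmd.

```powershell
# Added example, not from the original article: the menu tools with AD cmdlets.
# Assumption: $Server below is a placeholder for a DC (or the domain name) to target.
Import-Module ActiveDirectory

function Invoke-UserAction {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('Disable', 'Enable', 'Unlock', 'ResetPassword')][string]$Action,
        [string]$Server = 'dc1.corp.example'   # assumed placeholder
    )
    # Resolve the account first so a typo fails here, before any change is attempted
    $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties Enabled, LockedOut

    switch ($Action) {
        'Disable' { Disable-ADAccount -Identity $user -Server $Server }   # net user /active:no
        'Enable'  { Enable-ADAccount  -Identity $user -Server $Server }   # net user /active:yes
        'Unlock'  {
            # A lockout (bad password attempts) is separate from the disabled flag;
            # break leaves the switch so the current state is still shown below
            if (-not $user.LockedOut) { Write-Warning "$SamAccountName is not locked out."; break }
            Unlock-ADAccount -Identity $user -Server $Server
        }
        'ResetPassword' {
            # Read twice, masked. The comparison happens in this process's memory;
            # the value is never placed on a command line or in an environment variable.
            $p1 = Read-Host 'New password' -AsSecureString
            $p2 = Read-Host 'Retype new password' -AsSecureString
            $plain1 = [System.Net.NetworkCredential]::new('', $p1).Password
            $plain2 = [System.Net.NetworkCredential]::new('', $p2).Password
            if ($plain1 -cne $plain2) { throw 'Passwords do not match.' }
            Set-ADAccountPassword -Identity $user -Server $Server -Reset -NewPassword $p1
            Set-ADUser -Identity $user -Server $Server -ChangePasswordAtLogon $true   # /logonpasswordchg:yes
        }
    }
    # Show the resulting state so the operator sees what changed
    Get-ADUser -Identity $user -Server $Server -Properties Enabled, LockedOut, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet
}

# Menu loop mirroring usermgmt.cmd, with the lockout case as its own item
$map = @{ '1' = 'Disable'; '2' = 'Enable'; '3' = 'Unlock'; '4' = 'ResetPassword' }
while ($true) {
    $choice = Read-Host '1 Disable  2 Enable  3 Unlock (clear lockout)  4 Reset password  5 Exit'
    if ($choice -eq '5') { break }
    if (-not $map.ContainsKey($choice)) { continue }
    $sam = Read-Host 'Username'
    try   { Invoke-UserAction -SamAccountName $sam -Action $map[$choice] | Format-Table -AutoSize }
    catch { Write-Warning $_.Exception.Message }   # e.g. access denied when delegation is incomplete
}
```

Unlike net user, which needs the reset and the enable as one command, each cmdlet call here maps to one delegated right, so an "access denied" from one of them tells you exactly which ACE is missing on the OU.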

 