
AD Management

I consult for and manage a number of small businesses that have no IT staff, and whose staff could do some serious damage if they were given the ADUC interface.  Sure, I can delegate rights and still give them access to ADUC, but I truly believe that less is best.  

You may already know these command-line tools.  All I have done is wrap them in .cmd scripts, and since the environments have terminal servers, I created .rdp files so all the delegated users have to do is launch the scripts and get to the tools they need for basic day-to-day user management.

The way this works:
  1. Place the scripts below in a directory your delegated users can read.  I used C:\AD Scripts.  Give them read and execute only: anyone who can modify the scripts can run whatever they like with the rights of the session that launches them.
  2. Publish usermgmt.cmd as a RemoteApp, create the .RDP file and share it with your local power users.
  3. Use the AD Delegation of Control wizard to grant those users the right to reset passwords (and, for the lock and unlock items, to enable and disable accounts) on the OUs they look after.  The scripts carry no rights of their own; every net user call runs as the logged-on user, so someone without the delegated rights simply gets "Access is denied".
I hope this helps anyone who consults for and supports small businesses as I do.
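Step 3 can also be done from a PowerShell prompt with dsacls.exe instead of the wizard, which makes it easy to see and audit exactly which rights the three menu items need.  This is an added example, not code from the original article; the OU and group names are placeholders to substitute with your own.

```powershell
# Added example, not from the original article: step 3 done with dsacls.exe instead of
# the Delegation of Control wizard, granting only the rights the three menu items need.
# The OU and group names below are placeholders; substitute your own.
$ou    = 'OU=Staff,DC=corp,DC=example'
$group = 'CORP\HelpDesk-UserMgmt'

# Reset Password control-access right plus write to pwdLastSet: what the wizard's
# "Reset user passwords and force password change at next logon" task grants.
# /I:S = apply to child objects only; the trailing ";user" limits the ACE to user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Enable/disable (net user /active:yes|no) writes userAccountControl.
dsacls $ou /I:S /G "${group}:RPWP;userAccountControl;user"

# Clearing a real lockout needs write access to lockoutTime. net user cannot clear a
# lockout, but Unlock-ADAccount or ADUC can once this right is granted.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Check what ended up on the OU; every line naming the group should be one of the four ACEs above.
dsacls $ou | Select-String -SimpleMatch 'HelpDesk-UserMgmt'
```

Run this once as an account that can modify the OU's security descriptor (a domain admin, typically).  Nothing in the scripts themselves changes; they keep running as whoever launched the RemoteApp, and these ACEs are what decide whether a given net user call succeeds.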

The main user management script.  Copy this into a file named usermgmt.cmd:
  • This script has four menu items: Lock AD Account, Unlock AD Account, Change AD Password and Exit.
  • In the ECHO line that reads "for any questions please send an email to", replace the placeholder with your IT support contact information, such as your email address or telephone number.
  • "Lock" and "Unlock" here disable and re-enable the account (net user /active:no and /active:yes).  They do not clear an Active Directory lockout caused by bad password attempts; net user has no switch for that.
 
 
@echo off
CLS
:MENU
ECHO.
ECHO ...............................................
ECHO ..Please select an option
REM Do not use < or > in the line below: cmd treats them as redirection, not text
ECHO ..for any questions please send an email to [place your support contact info here]
ECHO ...............................................
ECHO.
ECHO 1 - Lock Active Directory Account
ECHO 2 - Unlock Active Directory Account
ECHO 3 - Change Active Directory Password
ECHO 4 - Exit User Management
ECHO.
ECHO.
SET M=
SET /P M=Type 1, 2, 3 or 4 then press ENTER: 
REM Quote both sides so an empty entry does not break the IF; anything unrecognised redisplays the menu
IF "%M%"=="1" GOTO LockAcct
IF "%M%"=="2" GOTO UnlockAcct
IF "%M%"=="3" GOTO ChangePwd
IF "%M%"=="4" GOTO :EOF
GOTO MENU

REM Each sub-script is run without CALL, so it replaces this script and chains
REM back to usermgmt.cmd itself when it finishes; nothing falls through here.
:LockAcct
"C:\AD Scripts\lockacct.cmd"
:UnlockAcct
"C:\AD Scripts\unlockacct.cmd"
:ChangePwd
"C:\AD Scripts\changepwd.cmd"




The Change Password script:

  • Copy this into a file named changepwd.cmd
  • This script lets your power users reset an AD password.  It prompts for the username and the new password (the password prompt is masked), then runs net user with /DOMAIN, which performs the change on a domain controller of the domain the terminal server belongs to, and sets the account to require a password change at next logon.
  • net user has no switch for naming a different domain (/DOMAIN always means the current one), so to manage more than one domain, run the script from a server joined to each domain, or use the ActiveDirectory PowerShell cmdlets with -Server.
  • Note the /Active:Yes switch: a password reset also re-enables a disabled account.  Remove it if you do not want the help desk to be able to re-enable accounts this way.
  • The new password ends up on the net user command line, where process-creation auditing (Event 4688 with command-line logging, or Sysmon Event ID 1) records it in clear text.  Treat it as a temporary password; /logonpasswordchg:yes forces the user to replace it at first logon.
  • Passwords containing characters cmd treats specially (%, !, ", ^, &, |) will not survive the batch parser, so choose a temporary password without them.

@echo off

REM Prompt for username
:uname
SET uname=
SET /P uname=Please enter username: 
REM If username is blank go to the error prompt, otherwise prompt for the new password
IF "%uname%"=="" (goto uNameError) else (goto password)

REM Prompt for password
:password
REM Read the password through PowerShell so it is masked while typed
set "psCommand=powershell -Command "$pword = read-host 'Enter Password' -AsSecureString ; ^
    $BSTR=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pword); ^
        [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)""
set passwd=
for /f "usebackq delims=" %%p in (`%psCommand%`) do set passwd=%%p
REM If password is blank go to the error prompt, otherwise change it
IF "%passwd%"=="" (goto passwdError) else (goto changePass)

:changePass
REM /DOMAIN runs the change on a domain controller of this machine's domain.
REM /Active:Yes also re-enables the account; /logonpasswordchg:yes forces a change at next logon.
REM The new password is visible in this command line to anyone auditing process creation.
net user "%uname%" "%passwd%" /DOMAIN /Active:Yes /logonpasswordchg:yes
goto end

REM Username is blank error message
:uNameError
ECHO You did not enter a username.
SET unameretry=
SET /P unameretry=Retry? (y, then enter or press enter to exit): 
IF /i "%unameretry%"=="y" (goto uname) else (goto end)

REM Password is blank error message
:passwdError
ECHO You did not enter a password.
SET passRetry=
SET /P passRetry=Retry? (y, then enter or press enter to exit): 
IF /i "%passRetry%"=="y" (goto password) else (goto end)

:end
REM Clear the password from the environment, then hand back to the menu.
REM Run without CALL: this script ends here and usermgmt.cmd takes over.
SET passwd=
"C:\AD Scripts\usermgmt.cmd"



Lock Account:

  • Copy this into a file named lockacct.cmd (the name usermgmt.cmd expects)
  • This script disables a user account (net user /active:no), which stops the user from logging on.  It prompts for the username only.
  • The same note on domains applies: /DOMAIN acts on the domain the terminal server belongs to, and net user cannot be pointed at another domain by name.

@echo off

REM Prompt for username
:uname
SET uname=
SET /P uname=Please enter username: 
REM If username is blank go to the error prompt, otherwise disable the account
IF "%uname%"=="" (goto uNameError) else (goto lockAccount)

:lockAccount
REM /DOMAIN: act on a domain controller of this machine's domain. /active:no disables the account.
net user "%uname%" /DOMAIN /active:no
goto end

REM Username is blank error message
:uNameError
ECHO You did not enter a username.
SET unameretry=
SET /P unameretry=Retry? (y, then enter or press enter to exit): 
IF /i "%unameretry%"=="y" (goto uname) else (goto end)

:end
REM Run without CALL: this script ends here and usermgmt.cmd takes over
"C:\AD Scripts\usermgmt.cmd"




Unlock Account:

  • Copy the lines below to a file named unlockacct.cmd
  • This script re-enables a disabled user account (net user /active:yes).  It prompts for the username only.
  • It does not clear an Active Directory account lockout (the lockoutTime attribute set after too many bad passwords).  net user has no switch for that, so a genuinely locked-out user still needs Unlock-ADAccount or ADUC.
  • The same note on domains applies: /DOMAIN acts on the domain the terminal server belongs to.

@echo off

REM Prompt for username
:uname
SET uname=
SET /P uname=Please enter username: 
REM If username is blank go to the error prompt, otherwise re-enable the account
IF "%uname%"=="" (goto uNameError) else (goto unlockAccount)

:unlockAccount
REM /DOMAIN: act on a domain controller of this machine's domain. /active:yes re-enables the account.
REM This does not clear a bad-password lockout; net user cannot do that.
net user "%uname%" /DOMAIN /active:yes
goto end

REM Username is blank error message
:uNameError
ECHO You did not enter a username.
SET unameretry=
SET /P unameretry=Retry? (y, then enter or press enter to exit): 
IF /i "%unameretry%"=="y" (goto uname) else (goto end)

:end
REM Run without CALL: this script ends here and usermgmt.cmd takes over
"C:\AD Scripts\usermgmt.cmd"
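The three batch scripts above all shell out to net user, which has three limits worth knowing: the new password goes on a command line, there is no way to name another domain, and a real lockout cannot be cleared.  Below is the same menu rewritten with the ActiveDirectory module, as an added example rather than the article's own code.  It assumes RSAT (the ActiveDirectory PowerShell module) is installed on the terminal server; it still runs as the logged-on user, so the delegated rights decide what succeeds.

```powershell
# Added example, not the article's own code: the same three menu items rewritten with
# the ActiveDirectory module (RSAT), which is assumed to be installed on the terminal
# server. Runs as the logged-on user, so the delegated rights still decide what works.
Import-Module ActiveDirectory

function Get-TargetUser {
    # Resolve the typed name to one user object and show its state before changing anything.
    $name = Read-Host 'Username (sAMAccountName)'
    if ([string]::IsNullOrWhiteSpace($name)) { throw 'No username entered.' }
    # -Identity resolves the sAMAccountName exactly; a typo fails here instead of
    # acting on the wrong account.
    Get-ADUser -Identity $name -Properties LockedOut, Enabled
}

function Invoke-MenuChoice {
    param([string]$Choice, $User)
    switch ($Choice) {
        '1' {
            # The batch "Lock" item: disable the account (userAccountControl), not an AD lockout.
            Disable-ADAccount -Identity $User
            "Disabled $($User.SamAccountName)"
        }
        '2' {
            Enable-ADAccount -Identity $User
            # net user /active:yes does not clear a bad-password lockout; Unlock-ADAccount does.
            Unlock-ADAccount -Identity $User
            "Enabled and unlocked $($User.SamAccountName)"
        }
        '3' {
            # Read-Host -AsSecureString keeps the password out of any command line, so it
            # never appears in 4688 / Sysmon process-creation logs the way net user's does.
            $pw = Read-Host 'New temporary password' -AsSecureString
            Set-ADAccountPassword -Identity $User -Reset -NewPassword $pw
            # Same effect as net user /logonpasswordchg:yes
            Set-ADUser -Identity $User -ChangePasswordAtLogon $true
            "Password reset for $($User.SamAccountName); must be changed at next logon"
        }
        default { throw "Unknown choice '$Choice'" }
    }
}

while ($true) {
    Write-Host "`n1 - Disable account`n2 - Enable / unlock account`n3 - Reset password`n4 - Exit"
    $choice = Read-Host 'Type 1, 2, 3 or 4'
    if ($choice -eq '4') { break }
    try {
        $user = Get-TargetUser
        Write-Host ('{0}  Enabled={1}  LockedOut={2}' -f $user.SamAccountName, $user.Enabled, $user.LockedOut)
        Write-Host (Invoke-MenuChoice -Choice $choice -User $user)
    } catch {
        # Typical failures: unknown user, "Access is denied" (no delegated right), password rejected by policy
        Write-Warning $_.Exception.Message
    }
}
```

To manage a second domain, which the batch version's domain prompt could not do, add -Server with a domain controller of that domain to each cmdlet (Get-ADUser, Disable-ADAccount, Set-ADAccountPassword and so on all accept it).  Published as a RemoteApp, the launch command becomes powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\AD Scripts\usermgmt.ps1", with the same read-only permissions on the script directory as before.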


 
Author: nappy_d
