Chuckbuchan
asked on
Retrieve a user password through logon script
Some users in the network , when first created in the AD, the option that says "Users Must Change Password at next Log On"
was not ticked, so many of them are still using the default password they got the first time.
Now we would like to have a script (logon script)that tests if the password =the default and the age is greater than 02 days then the user name will be written to a text file. That way we can tell which of the people have that default password for more than 02 days.
Thanks
was not ticked, so many of them are still using the default password they got the first time.
Now we would like to have a script (logon script)that tests if the password =the default and the age is greater than 02 days then the user name will be written to a text file. That way we can tell which of the people have that default password for more than 02 days.
Thanks
You're not going to be able to do that via login script - that would be a security risk. You could get software like "LC5" (L0pht Crack 5) from Symantec (website I think still answers at www.atstake.com. It can do audits of your passwords on the network. But it won't tell you how old they are. For that, you'd need to query Active Directory.
have a look at this article:
http://www.winnetmag.com/WindowsScripting/Article/ArticleID/40885/40885.html
(you may need a subscription, but this magazine is WELL WORTH THE $50/year - one of the few).
http://www.winnetmag.com/WindowsScripting/Article/ArticleID/40885/40885.html
(you may need a subscription, but this magazine is WELL WORTH THE $50/year - one of the few).
Incidentally, the article I post talks about disabling accounts based on lastlogon attribute - but it may be contain info for doing what you ask.
ASKER
As an alternative to this question, I would like to have a script that queries Active directory and writes to a text file all user accounts created on a certain date.
Example user accounts created after 11/01/2004
thanks
Example user accounts created after 11/01/2004
thanks
Why reinvent the stone when someone has already done it for you.
Get userdump from here:
http://www.joeware.net/win/free/tools/userdump.htm
Run it against a domain controller:
userdump servername
And it will tell you what you need to know.
Simon.
Get userdump from here:
http://www.joeware.net/win/free/tools/userdump.htm
Run it against a domain controller:
userdump servername
And it will tell you what you need to know.
Simon.
ASKER
What does the dumpuser do. I downloaded it but don't know what it does.
Open a command prompt in the same directory as where you have put the file extracted from the zip file.
Then enter the command
userdump servername
Where servername is a domain controller.
And it will display a table for you.
Simon.
Then enter the command
userdump servername
Where servername is a domain controller.
And it will display a table for you.
Simon.
ASKER
whenever I run this command from the same directroy as userdump file is located , it says 'UserDump' is not recognized as an internal or external command, operable program or batch file.
See:
http://support.microsoft.com/default.aspx/kb/241215?
Userdump is part of the OEM support tools package and may not be installed on your computer - if/when it is, it may not be included in your path - read the documentation for the program at the link I provided above for more details.
http://support.microsoft.com/default.aspx/kb/241215?
Userdump is part of the OEM support tools package and may not be installed on your computer - if/when it is, it may not be included in your path - read the documentation for the program at the link I provided above for more details.
You have extracted it from the zip file that was downloaded? It should be a file called userdump.exe
Simon.
Simon.
I am not sure what you want to achieve. From the question I would think you want to make sure everybody eventually has a pw which is diiferent from the default one ?
Another way to go might be to set the domain policy for security/account/passwords . Here you set the maximum time fo passwords initially on 1 day. This forces the users to change their passwords the next day.
If you would like you can in the same place set other parameters like,
pw complexity
duration
length
And restrict usage of old pw's
Hope this will be of help
Goodluck
Ray
Another way to go might be to set the domain policy for security/account/passwords
If you would like you can in the same place set other parameters like,
pw complexity
duration
length
And restrict usage of old pw's
Hope this will be of help
Goodluck
Ray
ASKER
Since it's not possible to get the password used by a user for security purposes, I would like to get the Date that the user account is created, by querying the AD
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.