Solved

Retrieve a user password through logon script

Posted on 2004-11-18
Last Modified: 2012-08-13
For some users in the network, when they were first created in the AD, the option that says "Users Must Change Password at next Log On" was not ticked, so many of them are still using the default password they got the first time.
Now we would like to have a script (logon script) that tests if the password = the default and the age is greater than 02 days; then the user name will be written to a text file. That way we can tell which of the people have had that default password for more than 02 days.

Thanks
Question by:Chuckbuchan
13 Comments
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12617088
You're not going to be able to do that via login script - that would be a security risk. You could get software like "LC5" (L0pht Crack 5) from Symantec (website I think still answers at www.atstake.com). It can do audits of your passwords on the network. But it won't tell you how old they are. For that, you'd need to query Active Directory.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12617110
Have a look at this article:
http://www.winnetmag.com/WindowsScripting/Article/ArticleID/40885/40885.html
(you may need a subscription, but this magazine is WELL WORTH THE $50/year - one of the few).  
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12617120
Incidentally, the article I posted talks about disabling accounts based on the lastlogon attribute - but it may contain info for doing what you ask.
0

 

Author Comment

by:Chuckbuchan
ID: 12618729
As an alternative to this question, I would like to have a script that queries Active directory and writes to a text file all user accounts created on a certain date.

Example user accounts created after 11/01/2004

thanks
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12619491
Why reinvent the stone when someone has already done it for you?

Get userdump from here:
http://www.joeware.net/win/free/tools/userdump.htm

Run it against a domain controller:

userdump servername

And it will tell you what you need to know.

Simon.
0
 

Author Comment

by:Chuckbuchan
ID: 12626980
What does the dumpuser do? I downloaded it but don't know what it does.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12627236
Open a command prompt in the same directory as where you have put the file extracted from the zip file.

Then enter the command

userdump servername

Where servername is a domain controller.

And it will display a table for you.

Simon.
0
 

Author Comment

by:Chuckbuchan
ID: 12629723
Whenever I run this command from the same directory as the userdump file is located, it says 'UserDump' is not recognized as an internal or external command, operable program or batch file.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12629803
See:
http://support.microsoft.com/default.aspx/kb/241215?

Userdump is part of the OEM support tools package and may not be installed on your computer - if/when it is, it may not be included in your path - read the documentation for the program at the link I provided above for more details.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12629920
You have extracted it from the zip file that was downloaded? It should be a file called userdump.exe

Simon.
0
 
LVL 1

Expert Comment

by:Dustbak
ID: 12633100
I am not sure what you want to achieve. From the question I would think you want to make sure everybody eventually has a pw which is different from the default one?

Another way to go might be to set the domain policy for security/account/passwords. Here you set the maximum time for passwords initially on 1 day. This forces the users to change their passwords the next day.

If you would like you can in the same place set other parameters like,

pw complexity
duration
length

And restrict usage of old pw's

Hope this will be of help

Good luck
Ray
0
 

Author Comment

by:Chuckbuchan
ID: 12699697
Since it's not possible to get the password used by a user for security purposes, I would like to get the Date that the user account is created, by querying the AD
0
 
LVL 17

Accepted Solution

by:
jburgaard earned 1500 total points
ID: 12880100
As I understand - correct me if wrong - you want to deal with the 'first' users, who have not yet changed password, and make them do so. How this is done is less important?

If that is the case, I would suggest making a 'DSQUERY' to find those users.
As the next step eventually pipe the output from such a query to
'DSMOD' to make an attribute change, so the selected "Users Must Change Password at next Log On"

dsquery user "OU=gl,DC=qwe,DC=dimsedut,DC=com" -stalepwd 15|dsmod user -mustchpwd yes

Here dsquery finds users in the OU named gl in the domain qwe.dimsedut.com
who have not changed password in more than 15 days;
dsmod changes the "Users Must Change Password at next Log On" attribute for these users to 'yes'.


0
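The accepted answer's dsquery/dsmod step and the asker's request for accounts by creation date, combined as an added PowerShell example (not code from the original thread). It assumes the ActiveDirectory module is installed; the cut-off date, the five-minute tolerance and the report path are assumptions, and a password is treated as "initial" when its last-set time is within that tolerance of the account's creation time, which shows the password was never changed but cannot prove it equals the default.

```powershell
# Added example: report enabled accounts whose password has not been changed
# since the account was created. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# --- Assumptions: adjust to your environment ---
$SearchBase   = 'OU=gl,DC=qwe,DC=dimsedut,DC=com'  # OU used in the answer above
$CreatedAfter = [datetime]'2004-11-01'             # "11/01/2004" read as 1 November 2004
$MinAgeDays   = 2                                  # "greater than 02 days" from the question
$SlackMinutes = 5                                  # constructed tolerance between creation and first password set
$ReportPath   = '.\initial-password-users.txt'     # hypothetical output file

$now = Get-Date

# whenCreated and PasswordLastSet are not returned by default, so request them.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties whenCreated, PasswordLastSet

$flagged = $users | Where-Object {
    # Account created on or after the cut-off date
    $_.whenCreated -ge $CreatedAfter -and
    # Account has existed longer than the grace period
    ($now - $_.whenCreated).TotalDays -gt $MinAgeDays -and
    # PasswordLastSet is empty when "must change at next logon" is already
    # set (pwdLastSet = 0); those accounts need no further action.
    $null -ne $_.PasswordLastSet -and
    # Password was set at creation time and never again
    [math]::Abs(($_.PasswordLastSet - $_.whenCreated).TotalMinutes) -le $SlackMinutes
}

# Write one tab-separated line per account: name, created, password last set.
$flagged | Sort-Object whenCreated | ForEach-Object {
    "{0}`t{1:yyyy-MM-dd HH:mm}`t{2:yyyy-MM-dd HH:mm}" -f `
        $_.SamAccountName, $_.whenCreated, $_.PasswordLastSet
} | Set-Content -Path $ReportPath -Encoding ASCII

# Same effect as "dsmod user -mustchpwd yes"; -WhatIf only previews the change.
$flagged | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Remove `-WhatIf` once the report has been reviewed; accounts flagged "password never expires" must have that flag cleared before the change is accepted.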
