Solved

Run .vbs over network, Active Directory Password Change

Posted on 2006-06-13
Last Modified: 2008-05-30
I have a problem with the following vb script:

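===Start changepw.vbs===========================================================
Dim ArgObj, user, pwd, new_pwd, ldap, RootDSE, DomainADsPath, domain
Dim objconn, objcommand, objrecordset, reject, usr, authentication_server
Dim objRootDSE
Dim minpwdlength
Dim dn, dnval
Set ArgObj = WScript.Arguments

'Example usage (the ADSI provider name "LDAP" must be upper case):
'wscript changepw.vbs username password newpassword LDAP://9.173.216.83:389/
'Note: the old and new passwords are passed as command-line arguments.
if ArgObj.Count < 4 then
      wscript.echo("Usage: changepw.vbs username password newpassword LDAP://0.0.0.0:000/")
      wscript.quit 1
end if
user = ArgObj(0)
pwd  = ArgObj(1)
new_pwd = ArgObj(2)
LDAP = ArgObj(3)

'Crude check that the fourth argument starts with an upper-case "L" (Asc = 76)
if Asc(LDAP) <> 76 then
      wscript.echo("Usage: changepw.vbs username password newpassword LDAP://0.0.0.0:000/")
else
      startpwchange()
end if


sub startpwchange()
      'Bind to RootDSE to find the domain's default naming context
      set objRootDSE = GetObject(LDAP & "RootDSE")
      DomainADsPath= LDAP & objRootDSE.Get("defaultNamingContext")
      set domain = GetObject(DomainADsPath)

      domain.GetInfoex Array("minPwdLength"),0
      
      set objconn =CreateObject("ADODB.Connection")
      set objcommand= CreateObject("ADODB.Command")
      
      objconn.Provider ="ADSDSOObject"
      objconn.open
      set objcommand.activeconnection = objconn
      
      'Look up the user's distinguishedName; the name is escaped before it goes into the filter
      objcommand.CommandText = "<" & domainADspath & ">;(&(objectclass=user)(samaccountname=" & EscapeFilter(user) &"));distinguishedName;subtree"
      set objrecordset=objcommand.Execute
      if objrecordset.EOF then
            wscript.echo("Code 2: Invalid username/password")
      else
            dnval = objrecordset.Fields("distinguishedName")
            if isArray(dnval) then
                  dn = dnval(0)
            else
                  dn = dnval
            end if
            'Errors are checked by hand from here on, so the bind failure below can be reported
            on error resume next
            set usr = Getobject(LDAP & dn)
            if err.number <> 0 then
                  if hex(Err.Number) = "800708AD" then
                        wscript.echo("Code 173: Invalid dn syntax")
                  else  
                        Adsierr hex(Err.Number),Err.Description
                  end if       
            else
                  wscript.echo("Got user object")
                  usr.changepassword pwd,new_pwd
                  'Any non-zero Err.Number is a failure, not only negative HRESULTs;
                  'otherwise a positive runtime error would be reported as success
                  if err.number <> 0 Then
                        wscript.echo("Code 1: Password change failed Code:" & err.number)
                        Select Case Hex(err.number)
                              case "80070775"
                                    wscript.echo("Code 117: Account is locked or disabled")
                              case "80070056"
                                    wscript.echo("Code 86: Password does not match minimum criteria")
                              case "800708C5"
                                    wscript.echo("Code 197: Password must be different from previous 4!")
                              case "D"
                                    wscript.echo("Code 13: Confidential connection required")
                              case else
                                    Adsierr hex(Err.Number),Err.Description
                        end select
                  else
                        wscript.echo("Code 0: Command Successful")
                  End If
            end if      
      end if            
end sub

'Escape the characters that have special meaning in an LDAP search filter
function EscapeFilter(ByVal value)
      value = Replace(value, "\", "\5c")
      value = Replace(value, "*", "\2a")
      value = Replace(value, "(", "\28")
      value = Replace(value, ")", "\29")
      EscapeFilter = value
end function

'Minimal stand-in: the script calls Adsierr, but the post does not include it
sub Adsierr(code, description)
      wscript.echo("ADSI error " & code & ": " & description)
end sub
===End changepw.vbs============================================================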

Okay, the script runs fine, perfect, well nearly.  I have the script running on a server on my network (WEB_B), if I run the script giving it the correct parameters it works.  What I'm trying to do is run the script from other machines in my network (e.g. WEB_A).  

So far I have:
- Set a network drive on WEB_A to point to the folder on WEB_B that has the vbscript, so I would call p:\changepw.vbs param1 param2 param3 param4
- Set permissions on the file so that the Everybody group has full control over the file
- Set permissions on the file so that the Server WEB_A has full control on the file

When I run the script I get the error code -2147023545.  Which when I looked up means Cannot Access Domain Info.  Now, IIS is running on WEB_B that holds the file, and when run locally it runs fine.  But over the network it doesn't like it, and I can't for the life of me work out why.

Please help!
Question by:Mr_Lenehan
10 Comments
 

Expert Comment

by:Krompton
ID: 16896773
Why are you trying to change passwords this way?
What OSes are being used?

Author Comment

by:Mr_Lenehan
ID: 16896828
I am using WebSphere to change passwords in Active Directory on 2000 Advanced Server.  Active Directory requires a security certificate to make changes from a non Microsoft product.

By using a vbs, Active Directory doesn't seem to care much about a certificate.  For some reason though, when the file is on WEB_B it works, when it's on WEB_A it doesn't. Even though they are on the same network, connecting to the same domain controller and using the same file.

So, I figured that if WEB_B can run the file and WEB_A can't, for whatever reason, then maybe I could get WEB_A to get WEB_B to run the file... thereby bypassing the problem.

Expert Comment

by:Krompton
ID: 16897198
It runs fine if copied to WEB_A and run locally?

Author Comment

by:Mr_Lenehan
ID: 16897399
no, it fails with error code -2147023545.

Expert Comment

by:Krompton
ID: 16901664
You said...
********************
So far I have:
- Set a network drive on WEB_A to point to the folder on WEB_B that has the vbscript, so I would call p:\changepw.vbs param1 param2 param3 param4
- Set permissions on the file so that the Everybody group has full control over the file
- Set permissions on the file so that the Server WEB_A has full control on the file

When I run the script I get the error code -2147023545.  Which when I looked up means Cannot Access Domain Info.  Now, IIS is running on WEB_B that holds the file, and when run locally it runs fine.  But over the network it doesn't like it, and I can't for the life of me work out why.
********************

Maybe I’m just being dense here but, just for clarification; this error occurs when attempting to run the script both from a local drive as well as a mapped drive?

If it does work from a local drive and just not a networked one we might be able to approach a solution from a different way. Otherwise you may try using PSExec.exe from Sysinternals (though I have never tried to use their tools on a machine running WebSphere).

Krompton

Author Comment

by:Mr_Lenehan
ID: 16903556
You are correct. It won't run on the local machine, this is why I'm trying to run it from a remote machine. Easiest for me would be for it to run from the local machine.

Author Comment

by:Mr_Lenehan
ID: 16903717
In short, I think WEB_A isn't set up correctly to run this vbs, the error message basically means that it thinks it has no access to the domain controller... even though it has been set up correctly and a java application can authenticate users from the server.

It was my thinking that if WEB_A couldn't do it, but WEB_B can, then it would be easier to get WEB_A to ask WEB_B to run the script and get WEB_A to do the work.

The way I have WebSphere set up allows me to call cmd.exe as System or Admin and pass it the params I want running.  At the moment I'm just running off of cmd directly until I get it working.  When I have it working I'll start to play around with getting WebSphere to run it properly which is something I'm familiar with.

Ideally if there was a way to get this script to run on WEB_A I'd do it.  But safe to say this isn't happening which is why I'm attempting this round-about way of doing things.

Accepted Solution

by:
Krompton earned 500 total points
ID: 16903790
I agree that would certainly be easiest. :) Just wanted to make sure I understood you correctly.

Though I have a fair amount of knowledge of scripting and such, I personally have not used WebSphere so I can really only provide educated guesses. I also agree that it sounds like a setting difference between the two servers.

There are probably other folks here who could help more. If PSExec won’t work for you (kinda like what you're doing now though), you may want to repost this question adding “WebSphere Question” or something like that to the title. You will get posts from those likely to know more than I about WebSphere.

Good Luck,
Krompton

Author Comment

by:Mr_Lenehan
ID: 16951220
It turns out it was an OS problem not WebSphere.  My Windows server that was running WebSphere had not been correctly joined to the domain.... this meant the domain controller could never be found hence the shifily unhelpful error message.

So the solution was: disconnect server from domain > rejoin using admin privileges > job done.

Expert Comment

by:Krompton
ID: 16951396
Glad you got it straightened out. Now you can do it the easy way, eh? :)
0
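
The thread was resolved once error -2147023545 was traced to the server's broken domain membership. As an added example (not part of the original thread or the poster's script), this Python sketch decodes the signed Err.Number values and the Hex() strings that changepw.vbs compares against into HRESULT fields and Win32 error names. The KNOWN_CODES table layout and its triage categories are assumptions made for this illustration.

```python
"""Decode VBScript Err.Number values seen in this thread (added example)."""

FACILITY_WIN32 = 7  # HRESULT facility used when a Win32 error code is wrapped

# Win32 / NetAPI codes behind the values on this page (winerror.h / lmerr.h names).
# The triage category per code is this example's assumption, not a Windows API.
KNOWN_CODES = {
    86: ("ERROR_INVALID_PASSWORD", "credential"),
    1351: ("ERROR_CANT_ACCESS_DOMAIN_INFO", "host-domain-trust"),
    1909: ("ERROR_ACCOUNT_LOCKED_OUT", "account"),
    2221: ("NERR_UserNotFound", "account"),
    2245: ("NERR_PasswordTooShort", "policy"),
}


def decode(err_number):
    """Split an Err.Number (signed or unsigned 32-bit int) into HRESULT fields."""
    h = err_number & 0xFFFFFFFF        # VBScript shows failure HRESULTs as negative Longs
    failure = bool(h >> 31)            # severity bit
    facility = (h >> 16) & 0x7FF
    code = h & 0xFFFF
    name, category = None, "unknown"
    if failure and facility == FACILITY_WIN32:
        name, category = KNOWN_CODES.get(code, (None, "unknown"))
    return {"hresult": "0x%08X" % h, "failure": failure, "facility": facility,
            "code": code, "name": name, "category": category}


def decode_hex(hex_text):
    """Decode the string form the script compares against, i.e. Hex(Err.Number)."""
    return decode(int(hex_text, 16))


def triage(err_number):
    """One-line summary suitable for a log entry."""
    d = decode(err_number)
    if not d["failure"]:
        return "%s: not a failure HRESULT (plain runtime error %d)" % (d["hresult"], d["code"])
    return "%s: facility %d code %d %s [%s]" % (
        d["hresult"], d["facility"], d["code"], d["name"] or "?", d["category"])


if __name__ == "__main__":
    # Constructed sample: the value reported in the question plus the script's Case labels.
    print(triage(-2147023545))
    for label in ("80070775", "80070056", "800708C5", "800708AD", "D"):
        print(label, "->", decode_hex(label))
```

A code in the "host-domain-trust" category points at the machine running the script rather than at the user's credentials, which is where the fix in this thread was found.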
