Solved

Run .vbs over network, Active Directory Password Change

Posted on 2006-06-13
Last Modified: 2008-05-30
I have a problem with the following vb script:

===Start changepw.vbs===========================================================
Dim ArgObj, user, pwd, new_pwd, ldap, RootDSE, DomainADsPath, domain
Dim objconn, objcommand, objrecordset, reject, usr, authentication_server
Dim objRootDSE
Dim minpwdlength
Dim dn, dnval
Set ArgObj = WScript.Arguments

'Example usage:
'wscript changepw.vbs username password newpassword LDAP://9.173.216.83:389/
'All four arguments are required, so check the count before reading them.
if ArgObj.Count < 4 then
      wscript.echo("Usage: changepw.vbs username password newpassword LDAP://0.0.0.0:000/")
      wscript.quit 1
end if
user = ArgObj(0)
pwd  = ArgObj(1)
new_pwd = ArgObj(2)
LDAP = ArgObj(3)

'The ADSI provider name is case-sensitive: the path must start with an upper-case "L" (Asc = 76).
if Asc(LDAP) <> 76 then
      wscript.echo("Usage: changepw.vbs username password newpassword LDAP://0.0.0.0:000/")
else
      startpwchange()
end if


sub startpwchange()
      'Bind to the directory root and read the domain's naming context.
      set objRootDSE = GetObject(LDAP & "RootDSE")
      DomainADsPath= LDAP & objRootDSE.Get("defaultNamingContext")
      set domain = GetObject(DomainADsPath)

      domain.GetInfoex Array("minPwdLength"),0
      
      set objconn =CreateObject("ADODB.Connection")
      set objcommand= CreateObject("ADODB.Command")
      
      objconn.Provider ="ADSDSOObject"
      objconn.open
      set objcommand.activeconnection = objconn
      
      'Look up the user's distinguishedName by sAMAccountName.
      objcommand.CommandText = "<" & domainADspath & ">;(&(objectclass=user)(samaccountname=" & user &"));distinguishedName;subtree"
      set objrecordset=objcommand.Execute
      if objrecordset.EOF then
            wscript.echo("Code 2: Invalid username/password")
      else
            dnval = objrecordset.Fields("distinguishedName")
            if isArray(dnval) then
                  dn = dnval(0)
            else
                  dn = dnval
            end if
            'Trap errors before binding; otherwise a failed bind aborts the script
            'and the err.number check below is never reached.
            on error resume next
            set usr = Getobject(LDAP & dn)
            if err.number <> 0 then
                  if hex(Err.Number) = "800708AD" then
                        wscript.echo("Code 173: Invalid dn syntax")
                  else  
                        Adsierr hex(Err.Number),Err.Description
                  end if       
            else
                  wscript.echo("Got user object")
                  err.clear
                  usr.changepassword pwd,new_pwd
                  'Any non-zero error is a failure; testing only for negative values
                  'would report success on a positive error number such as 13.
                  if err.number <> 0 Then
                        wscript.echo("Code 1: Password change failed Code:" & err.number)
                     Select Case Hex(err.number)
                        case "80070775" : wscript.echo("Code 117: Account is locked or disabled")
                        case "80070056" : wscript.echo("Code 86: Password does not match minimum criteria")
                        case "800708C5" : wscript.echo("Code 197: Password must be different from previous 4!")
                        case "D" : wscript.echo("Code 13: Confidential connection required")
                        case else : Adsierr hex(Err.Number),Err.Description
                     end select
                  else
                        wscript.echo("Code 0: Command Successful")
                  End If
            end if      
      end if            
end sub

'Adsierr is called above but was not included in the post;
'this minimal stand-in only reports the error.
sub Adsierr(errhex, errdesc)
      wscript.echo("ADSI error 0x" & errhex & ": " & errdesc)
end sub
===End changepw.vbs============================================================

Okay, the script runs fine, perfect, well nearly.  I have the script running on a server on my network (WEB_B), if I run the script giving it the correct parameters it works.  What I'm trying to do is run the script from other machines in my network (e.g. WEB_A).  

So far I have:
- Set a network drive on WEB_A to point to the folder on WEB_B that has the vbscript, so I would call p:\changepw.vbs param1 param2 param3 param4
- Set permissions on the file so that the Everybody group has full control over the file
- Set permissions on the file so that the Server WEB_A has full control on the file

When I run the script I get the error code -2147023545.  Which when I looked up means Cannot Access Domain Info.  Now, IIS is running on WEB_B that holds the file, and when run locally it runs fine.  But over the network it doesn't like it, and I can't for the life of me work out why.

Please help!
Question by:Mr_Lenehan
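
The script's ADO query concatenates the user argument directly into the LDAP filter, so characters such as "*", "(" and ";" in the supplied name change the query itself. As an added example (not part of the original post), one way to validate and escape the name before building the command text; the function names and the sample base path are hypothetical.

```vbscript
Option Explicit
' Characters Active Directory does not allow in a sAMAccountName.
Const SAM_FORBIDDEN = """/\[]:;|=,+*?<>"

' True for a 1-20 character name with no control or forbidden characters
' (this also keeps out the ";" and ">" that delimit an ADO LDAP command).
Function IsValidSamAccountName(ByVal name)
    Dim i, ch
    IsValidSamAccountName = False
    If Len(name) < 1 Or Len(name) > 20 Then Exit Function
    For i = 1 To Len(name)
        ch = Mid(name, i, 1)
        If AscW(ch) >= 0 And AscW(ch) < 32 Then Exit Function
        If InStr(SAM_FORBIDDEN, ch) > 0 Then Exit Function
    Next
    IsValidSamAccountName = True
End Function

' RFC 4515 escaping for a value placed inside an LDAP search filter.
Function EscapeLdapFilterValue(ByVal value)
    Dim i, ch, out
    out = ""
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        Select Case ch
            Case "\" : out = out & "\5c"
            Case "*" : out = out & "\2a"
            Case "(" : out = out & "\28"
            Case ")" : out = out & "\29"
            Case Chr(0) : out = out & "\00"
            Case Else : out = out & ch
        End Select
    Next
    EscapeLdapFilterValue = out
End Function

' Builds the command text for the lookup; returns "" when the name is rejected.
Function BuildUserQuery(ByVal basePath, ByVal samName)
    BuildUserQuery = ""
    If Not IsValidSamAccountName(samName) Then Exit Function
    BuildUserQuery = "<" & basePath & ">;(&(objectClass=user)(sAMAccountName=" & _
        EscapeLdapFilterValue(samName) & "));distinguishedName;subtree"
End Function

' Constructed inputs; the base path is a placeholder, not a real server.
Dim sample
For Each sample In Array("jsmith", "j(ohn)", "*)(objectClass=*")
    WScript.Echo sample & " -> " & BuildUserQuery("LDAP://dc.example.test/DC=example,DC=test", sample)
Next
```

The third sample is rejected and yields an empty string, which the caller should treat as "refuse the request" rather than running the query.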
 
LVL 9

Expert Comment

by:Krompton
ID: 16896773
Why are you trying to change passwords this way?
What OSes are being used?
0
 
LVL 2

Author Comment

by:Mr_Lenehan
ID: 16896828
I am using WebSphere to change passwords in Active Directory on 2000 Advanced Server.  Active Directory requires a security certificate to make changes from a non Microsoft product.

By using a vbs, Active Directory doesn't seem to care much about a certificate.  For some reason though, when the file is on WEB_B it works, when it's on WEB_A it doesn't. Even though they are on the same network, connecting to the same domain controller and using the same file.

So, I figured that if WEB_B can run the file and WEB_A can't, for whatever reason, then maybe I could get WEB_A to get WEB_B to run the file... thereby bypassing the problem.
0
 
LVL 9

Expert Comment

by:Krompton
ID: 16897198
It runs fine if copied to WEB_A and run locally?
0
 
LVL 2

Author Comment

by:Mr_Lenehan
ID: 16897399
No, it fails with error code -2147023545.
0
 
LVL 9

Expert Comment

by:Krompton
ID: 16901664
You said...
********************
So far I have:
- Set a network drive on WEB_A to point to the folder on WEB_B that has the vbscript, so I would call p:\changepw.vbs param1 param2 param3 param4
- Set permissions on the file so that the Everybody group has full control over the file
- Set permissions on the file so that the Server WEB_A has full control on the file

When I run the script I get the error code -2147023545.  Which when I looked up means Cannot Access Domain Info.  Now, IIS is running on WEB_B that holds the file, and when run locally it runs fine.  But over the network it doesn't like it, and I can't for the life of me work out why.
********************

Maybe I’m just being dense here but, just for clarification; this error occurs when attempting to run the script both from a local drive as well as a mapped drive?

If it does work from a local drive and just not a networked one we might be able to approach a solution from a different way. Otherwise you may try using PSExec.exe from Sysinternals (though I have never tried to use their tools on a machine running WebSphere).

Krompton
0
 
LVL 2

Author Comment

by:Mr_Lenehan
ID: 16903556
You are correct. It won't run on the local machine, this is why I'm trying to run it from a remote machine. Easiest for me would be for it to run from the local machine.
0
 
LVL 2

Author Comment

by:Mr_Lenehan
ID: 16903717
In short, I think WEB_A isn't set up correctly to run this vbs, the error message basically means that it thinks it has no access to the domain controller... even though it has been set up correctly and a java application can authenticate users from the server.

It was my thinking that if WEB_A couldn't do it, but WEB_B can, then it would be easier to get WEB_A to ask WEB_B to run the script and get WEB_A to do the work.

The way I have WebSphere set up allows me to call cmd.exe as System or Admin and pass it the params I want running.  At the moment I'm just running off of cmd directly until I get it working.  When I have it working I'll start to play around with getting WebSphere to run it properly which is something I'm familiar with.

Ideally if there was a way to get this script to run on WEB_A I'd do it.  But safe to say this isn't happening which is why I'm attempting this round-about way of doing things.
0
 
LVL 9

Accepted Solution

by:
Krompton earned 500 total points
ID: 16903790
I agree that would certainly be easiest. :) Just wanted to make sure I understood you correctly.

Though I have a fair amount of knowledge of scripting and such, I personally have not used WebSphere so I can really only provide educated guesses. I also agree that it sounds like a setting difference between the two servers.

There are probably other folks here who could help more. If PSExec won’t work for you (kinda like what you're doing now though), you may want to repost this question adding “WebSphere Question” or something like that to the title. You will get posts from those likely to know more than I about WebSphere.

Good Luck,
Krompton
0
 
LVL 2

Author Comment

by:Mr_Lenehan
ID: 16951220
It turns out it was an OS problem not Websphere.  My Windows server that was running Websphere had not been correctly joined to the domain.... this meant the domain controller could never be found hence the shifily unhelpful error message.

So the solution was: disconnect server from domain > rejoin using admin privileges > job done.
0
 
LVL 9

Expert Comment

by:Krompton
ID: 16951396
Glad you got it straightened out. Now you can do it the easy way, eh? :)
0
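
The cause found in this thread, a server that was not correctly joined to the domain, can be checked before running changepw.vbs. As an added example (not part of the original thread), a pre-flight script that reads the machine's domain role through WMI and then attempts the same kind of RootDSE bind the password script starts with; the function name is hypothetical.

```vbscript
Option Explicit

' Returns a one-line status saying whether this machine can reach its domain.
Function DomainStatus()
    Dim wmi, item, role, domainName, rootDse, ctx
    role = -1
    On Error Resume Next
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    If Err.Number <> 0 Then
        DomainStatus = "WMI unavailable: 0x" & Hex(Err.Number)
        Exit Function
    End If
    For Each item In wmi.ExecQuery("SELECT Domain, DomainRole FROM Win32_ComputerSystem")
        role = item.DomainRole
        domainName = item.Domain
    Next
    If Err.Number <> 0 Or role = -1 Then
        DomainStatus = "WMI query failed: 0x" & Hex(Err.Number)
        Exit Function
    End If
    ' DomainRole 0 and 2 mean standalone workstation / standalone server.
    If role = 0 Or role = 2 Then
        DomainStatus = "Not a domain member (workgroup " & domainName & ")"
        Exit Function
    End If
    ' Serverless bind: ADSI has to locate a domain controller by itself.
    Err.Clear
    Set rootDse = GetObject("LDAP://RootDSE")
    If Err.Number = 0 Then ctx = rootDse.Get("defaultNamingContext")
    If Err.Number <> 0 Then
        ' The thread's -2147023545 prints here as 0x80070547.
        DomainStatus = "Member of " & domainName & _
            " but RootDSE bind failed: 0x" & Hex(Err.Number)
    Else
        DomainStatus = "OK: " & domainName & " (" & ctx & ")"
    End If
End Function

WScript.Echo DomainStatus()
```

Run it under the same account that will run the password script, since the serverless bind uses the caller's security context.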
