• Status: Solved
  • Priority: Medium
  • Security: Public

Need to create a script to automatically change a user's password upon logon.

I would like to install a script on our Windows 2003 Active Directory controller that will change a user's password to a new randomly generated password and email them the password once they log in to the server. Is this possible?
Asked by: FASTECHS
3 Solutions
 
peakpeakCommented:
If you change the users password, then mail it, how can the user log on and read his/her mail?
 
jkrCommented:
Technically yes - if you run a script that does that *after* they have logged on. What you need is

- a command line mailer that can be used in scripts: http://www.beyondlogic.org/consulting/cmdlinemail/cmdlinemail.htm
- a command line password generator that can be used in scripts: http://password-generator-professional-2006.kristanix-software.alienpicks.com/

Then you can set the password using

net user %USERNAME% %PASSWORD%

and mail it

bmail -s smtp.mydomain.com -t %USERNAME%@mydomain.com -f administrator@mydomain.com -h -a "Your new Password" -b "%PASSWORD%"
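The pipeline jkr sketches above (generate a random password, reset the account, mail it), written out as an added example that is not from this thread or from any of its posters. Two things a practitioner would change are built in: the password comes from the OS CSPRNG via the secrets module (the random module is not suitable for this), and the mail is only sent over an SMTP session that has negotiated STARTTLS, which addresses the plaintext objection raised later in the thread for the hop to the mail server only. The host names, addresses, complexity rule and the `net user ... /domain` invocation are assumptions. Note also that resetting another account with `net user` needs account-operator rights, which a logon script running as the user itself does not have, so this would have to run in a privileged context; and even then peakpeak's objection stands, because the user is locked out if the mail never arrives.

```python
"""
Added example, not code from the thread: logon-time password rotation in the
shape jkr describes, with CSPRNG generation and TLS-only mail delivery.
Host names, addresses and the 'net user' call are assumptions.
"""
import os
import secrets
import smtplib
import ssl
import string
import subprocess
from email.message import EmailMessage

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Symbols chosen so the password never needs quoting on a cmd.exe line.
SYMBOLS = "!#$%*+-=?@^_"


def meets_complexity(pwd: str) -> bool:
    """Require one character from each of the four classes (assumed domain policy)."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    return all(any(c in cls for c in pwd) for cls in classes)


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG until a candidate satisfies the complexity rule."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    rng = secrets.SystemRandom()
    pool = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        pwd = "".join(rng.choice(pool) for _ in range(length))
        if meets_complexity(pwd):
            return pwd


def reset_password(username: str, new_password: str, dry_run: bool = True) -> list:
    """Build (and, when dry_run is False, run) the 'net user' reset.

    Resetting another account needs account-operator rights; a logon script
    running as the user cannot do this, so the caller must be privileged
    (assumption about the deployment).
    """
    cmd = ["net", "user", username, new_password, "/domain"]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def build_mail(username: str, new_password: str, domain: str = "mydomain.com") -> EmailMessage:
    """Compose the notification jkr's bmail line would send (domain is assumed)."""
    msg = EmailMessage()
    msg["From"] = f"administrator@{domain}"
    msg["To"] = f"{username}@{domain}"
    msg["Subject"] = "Your new password"
    msg.set_content(f"Your password has been reset to: {new_password}\n")
    return msg


def send_mail(msg: EmailMessage, smtp_host: str = "smtp.mydomain.com",
              dry_run: bool = True) -> bool:
    """Send only over a STARTTLS session; smtplib raises if the server refuses TLS."""
    if dry_run:
        return False
    with smtplib.SMTP(smtp_host, 587) as s:
        s.starttls(context=ssl.create_default_context())
        s.send_message(msg)
    return True


if __name__ == "__main__":
    # Dry run: show what would happen for the logged-on user without touching AD.
    user = os.environ.get("USERNAME", "jdoe")
    new_pwd = generate_password()
    print("would run:", " ".join(reset_password(user, "<redacted>")))
    print("would mail:", build_mail(user, new_pwd)["To"])
```

Set `dry_run=False` on both calls only from a privileged context, and never write the generated password to a log.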
 
peakpeakCommented:
Ok, but you then have no error recovery; if the user is disconnected before (s)he can read her mail it's a dead end. You, as an administrator, get blamed, more work and feel (probably) bad. I'm entertained by your idea though, it's technical and it's fun but not for a production environment.
 
jkrCommented:
>>if the user is disconnected before (s)he can read her mail it's a dead end

As an admin, you can always reset the password in such cases.
 
sharizodCommented:
> peakpeak: Ok, but you then have no error recovery, if the user is disconnected before (s)he can read her mail it's a dead end. You, as an administrator get blamed

Not to mention that sending anything in plain text over email (if it goes out to the internet) is a security risk, randomly generated or not.
 
peakpeakCommented:
jkr: Like I mentioned, as an admin you're not supposed to NEED to do error recovery, it'll make you look bad
 
jkrCommented:
I am not saying that I think this is a good idea, yet it is possible. As a side note, sending that stuff by email to me implies that this network has its own mail server. Sending logon passwords over the internet would be - hm, let's say "less than optimal"...
 
peakpeakCommented:
I agree with you sharizod, sending unencrypted emails even on internal nets, possibly with lots of external consultants, is a real security misbehaviour. We don't allow consultants on our net, however, but even a disgruntled employee with an Ethereal sniffer can do great damage. Even if you disable rights to install programs, someone can take a laptop with a switch, hide it in a drawer and share his/her only connection to enable sniffing by ARP spoofing.
 
sharizodCommented:
Yea.  We once had a supervisor out on the plant floor at one of my former places of employment capturing keystrokes, using packet sniffers, and tampering with the hardware (and putting it back before we would come in during the day).  He was found out only because he was not well-liked and blabbed too much.  The internal threats are the scariest of all!

At my current place, we have security up the wazoo and are SOX compliant. Consultants that come in are allowed to use the wireless internet only after explicitly requesting it from IT, since they must be assigned a temporary password to be able to log in. Once in, they cannot see any of our network since they are segregated by some software running on a server and a firewall/router - an internal DMZ if you will.
 
peakpeakCommented:
Yep, we call it the Consultant Network: only 25, 110, 80 and the like inbound; unrestricted outbound access is allowed as of today (might change that). No access to our internal network. Our users are well-behaved (or at least we believe so :). No virus spread or other mishaps since 1998, when we had the first and second. But you never really know, it's a matter of how important your intellectual property is and of course the budget to support it .. :)
 
Chris Dent (PowerShell Developer) Commented:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
SPLIT: peakpeak {19568412} & jkr {19568696} & sharizod {19568846}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Chris-Dent
Experts Exchange Cleanup Volunteer
