Need to create a script to automatically change users password upon logon.

I would like to install a script on our Windows 2003 active directory controller that will change a users password to a new randomly generated password and email them the password once they login to the server. Is this possible?
Who is Participating?
peakpeakConnect With a Mentor Commented:
If you change the users password, then mail it, how can the user log on and read his/her mail?
jkrConnect With a Mentor Commented:
Technically yes - if you run a script that does that *after* the have logged on. What you need is

- a command line mailer that can be used in scripts:
- a command line password generator that can be used in scripts:

Then you can set the password using


and mail it

bmail -s -t -f -h -a "Your new Password" -b "%PASSWORD%"
Ok, but you then have no error recovery, if the user is disconnected before (s)he can read her mail it's a dead end. You, as an administartor get blaimed, more work and feel (probably) bad. I'm entertained by your idea though, it's technical and its fun but not for a production environment.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

>>if the user is disconnected before (s)he can read her mail it's a dead end

As an admin, you can always reset the password in such cases.
sharizodConnect With a Mentor Commented:
>peakpeak:Ok, but you then have no error recovery, if the user is disconnected before (s)he can read >her mail it's a dead end. You, as an administartor get blaimed

Not to mention that sending anything in plain text over email (if it goes out to the internet) is a security risk, randomly generated or not.
jkr: Like I mentioned, as an admin you're not supposed to NEED to do error recovery, it'll make you look bad
I am not saying that I think this is a good idea, yet it is possible. As a side not, sending that stuff by email to me implies that this network has it's own mail server. Sending logon passwords over the internet would be - hm, let's say "less than optimal"...
I agree with you sharizod, sending unencrypted emails even on internal nets, possibly with lots of extenal consultants, there is a real security misbehaviour. We don't allow consultants on our net however but even a grudged employee with an etheral sniffer can make great damage. Even if you disable rights to install programs someone can take a laptop with a switch, hide it in a drawer and share his/her only connection to enable sniffing by ARP spoofing
Yea.  We once had a supervisor out on the plant floor at one of my former places of employment capturing keystrokes, using packet sniffers, and tampering with the hardware (and putting it back before we would come in during the day).  He was found out only because he was not well-liked and blabbed too much.  The internal threats are the scariest of all!

At my current place, we have security up the wazoo and are sox compliant.  Consultants that come in are allowed to use the iwireless nternet only after explicitly requesting it from IT since they must be assigned a temporary password to be able to login.  Once in, they cannot see any of our network since they are segrated by some software running on a server and a firewall/router - an internal DMZ if you will.
Yep, we call it the Consultant Network, only 25, 110, 80 and the like inbound, unresticted outbound access is allowed as of today (might change that). No access to our internal network. Our users are well-behaving (or at least we do believe it :). No virus spread or other mishappens since like 1998 where we had the first and second. But you never really know, it's a matter of how important your intellectual property is and of course the budget to support it .. :)
Chris DentPowerShell DeveloperCommented:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
SPLIT: peakpeak {19568412} & jkr {19568696} & sharizod {19568846}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Experts Exchange Cleanup Volunteer
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.