Solved

Bulk Reset AD passwords to unique passwords

Posted on 2009-07-01
9
660 Views
Last Modified: 2012-05-07
Hello,

I've been searching EE & google for a script that would allow me to reset AD passwords to unique passwords and not something generic for all users. In other words, here's what I'm trying to accomplish:

Name            DOB (password)
Joe Smith --> 09171965
Mary Sue --> 12251971

I've come across VBscripts that prompt the administrator for the user to have his/her password reset, and while this would work for one user, it wouldn't work for many users as I'm trying to automate the process. I will be creating a large number of users and here's my idea:

1. Use a script to create and enable the user accounts with a generic password (got this step)
2. Place all users created in step #1 into a specific OU (got this step)
3. Create a file (.csv,.txt, etc) with user names (or sAMaccount, DN, etc.) and passwords.
3. Run a script against the OU in step #2 and have the script read the file in step #3 so that it can reset the passwords accordingly.

Any guidance on how to accomplish the above will be much appreciated. Thanks.
0
Comment
Question by:bndit
9 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 24757193
Well you could do something like this.

This will need a file with the username!password on each line. I used the exclamation point as a delemiter.


for /F "delims=! tokens=1,2" %%h IN (file.txt) Do dsquery user -samid "%%h" | dsmod user -pwd "%%i"

Open in new window

0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 500 total points
ID: 24757238
Sorry that might be a little bit brief so a little explanation.

Save that command to a file and rename it to a bat file. Basically once you create your OU and populate your users into it. You would need to make a plain text file with their username (samid) and the desired password. It has to be in the format of

user1!pass1
user2!pass2
user3!pass3

Make sure there isnt a trailing carriage return in the file. Save the file as file.txt as that is refferenced in the command and then execute the bat file. Once the file is executed it will loop through the file.txt and perform a lookup of the username and then modify it with the password you provided.

Hope this explains a little better.
0
 
LVL 2

Author Comment

by:bndit
ID: 24757376
Thanks, that does explain it better. Just for my own knowledge...what scripting language is this? and is there a link that you can refer me to so that I can understand the various arguments you're using. I like to understand as much as possible things that I run  :). I'll be testing this on my test environment and I'll get back to you on the outcome.

thanks,
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 500 total points
ID: 24757483
The file I am using is just batch scripting using the DS series of commands. Its really only 2 commands the DOS FOR command
http://www.geocities.com/rick_lively/MANUALS/COMMANDS/F/FOR_F.HTM

and the commands using DSquery and DSmod
http://www.geocities.com/rick_lively/MANUALS/COMMANDS/D/DSQUERY.HTM
http://www.geocities.com/rick_lively/MANUALS/COMMANDS/D/DSMOD.HTM

A quick run through of the commands

For /f - Loop through each line in a file
delims=! - what character to look for to seperate the tokens
tokens 1,2 - how many items are expected
%%h - the variable name to start with in this case %%h and %%i. Determined by the tokens 1,2 line. If it were tokens 1,2,3,4 you would have %%H %%I %%J %%K and so on.
IN (file.txt) - Where to look for the data to loop through

Do {command} - what will actually be done with the data. In thise case dsquery user -samid "%%h" | dsmod user -pwd "%%i"




0
 
LVL 3

Expert Comment

by:bdibene
ID: 24758157
You mentioned that you know how to have a VBScript prompt the Admin to change the User password.
Do you need to set the passwords to something you know, or would it be OK to just prompt all the Users and force them to change their own passwords?  This can be done with Group Policy (Computer Config-->Windows Settings-->Security Settings-->Account Policies-->Password Policy).
0
 
LVL 2

Author Comment

by:bndit
ID: 24758444
I want to change the passwords to something known but unique to each user such as their employee #. I'm trying to stay away from turning the "change password at next logon" flag - this might be against best practice when creating a new user account, but it's necessary in my circumstances. The password policy applied at the domain level will take care of forcing them to reset the password at a later time.
0
 
LVL 5

Expert Comment

by:artoaperjan
ID: 24768101
hi
this is a good request i can use this too. if u want i can script for u a VBScript which  will do all the 4 steps you have above but we woud need to agree on how r u going to supply the user details.
if you can put all in a txt all above steps can be done automaticaly.

Art
0
 
LVL 2

Author Comment

by:bndit
ID: 24768245
Hi Art - thanks for offering to script this out. I'm providing you with a small text file that contains about five users...this should be enough to get the script working. Take a look at the txt file and let me know if it works. The only column that you won't find in it will be the password as I don't believe that can be imported into AD but rather you'll take care of it with the script. Let me know. Thanks again.
User-bulk-create2.txt
0
 
LVL 2

Author Closing Comment

by:bndit
ID: 31598906
thanks
0

Join & Write a Comment

In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now