Solved

Creating random passwords in AD using powershell

Posted on 2010-01-11
1,546 Views
Last Modified: 2012-05-08
Hi there, I'm currently trying to create a CSV file with randomly generated passwords for a set of users in a single OU, but I'm having a couple of issues. I'm using the Quest cmdlets snap-in and I think that the script I've pasted below should work, but once I get to the 'set-qaduser' command I get an error telling me that it's an unexpected token. Can anyone advise if I've missed something or got something wrong?!

$random = New-Object System.Random
$CSV = @()
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | ForEach-Object {
$password = "pwd"+($random.Next(1000,9999)) Set-QADUser $_ -UserPassword $password $exportdata = Get-QADUser $_ | Select-Object name Add-Member -InputObject $exportdata -MemberType NoteProperty -Name Password -Value $password
$CSV += $exportdata} $CSV | Export-Csv -Path "C:\temp\list.csv" -Encoding unicode -NoTypeInformation

Any advice would be a great help.

Thanks,
Question by:ITSCSomerset
22 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1000 total points
ID: 26282774

Two versions here.

The first is a limited modification of the script above to include line breaks and a change from $_ to $_.DN as the Identity for Set-QADUser.

The second compacts the current script somewhat (untested but should work, I hope).

Chris
# Initial Change (changed $_ to $_.DN as the Identity for Set-QADUser)

$random = New-Object System.Random
$CSV = @()
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | ForEach-Object {
  $password = "pwd"+($random.Next(1000,9999))
  Set-QADUser $_.DN -UserPassword $password
  $exportdata = Get-QADUser $_ | Select-Object name
  Add-Member -InputObject $exportdata -MemberType NoteProperty -Name Password -Value $password
  $CSV += $exportdata
}
# The export has to start on its own line: "} $CSV | Export-Csv" on one line hands
# $CSV to ForEach-Object as a second -Process argument and fails with
# "Cannot convert 'System.Object[]' to the type ... ScriptBlock required by parameter 'Process'".
$CSV | Export-Csv -Path "C:\temp\list.csv" -Encoding unicode -NoTypeInformation

# Simplified (dropped the second Get-QADUser, Set-QADUser should output the same;
# switched Add-Member to a custom property along with Select-Object).

$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType

 

Author Comment

by:ITSCSomerset
ID: 26291309
Hi Chris,

I've had a go at using both the scripts you've posted, but unfortunately neither of them seems to work for me! They both run without any errors, but once it gets to the end of the final line nothing happens - it's almost as though pshell is looking for another command to complete the script.... Any ideas as to why this might be happening? I've tried this on both DCs I have running too, just in case there were any odd anomalies.
Thanks.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26291328

Hit return again, it leaves the script block open in case you want to add more, a double return should start it off.

Chris
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26291347

Oh and neither will say anything, they'll either create the file or not. If you want to test it, having it output things to the screen, run the version below.

Just make sure "myOU" is something you can test on without causing trouble :)

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
}

 

Author Comment

by:ITSCSomerset
ID: 26291584
Hi Chris,
I ran your first script, hit a double return, ran the script and then received the error below:

 Cannot convert 'System.Object[]' to the type 'System.Management.Automation.ScriptBlock' required by parameter 'Process'. Specified method is not supported

Even though it errored, the CSV file was created, but obviously it was blank due to the error (I'm new to pshell so still trying to get my head round its intricacies!). Any other ideas at all?
Thanks.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26291636

Which version are you running?

I've fully tested this one in both PowerShell 1 and 2, no errors and output is generated as expected.

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType

 

Author Comment

by:ITSCSomerset
ID: 26291859
I'm running version 2 and I've tried the script above, but am now getting a different error; the blank file is still created though:

Set-QADUser : The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)
At line:3 char:14
Thanks.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26291866

Okay, getting there.

Do you have a password policy in place? None of these have "cannot change password" ticked?

Chris
 

Author Comment

by:ITSCSomerset
ID: 26291970
Hi Chris,
The only policy we have in place is, when the user is created, to enter a default p/w with a minimum complexity requirement. I've checked all the users in the OU in question and no other options are ticked.
Thanks.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26291988

The passwords you're assigning do not meet (default) complexity requirements. Remember you need 3 of 4 categories from the description of the complex password policy. Unless you're using a custom password filter?

The simplest way to make them comply is to change "pwd ... " to "Pwd ... ". Capitalising that first letter will deal with the default complexity filter.

Modified in code below :)

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "Pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType

 

Author Comment

by:ITSCSomerset
ID: 26292651
Hi Chris, I've tried altering the phrase to read 'Pwd' and reset the passwords on my users, but to no avail - I even tried creating a brand new OU and a couple of users just to see what would happen, but still no joy :(
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26292708

We're onto Active Directory errors now, so at least the script part is syntactically correct.

I have to suspect password policies (considering the operation we're attempting). However, you might attempt something less secure to help verify that.

The snippet below resets the description of the accounts in that OU to a string suffixed with the randomly generated number.

If this works, but the other doesn't it suggests policy is preventing the change. If this one doesn't work either we'll need to think again.

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Description = "Some Description $($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -Description $Description | Select-Object Name, Description
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType

 

Author Comment

by:ITSCSomerset
ID: 26293163
Hi Chris, I've given that a go and the snippet above works and populates the CSV file with the names and description, but when I run the previous script to generate the password I still get the same error (unless I've misunderstood your last post!). I will have a look into the password policies, but I can't quite understand why the Pwd phrase wouldn't work..... hmm. :(
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26293299

No you haven't misunderstood, that's good, in a way... it helps us isolate the problem :)

Okay, so next step, single user from that OU something like this:

Set-QADUser "SomeUsername" -Password "SomePassword1234"

Chris
 

Author Comment

by:ITSCSomerset
ID: 26293629
Yep, that's worked fine - tried it on a couple of users in the OU and logged them on with the new password without any problems.
Thanks
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26293644

Okay, let's add a few bits back in. Try this one?

$Random = New-Object System.Random
$Password = "Pwd$($Random.Next(1000, 9999))"
Write-Host "Setting password: $Password"
Set-QADUser "SomeUsername" -Password $Password

Chris
 

Author Comment

by:ITSCSomerset
ID: 26293877
Ok, I ran the script, which generated a password (Pwd2145 for example), but when I hit return after the Set-QADUser "SomeUsername" -Password $Password line I get the same error as before.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26293914

Okay, so back a bit to a hard-coded password (we'll use the same one it just tried):

$Password = "Pwd2145"
Set-QADUser "SomeUsername" -Password $Password

Just to see if it's having problems with how the password is represented in PowerShell, or if it has a problem with the string we're using.

Chris
 

Author Comment

by:ITSCSomerset
ID: 26294086
I've gone back to the hard-coded password and run the command again, but I'm still getting the 'Set-QADUser : The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)' error.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26294106

Goodie, so we can (hopefully) say now that the problem exists with the password we're using. Especially if changing the password it's setting to something else works (as we did above with "SomePassword1234").

The most likely candidate for that is security policy applied to the accounts. Is Complexity the only policy you have enabled? No length, minimum age, history restrictions?

Chris
 

Author Comment

by:ITSCSomerset
ID: 26294346
A-ha... I've cracked it - your last post made me realise I'd made a foolish oversight in that the password length in the scripts I've been running is 7 characters and our default policy requires 8. I've run the script again and now have one fully populated CSV file with randomly generated 8-character passwords - logged on a couple of the users and all is working fine.

Thank you ever so much for your help; it would've taken me an age to figure it out without your advice.

Thanks again.
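The thread ends on two policy rules: three of the four character classes and a minimum length of 8. As an added example (not code from the thread or from the Quest cmdlets), the functions below generate passwords that satisfy both rules from a cryptographic RNG rather than System.Random, which is a statistical generator and not meant for secrets; the names New-CompliantPassword and Test-PasswordComplexity are my own.

```powershell
# Added example, not from the thread. Default AD complexity wants 3 of 4 classes;
# the asker's domain also enforces a minimum length of 8, so both are checked.
function Test-PasswordComplexity {
    param([string]$Password, [int]$MinLength = 8)
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($Password.Length -ge $MinLength) -and ($classes -ge 3)
}

function New-CompliantPassword {
    param([int]$Length = 12)
    if ($Length -lt 8) { throw 'Length must be at least 8 to satisfy the domain policy.' }
    # Ambiguous glyphs (O/0, l/1/I) are left out so printed passwords are readable.
    $sets = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+?')
    $all  = -join $sets
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf  = New-Object byte[] 4

    # Unbiased index in [0, $n): rejection sampling, so no character is favoured.
    function Get-RandomIndex([int]$n) {
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$n)
        do { $rng.GetBytes($buf); $v = [BitConverter]::ToUInt32($buf, 0) } while ($v -ge $limit)
        return [int]($v % $n)
    }

    # One character from every class guarantees the 3-of-4 rule; fill the rest from all sets.
    $chars = @()
    foreach ($set in $sets) { $chars += $set[(Get-RandomIndex $set.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }

    # Fisher-Yates shuffle so the mandatory characters do not always lead the password.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# The thread's own strings: 'pwd2145' is 7 characters with only 2 classes,
# 'Pwd2145' has 3 classes but is still 7 characters; the generated one passes both rules.
'pwd2145', 'Pwd2145', (New-CompliantPassword -Length 12) | ForEach-Object {
    '{0,-14} compliant: {1}' -f $_, (Test-PasswordComplexity $_)
}
# In the thread's pipeline, replace the "Pwd$(...)" line with:
#   $Password = New-CompliantPassword -Length 12
```

The exported CSV still holds every new password in clear text, so it should be protected and deleted once the users have been forced to change their password at next logon.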
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26294378

You're welcome :)

Chris