
Creating random passwords in AD using powershell

Hi there, I'm currently trying to create a csv file with randomly generated passwords for a set of users in a single OU but having a couple of issues. I'm using the quest cmdlets snap in and I think that the script I've pasted below should work but once I get to the 'set-qaduser' command, I get an error telling me that it's an unexpected token. Can anyone advise if I've missed something or got something wrong?!

$random = New-Object System.Random
$CSV = @()
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | ForEach-Object {
$password = "pwd"+($random.Next(1000,9999)) Set-QADUser $_ -UserPassword $password $exportdata = Get-QADUser $_ | Select-Object name Add-Member -InputObject $exportdata -MemberType NoteProperty -Name Password -Value $password
$CSV += $exportdata} $CSV | Export-Csv -Path "C:\temp\list.csv" -Encoding unicode -NoTypeInformation

Any advice would be a great help.

Thanks,
Asked by: ITSCSomerset

Chris Dent (PowerShell Developer) commented:

Two versions here.

The first is a limited modification of the script above to include line breaks and a change from $_ to $_.DN as the Identity for Set-QADUser.

The second compacts the current script somewhat (untested but should work, I hope).

Chris
# Initial Change (changed $_ to $_.DN as the Identity for Set-QADUser)

$random = New-Object System.Random
$CSV = @()
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | ForEach-Object {
  $password = "pwd"+($random.Next(1000,9999)) 
  Set-QADUser $_.DN -UserPassword $password 
  $exportdata = Get-QADUser $_ | Select-Object name 
  Add-Member -InputObject $exportdata -MemberType NoteProperty -Name Password -Value $password
  $CSV += $exportdata
}
# Export on its own line: with "} $CSV ..." on one line PowerShell binds $CSV as a
# second -Process argument to ForEach-Object, which fails to convert to a ScriptBlock.
$CSV | Export-Csv -Path "C:\temp\list.csv" -Encoding unicode -NoTypeInformation

# Simplified (dropped the second Get-QADUser, as Set-QADUser should output the same object;
# switched Add-Member to a calculated property with Select-Object)

$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType


ITSCSomerset (Author) commented:
Hi Chris,

I've had a go at using both the scripts you've posted but unfortunately neither of them seem to work for me! They both run without any errors but once it gets to the end of the final line nothing happens - it's almost as though pshell is looking for another command to complete the script....any ideas as to why this might be happening? I've tried this on both DCs I have running too just in case there were any odd anomalies.
Thanks.

Chris Dent (PowerShell Developer) commented:

Hit return again; it leaves the script block open in case you want to add more, so a double return should start it off.

Chris

Chris Dent (PowerShell Developer) commented:

Oh, and neither will say anything; they'll either create the file or not. If you want to test it, having it output things to the screen, run the version below.

Just make sure "myOU" is something you can test on without causing trouble :)

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
}


ITSCSomerset (Author) commented:
Hi Chris,
I ran your first script, hit a double return, ran the script and then received the error below:

 Cannot convert 'System.Object[]' to the type 'System.Management.Automation.ScriptBlock' required by parameter 'Process'. Specified method is not supported

Even though it errored, the CSV file was created, but obviously it was blank due to the error (I'm new to pshell so still trying to get my head round its intricacies!). Any other ideas at all?
Thanks.

Chris Dent (PowerShell Developer) commented:

Which version are you running?

I've fully tested this one in both PowerShell 1 and 2, no errors and output is generated as expected.

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType


ITSCSomerset (Author) commented:
I'm running version 2 and I've tried the script above but am now getting a different error, the blank file is still created though:

Set-QADUser : The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)
At line:3 char:14
Thanks.

Chris Dent (PowerShell Developer) commented:

Okay, getting there.

Do you have a password policy in place? None of these have cannot change password ticked?

Chris

ITSCSomerset (Author) commented:
Hi Chris,
The only policy we have in place is when the user is created is to enter a default p/w with a minimum complexity requirement. I've checked all the users in the OU in question and no other options are ticked.
Thanks.

Chris Dent (PowerShell Developer) commented:

The passwords you're assigning do not meet (default) complexity requirements. Remember you need 3 of 4 categories from the description of the complex password policy. Unless you're using a custom password filter?

The simplest way to make them comply is to change "pwd ... " to "Pwd ... ". Capitalising that first letter will deal with the default complexity filter.

Modified in code below :)

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Password = "Pwd$($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -UserPassword $Password | Select-Object Name, @{n='Password';e={ $Password }}
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType


ITSCSomerset (Author) commented:
Hi Chris, I've tried altering the phrase to read 'Pwd', reset the passwords on my users but to no avail - I even tried creating a brand new OU and a couple of users just to see what would happen but still no joy :(

Chris Dent (PowerShell Developer) commented:

We're onto Active Directory errors now, so at least the script part is syntactically correct.

I have to suspect password policies (considering the operation we're attempting). However, you might attempt something less secure to help verify that.

The snippet below resets the description of the accounts in that OU to a string suffixed with the randomly generated number.

If this works, but the other doesn't it suggests policy is preventing the change. If this one doesn't work either we'll need to think again.

Chris
$Random = New-Object System.Random
Get-QADUser -SearchRoot "mydomain/myOU" -SizeLimit 0 | %{
  $Description = "Some Description $($Random.Next(1000, 9999))"
  Set-QADUser $_.DN -Description $Description | Select-Object Name, Description
} | Export-CSV -Path "C:\temp\list.csv" -Encoding Unicode -NoType


ITSCSomerset (Author) commented:
Hi Chris, I've given that a go and the snippet above works and populates the csv file with the names and description but when I run the previous script to generate the password I still get the same error (unless I've misunderstood your last post!). I will have a look into the password policies but I can't quite understand why the Pwd phrase wouldn't work.....hmm. :(

Chris Dent (PowerShell Developer) commented:

No you haven't misunderstood, that's good, in a way... it helps us isolate the problem :)

Okay, so next step, single user from that OU something like this:

Set-QADUser "SomeUsername" -Password "SomePassword1234"

Chris

ITSCSomerset (Author) commented:
Yep, that's worked fine - tried it on a couple of users in the OU and logged them on with the new password without any problems.
Thanks

Chris Dent (PowerShell Developer) commented:

Okay, lets add a few bits back in. Try this one?

$Random = New-Object System.Random
$Password = "Pwd$($Random.Next(1000, 9999))"
Write-Host "Setting password: $Password"
Set-QADUser "SomeUsername" -Password $Password

Chris

ITSCSomerset (Author) commented:
Ok, I ran the script which generated a password (Pwd2145 for example) but when I hit return after the Set-QADUser "SomeUsername" -Password $Password line then I get the same error as before.

Chris Dent (PowerShell Developer) commented:

Okay, so back a bit to a hard-coded password (we'll use the same one it just tried):

$Password = "Pwd2145"
Set-QADUser "SomeUsername" -Password $Password

Just to see if it's having problems with how the password is represented in PowerShell, or if it has a problem with the string we're using.

Chris

ITSCSomerset (Author) commented:
I've gone back to the hard coded password and run the command again but I'm getting the 'Set-QADUser : The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)' error still.

Chris Dent (PowerShell Developer) commented:

Goodie, so we can (hopefully) say now that the problem exists with the password we're using. Especially if changing the password it's setting to something else works (as we did above with "SomePassword1234").

The most likely candidate for that is security policy applied to the accounts. Is Complexity the only policy you have enabled? No length, minimum age, history restrictions?

Chris

ITSCSomerset (Author) commented:
A-ha...I've cracked it - your last post made me realise I'd made a foolish oversight in that the password length in the scripts I've been running is 7 characters and our default policy requires 8. I've run the script again and now have one fully populated csv file with randomly generated 8 character passwords - logged on a couple of the users and all is working fine.

Thank you ever so much for your help, it would've taken me an age to figure it out without your advice.

Thanks again.

Chris Dent (PowerShell Developer) commented:

You're welcome :)

Chris
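The thread ends on the two checks the default Windows password filter actually applies, minimum length and three-of-four character categories, and it leaves the generator as "Pwd" plus four digits from System.Random. Two things a practitioner should change before running this against real accounts: System.Random is seeded from the clock and is not a cryptographic generator, and "Pwd" followed by Next(1000, 9999) yields at most 8999 distinct passwords, so every password in the CSV is guessable in seconds even if the file never leaks. The block below is an added example, not code from the thread or its author. It draws characters from RNGCryptoServiceProvider, guarantees all four categories, checks each candidate the way the filter does (length, categories, account name), reads the domain's minimum length and complexity bit from the default domain object via ADSI, and sets the password with the Quest snap-in used above. Assumptions: a domain-joined host with the Quest snap-in loaded; "mydomain/myOU" and "C:\temp\list.csv" are the thread's placeholders; fine-grained password policies, if any apply to these users, are not read; Set-QADUser is assumed to accept -UserMustChangePassword so the exported value is only ever a one-time credential. When run as a script, only the offline self-check executes; the AD reset is a function you call deliberately.

```powershell
# Added example, not from the original thread. Assumes the Quest AD snap-in is loaded
# and the host is domain joined; the OU and CSV paths are the thread's placeholders.

function Get-RandomIndex {
    # Uniform integer in [0, Max) from a CSPRNG, for Max <= 256. One byte is drawn and
    # values at or above the largest multiple of Max are rejected, avoiding modulo bias.
    param($Rng, [int]$Max)
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return [int]($b[0] % $Max)
}

function New-RandomPassword {
    # Builds a password that always contains all four categories the default complexity
    # filter counts, then shuffles so the guaranteed characters are not always in front.
    # Easily confused glyphs (I, O, l, 0, 1) are left out for the helpdesk's sake.
    param([int]$Length = 12)
    if ($Length -lt 4) { throw "Length must be at least 4 to cover every character class." }
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#$%&*+-=?@')
    $all = -join $classes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars = @()
    foreach ($class in $classes) { $chars += $class[(Get-RandomIndex $rng $class.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $rng $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {          # Fisher-Yates shuffle
        $j = Get-RandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-PasswordComplexity {
    # Mirrors the documented default filter: minimum length, characters from at least
    # three of four categories, and no occurrence of the account name (the filter skips
    # the account-name check when the name is shorter than three characters).
    param([string]$Password, [int]$MinimumLength = 8, [string]$AccountName = '')
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }
    $categories = 0
    foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $categories++ }   # -cmatch: case-sensitive
    }
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }
    if ($AccountName.Length -ge 3 -and $Password.ToLower().Contains($AccountName.ToLower())) {
        $reasons += "contains the account name"
    }
    New-Object PSObject -Property @{
        Password = $Password; IsCompliant = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ')
    }
}

function Get-DomainPasswordPolicy {
    # Reads minPwdLength and the DOMAIN_PASSWORD_COMPLEX bit (0x1 of pwdProperties) from
    # the default domain object. Fine-grained password policies are not consulted here.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.Get("defaultNamingContext"))
    New-Object PSObject -Property @{
        MinimumLength     = [int]$domain.Get("minPwdLength")
        ComplexityEnabled = (([int]$domain.Get("pwdProperties")) -band 1) -eq 1
    }
}

function Reset-OUPasswords {
    # Resets every user in the OU to a fresh random password that satisfies the domain
    # policy, forces a change at next logon, and exports name + password to CSV.
    # -UserMustChangePassword is assumed to be supported by the snap-in version in use.
    param([string]$SearchRoot = "mydomain/myOU", [string]$CsvPath = "C:\temp\list.csv")
    $policy = Get-DomainPasswordPolicy
    $length = [Math]::Max(12, $policy.MinimumLength)
    Get-QADUser -SearchRoot $SearchRoot -SizeLimit 0 | ForEach-Object {
        do {
            $candidate = New-RandomPassword -Length $length
            $check = Test-PasswordComplexity -Password $candidate -MinimumLength $policy.MinimumLength -AccountName $_.SamAccountName
        } until ($check.IsCompliant)
        Set-QADUser $_.DN -UserPassword $candidate -UserMustChangePassword $true |
            Select-Object Name, @{n='Password'; e={ $candidate }}
    } | Export-Csv -Path $CsvPath -Encoding Unicode -NoTypeInformation
}

# Offline self-check against the two strings from the thread (no AD access needed),
# plus one freshly generated password run through the same check.
'Pwd2145', 'SomePassword1234' | ForEach-Object { Test-PasswordComplexity -Password $_ -MinimumLength 8 }
New-RandomPassword -Length 12 | ForEach-Object { Test-PasswordComplexity -Password $_ -MinimumLength 8 }
```

Running the self-check reproduces the thread's diagnosis without touching AD: "Pwd2145" is reported as shorter than 8 characters while "SomePassword1234" is compliant, which is exactly why the hard-coded test worked and the generated one drew 0x80072035. Test-PasswordComplexity is also the first thing to run when Set-QADUser returns "server is unwilling to process the request", before suspecting the cmdlet. The CSV still holds clear-text one-time passwords; restrict its ACL to the people handing them out and delete it once the users have logged on and been forced to change them.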