Solved

W2003 Server: check iuser status

Posted on 2010-09-03
Last Modified: 2012-05-10
Hi EE,

On a W2003 server there is an ftp user whose credentials are intensively used in automated ftp scripts. That input is in turn used to populate sharepoints.
We had an issue with the ftp user being flagged "must change password at next logon". Reason unclear, this may have been some corporate measure, but as there is no warning you only learn after you are notified that certain processes got stuck.

Question:
Is there a way (through script) to have the status of users checked?

Thanks.
0
Comment
Question by:Watnog
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33595628
What kind of check would you like to do? If IUSR has status "Must change password at next logon" ?

dsquery user -name IUSR* | dsget user -samid -mustchpwd
0
 

Author Comment

by:Watnog
ID: 33595732
Any status that would prevent automate logon.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33595788
ok, so this first one allows you to check if someone wants to force password change on logon

this one checks if account is disabled

dsquery user -name IUSR* | dsget user -samid -disabled


set unlock account (if it is not locked nothing happens)

net user <IUSR_account> /DOMAIN /ACTIVE:YES

I think that's all which can prevent auto account logon
0

 

Author Comment

by:Watnog
ID: 33595939
Thanks.
It works if I use it as you write it, but if I change from IUSR* to that particular user TWSftp this is returned....

C:\TWS>dsquery user -name TWSftp   | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -name TWSftp   | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /BERD4AP12 /ACTIVE:YES
The option /BERD4AP12 is unknown.

The syntax of this command is:


NET USER
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]

More help is available by typing NET HELPMSG 3506.


C:\TWS>PAUSE
Press any key to continue . . .


Thanks again for helping.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33599197
ok probably you use login not name, so correct syntax

dsquery user -samid TWSftp   | dsget user -samid -mustchpwd

dsquery user -samid TWSftp   | dsget user -samid -disabled

net user TWSftp /DOMAIN /ACTIVE:YES
-> in this case you shouldn't replace DOMAIN word by your domain name :) it's reserved word for each configuration (sorry I didn't mention)
0
 

Author Comment

by:Watnog
ID: 33610689
This is my bat file:

@ECHO ON
dsquery user -samid TWSftp   | dsget user -samid -mustchpwd
dsquery user -samid TWSftp   | dsget user -samid -disabled
net user TWSftp /DOMAIN /ACTIVE:YES
PAUSE

And this is what comes out...
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /DOMAIN /ACTIVE:YES
The request will be processed at a domain controller for domain xx.xxxxxxxxxx.com
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
C:\TWS>PAUSE
Press any key to continue . . .

I replaced the domain name by x's.

Sorry this doesn't work out, it might be that the corporate environment is in the way or so?
That TWSftp user is defined on that particular server only, so is not in AD.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33610755
ok, TWSftp user is probably local user, so it won't work, am I right?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33610853
ok, I read the last sentence now. If it is local user, ds... commands don't work.

Now you should use on that particular server

net user TWSftp

and review entries:
- Account is active (should be yes)
- Account expires (should be never)
- Password last set
- Password expires

and any others you wish

Additionally you can force enable account by

net user TWSftp /ACTIVE:YES
0
 

Author Closing Comment

by:Watnog
ID: 33611900
Thanks, so simple you got misled. I'm a newbie on W2003 management.
Can the 'user must change password at next logon' flag also be undone by any chance?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33613188
Yes, it has to be unchecked, because it causes auto logon not to work. It waits until you press the OK button and change the password. So, it definitely should be unchecked.
0
 

Author Comment

by:Watnog
ID: 33615678
Thanks again.
I finally settled with this vbs script that I make run every 6  hours, and does the job...

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "servername"
strUser = "username"
Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",User")
objUserFlags = objUser.Get("UserFlags")
objPasswordExpirationFlag = objUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
objUser.AccountDisabled = False
objUser.SetInfo
0
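A read-only counterpart to the script above, added here as an example and not written by either participant in the thread: it reports the states of a local account that block an automated logon and changes nothing, so a scheduled job can alert on its exit code. It assumes the same WinNT provider and the same "servername" / "username" placeholders; the Report helper is a name made up for this example.

```vbscript
' Added example: read-only status check of a local account (WinNT provider).
Option Explicit

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim strComputer, strUser, objUser, lngFlags, intProblems, dtExpires

strComputer = "servername"   ' placeholder, as in the script above
strUser = "username"         ' placeholder, as in the script above
intProblems = 0

Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",User")
lngFlags = objUser.Get("UserFlags")

If objUser.AccountDisabled Then Report "is disabled"
If objUser.IsAccountLocked Then Report "is locked out"

' The WinNT provider exposes "User must change password at next logon"
' as PasswordExpired; a non-zero value means the next logon is blocked.
If objUser.Get("PasswordExpired") <> 0 Then
    Report "must change password at next logon"
End If

' Early warning: without this flag the password can still age out later.
If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
    WScript.Echo "NOTE: password can expire, current age " & _
        objUser.Get("PasswordAge") \ 86400 & " days"
End If

' AccountExpirationDate raises an error when the account never expires,
' so an error here means "no expiry date set".
On Error Resume Next
dtExpires = objUser.AccountExpirationDate
If Err.Number = 0 Then
    If dtExpires <= Now Then Report "expired on " & dtExpires
End If
Err.Clear
On Error GoTo 0

If intProblems = 0 Then WScript.Echo "OK: no blocking flags on " & strUser
WScript.Quit intProblems   ' non-zero exit code = at least one blocking state

' Hypothetical helper for this example: print a finding and count it.
Sub Report(strWhat)
    WScript.Echo "PROBLEM: " & strUser & " " & strWhat
    intProblems = intProblems + 1
End Sub
```

Run it with cscript so the findings go to the console and the exit code is available to the calling batch file as %ERRORLEVEL%.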

Question has a verified solution.
