Solved

W2003 Server: check iuser status

Posted on 2010-09-03
Last Modified: 2012-05-10
Hi EE,

On a W2003 server there is an ftp user whose credentials are intensively used in automated ftp scripts. That input is in turn used to populate sharepoints.
We had an issue with the ftp user being flagged "must change password at next logon". Reason unclear, this may have been some corporate measure, but as there is no warning you only learn after you are notified that certain processes got stuck.

Question:
Is there a way (through script) to have the status of users checked?

Thanks.
0
Question by:Watnog
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33595628
What kind of check would you like to do? If IUSR has status "Must change password at next logon" ?

dsquery user -name IUSR* | dsget user -samid -mustchpwd
0
 

Author Comment

by:Watnog
ID: 33595732
Any status that would prevent automate logon.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33595788
ok, so this first one allows you to check if someone wants to force password change on logon

this one checks if account is disabled

dsquery user -name IUSR* | dsget user -samid -disabled


set unlock account (if it is not locked nothing happens)

net user <IUSR_account> /DOMAIN /ACTIVE:YES

I think that's all which can prevent auto account logon
0
 

Author Comment

by:Watnog
ID: 33595939
Thanks.
It works if I use it as you write it, but if I change from IUSR* to that particular user TWSftp this is returned....

C:\TWS>dsquery user -name TWSftp   | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -name TWSftp   | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /BERD4AP12 /ACTIVE:YES
The option /BERD4AP12 is unknown.

The syntax of this command is:


NET USER
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]

More help is available by typing NET HELPMSG 3506.


C:\TWS>PAUSE
Press any key to continue . . .


Thanks again for helping.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33599197
ok probably you use login not name, so correct syntax

dsquery user -samid TWSftp   | dsget user -samid -mustchpwd

dsquery user -samid TWSftp   | dsget user -samid -disabled

net user TWSftp /DOMAIN /ACTIVE:YES
-> in this case you shouldn't replace DOMAIN word by your domain name :) it's reserved word for each configuration (sorry I didn't mention)
0
 

Author Comment

by:Watnog
ID: 33610689
This is my bat file:

@ECHO ON
dsquery user -samid TWSftp   | dsget user -samid -mustchpwd
dsquery user -samid TWSftp   | dsget user -samid -disabled
net user TWSftp /DOMAIN /ACTIVE:YES
PAUSE

And this is what comes out...
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /DOMAIN /ACTIVE:YES
The request will be processed at a domain controller for domain xx.xxxxxxxxxx.com
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
C:\TWS>PAUSE
Press any key to continue . . .

I replaced the domain name by x's.

Sorry this doesn't work out, it might be that the corporate environment is in the way or so?
That TWSftp user is defined on that particular server only, so is not in AD.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33610755
ok, TWSftp user is probably local user, so it won't work, am I right?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33610853
ok, I read the last sentence now. If it is local user, ds... commands don't work.

Now you should use on that particular server

net user TWSftp

and review entries:
- Account is active (should be yes)
- Account expires (should be never)
- Password last set
- Password expires

and other you only wish

Additionally you can force enable account by

net user TWSftp /ACTIVE:YES
0
 

Author Closing Comment

by:Watnog
ID: 33611900
Thanks, so simple you got misled. I'm a newbie on W2003 management.
Can the 'user must change password at next logon' flag also be undone by any chance?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33613188
Yes, it has to be unchecked, because it causes that auto logon doesn't work. It waits until you press OK button and change the password. So, it definitely should be unchecked.
0
 

Author Comment

by:Watnog
ID: 33615678
Thanks again.
I finally settled with this vbs script that I make run every 6  hours, and does the job...

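' UserFlags bit for "Password never expires"
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "servername"
strUser = "username"
' Bind to the local account through the WinNT provider
Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",User")
' Read the current flags and switch the "never expires" bit on
objUserFlags = objUser.Get("UserFlags")
objPasswordExpirationFlag = objUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
' Re-enable the account if it was disabled
objUser.AccountDisabled = False
' Write the changes back to the account database
objUser.SetInfo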
0
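A read-only counterpart to the script above, added here as an example and not posted by anyone in the thread: it reports the states discussed in the answers (disabled, locked out, must change password at next logon) without modifying the account, so a scheduled job can alert instead of silently resetting flags. The `servername`/`username` placeholders, the `Report` helper and the exit-code convention are assumptions of this example.

```vbscript
Option Explicit

' UserFlags bits from the ADS_USER_FLAG enumeration
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_LOCKOUT = &H10
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim strComputer, strUser, objUser, lngFlags, intProblems
strComputer = "servername"   ' placeholder: server holding the local account
strUser = "username"         ' placeholder: account used by the ftp scripts

' Bind through the WinNT provider, which works for local (non-AD) accounts
Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",user")
lngFlags = objUser.Get("UserFlags")
intProblems = 0

If (lngFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then Report "account is disabled"
If (lngFlags And ADS_UF_LOCKOUT) <> 0 Then Report "account is locked out"
' The WinNT provider exposes "User must change password at next logon"
' as PasswordExpired = 1
If objUser.Get("PasswordExpired") = 1 Then Report "password must be changed at next logon"
' Not blocking today, but the password can age out later
If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then Report "password is subject to expiry"

If intProblems = 0 Then WScript.Echo strUser & ": no blocking status found"
' Exit code = number of findings, so a scheduler or wrapper can alert on non-zero
WScript.Quit intProblems

' Hypothetical helper: print one finding and count it
Sub Report(strMessage)
    WScript.Echo strUser & ": " & strMessage
    intProblems = intProblems + 1
End Sub
```

Run it with `cscript //nologo` from the scheduled task so the findings go to the console or a log file rather than to message boxes.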
