Solved

W2003 Server: check iuser status

Posted on 2010-09-03
Last Modified: 2012-05-10
Hi EE,

On a W2003 server there is an ftp user whose credentials are intensively used in automated ftp scripts. That input is in turn used to populate sharepoints.
We had an issue with the ftp user being flagged "must change password at next logon". Reason unclear, this may have been some corporate measure, but as there is no warning you only learn after you are notified that certain processes got stuck.

Question:
Is there a way (through script) to have the status of users checked?

Thanks.
0
Comment
Question by:Watnog
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33595628
What kind of check would you like to do? If IUSR has status "Must change password at next logon"?

dsquery user -name IUSR* | dsget user -samid -mustchpwd
0
 

Author Comment

by:Watnog
ID: 33595732
Any status that would prevent automate logon.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33595788
ok, so this first one allows you to check if someone wants to force password change on logon

this one checks if account is disabled

dsquery user -name IUSR* | dsget user -samid -disabled


set unlock account (if it is not locked nothing happens)

net user <IUSR_account> /DOMAIN /ACTIVE:YES

I think that's all which can prevent auto account logon
0

 

Author Comment

by:Watnog
ID: 33595939
Thanks.
It works if I use it as you write it, but if I change from IUSR* to that particular user TWSftp this is returned....

C:\TWS>dsquery user -name TWSftp   | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -name TWSftp   | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /BERD4AP12 /ACTIVE:YES
The option /BERD4AP12 is unknown.

The syntax of this command is:


NET USER
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]

More help is available by typing NET HELPMSG 3506.


C:\TWS>PAUSE
Press any key to continue . . .


Thanks again for helping.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33599197
ok probably you use login not name, so correct syntax

dsquery user -samid TWSftp   | dsget user -samid -mustchpwd

dsquery user -samid TWSftp   | dsget user -samid -disabled

net user TWSftp /DOMAIN /ACTIVE:YES
-> in this case you shouldn't replace DOMAIN word by your domain name :) it's reserved word for each configuration (sorry I didn't mention)
0
 

Author Comment

by:Watnog
ID: 33610689
This is my bat file:

@ECHO ON
dsquery user -samid TWSftp   | dsget user -samid -mustchpwd
dsquery user -samid TWSftp   | dsget user -samid -disabled
net user TWSftp /DOMAIN /ACTIVE:YES
PAUSE

And this is what comes out...
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /DOMAIN /ACTIVE:YES
The request will be processed at a domain controller for domain xx.xxxxxxxxxx.com
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
C:\TWS>PAUSE
Press any key to continue . . .

I replaced the domain name by x's.

Sorry this doesn't work out, it might be that the corporate environment is in the way or so?
That TWSftp user is defined on that particular server only, so is not in AD.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33610755
ok, TWSftp user is probably local user, so it won't work, am I right?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33610853
ok, I read the last sentence now. If it is local user, ds... commands don't work.

Now you should use on that particular server

net user TWSftp

and review entries:
- Account is active (should be yes)
- Account expires (should be never)
- Password last set
- Password expires

and other you only wish

Additionally you can force enable account by

net user TWSftp /ACTIVE:YES
0
 

Author Closing Comment

by:Watnog
ID: 33611900
Thanks, so simple you got misled. I'm a newbie on W2003 management.
Can the 'user must change password at next logon' flag also be undone by any chance?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33613188
Yes, it has to be unchecked, because it causes that auto logon doesn't work. It waits until you press OK button and change the password. So, it definitely should be unchecked.
0
 

Author Comment

by:Watnog
ID: 33615678
Thanks again.
I finally settled with this vbs script that I make run every 6 hours, and does the job...

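' Bit in the account's user flags that means "password never expires"
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "servername"
strUser = "username"
' Bind to the local account through the WinNT ADSI provider
Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",User")
' Read the current flags and switch the "password never expires" bit on
objUserFlags = objUser.Get("UserFlags")
objPasswordExpirationFlag = objUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
' Re-enable the account if it was disabled
objUser.AccountDisabled = False
' Write the changes back to the account database
objUser.SetInfo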
0
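A read-only status check for the local account discussed in this thread, as an added example that is not part of the original posts: it reads the account through the WinNT ADSI provider and exits with a non-zero code when a condition that blocks automated logon is set, so a scheduled task can raise an alert without changing the account. The computer name is a placeholder, and the exit-code convention and the Report helper are assumptions of this example.

```vbscript
Option Explicit

' Added example: read-only health check for a local account.
' strComputer is a placeholder; the exit codes are this example's own convention.
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim strComputer, strUser, objUser, lngFlags, intProblems
strComputer = "servername"
strUser = "TWSftp"
intProblems = 0

' Bind to the local account; a missing account is reported, not ignored
On Error Resume Next
Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",user")
If Err.Number <> 0 Then
    WScript.Echo "ERROR: cannot bind to " & strUser & " on " & strComputer & _
                 " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 2
End If
On Error GoTo 0

lngFlags = objUser.Get("UserFlags")

If (lngFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then Report "account is disabled"
If objUser.IsAccountLocked Then Report "account is locked out"
' PasswordExpired = 1 when the password has expired, which includes
' the "User must change password at next logon" flag
If objUser.Get("PasswordExpired") = 1 Then Report "password must be changed before logon"
If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
    WScript.Echo "INFO: password is subject to the password-age policy"
End If

If intProblems = 0 Then WScript.Echo "OK: " & strUser & " has no blocking flags set"
' 0 = healthy, 1 = at least one blocking condition, 2 = account not found
If intProblems > 0 Then WScript.Quit 1
WScript.Quit 0

' Hypothetical helper: print one finding and count it
Sub Report(strWhat)
    WScript.Echo "PROBLEM: " & strUser & " " & strWhat
    intProblems = intProblems + 1
End Sub
```

Run it with cscript.exe so the findings go to the console and the exit code is available to the calling batch file as %ERRORLEVEL%.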
