Solved

Powershell script to reset user passwords in Windows and Linux

Posted on 2011-02-10
5
952 Views
Last Modified: 2012-05-11
Experts,

       We have a configuration of MS AD and Linux authenticating using Samba, Winbind with PAM and NSS all configured on our network. What capabilities does this give me with managing Linux user accounts with AD? I read an article that discusses the authentication to AD using Winbind however Group policy is not available - as of yet. Does this mean I cannot have a Powershell script to reset user passwords on XP boxes and Linux boxes? What are the capabilities of administration on this setup?

THanks, Missymadi
0
Comment
Question by:missymadi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 22

Expert Comment

by:dan_blagut
ID: 34869598
Hello

Well I resolved a situation like this on the other side.
We started with an LDAP and we made the syncro with AD. All users change the passwords using a web page that do both changes (in LDAP and AD)
You can modify the page to allow a your desk support to change the passwords.

Dan
0
 

Author Comment

by:missymadi
ID: 34872117
Could I have a little more information on how you accomplished this issue? Maybe some steps to follow to achieve the password sync?
0
 
LVL 22

Expert Comment

by:dan_blagut
ID: 34872454
Well the users use a php page that do the change in LDAP. In that page we aded one line of code that launch a vbs script on a ssh server. In the parameters of the vbs on put the user name and the password.
On the Windows controller we implemented an ssh server that accept certificate authentication. That allow to execute the vbs as administrator without password and deny all other connexions.
Like that the password is sent using a secure way (ssh cripted channel).
On the AD users can't change the password and we deactivated all tests on the passwords, except the expiration timeout. But when the password is expired, the user must call tech support.
If you need the vbs script I can send it to you, but is a basic password change script.
And we also keeped all user management on the LDAP side (site changes, passwords changes, user creation and user deletion)

Dan
0
 

Author Comment

by:missymadi
ID: 34874452
Yes, could you please forward the script.

Thank you,
Missymadi
0
 
LVL 22

Accepted Solution

by:
dan_blagut earned 500 total points
ID: 34877373
You have here the scripts:

the target domain is : domain.local
the first password for a new user is P@ssw0rd

Dan

'Change password

Set objArgs = WScript.Arguments
' parametres: 0Site 1LastName 2FirstName 3passwd 
longname="cn="&objArgs(2)&" "&objArgs(1)
Set objUser = GetObject _
 ("LDAP://"&longname&",ou=Users,ou="&objArgs(0)&",dc=domain,dc=local")
objUser.SetPassword objArgs(3)

WScript.quit

'delete user



Set objArgs = WScript.Arguments
' parametres: 0Site 1LastName 2FirstName 3uid 4e-mail 
longname="cn="&objArgs(2)&" "&objArgs(1)
Set objOU = GetObject("LDAP://OU=Users,OU="&objArgs(0)&",dc=domain,dc=local")
objOU.Delete "User", longname

WScript.quit

'create user



Set objArgs = WScript.Arguments
' parametres: 0Site 1LastName 2FirstName 3uid 4e-mail 
longname="cn="&objArgs(2)&" "&objArgs(1)

Set objOU = GetObject("LDAP://OU=Users,OU="&objArgs(0)&",dc=domain,dc=local")
Set objUser = objOU.Create("User", longname)
objUser.Put "sAMAccountName", objArgs(3)
objUser.Put "mail", objArgs(4)
objUser.Put "physicalDeliveryOfficeName",objArgs(0)
objUser.SetInfo

objUser.SetPassword "P@ssw0rd"
objUser.AccountDisabled = False

objUser.SetInfo



WScript.quit

Open in new window

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question