change user account control

Posted on 2011-02-14
Medium Priority
Last Modified: 2012-05-11
I need a script that reads from a txt file (set of names) that i can drag and drop into a script that will enable Smart Card required. Can somebody help me with this please.

Thanks in advance
Question by:Skibo187
  • 4

Expert Comment

ID: 34891954
Can you be a bit more descriptive to what you need you question is not very clear.

Author Comment

ID: 34892375
I have a group of people that I need to have Smart Card is required for interactive logon. checked off, and I dont want to go thru each account and do it manually.So, I was wondering if anybody had a VB script that can check off Smart Card required on active directory for people accounts. Also, is there a way to have a  txt file with there names that i can drag into the script so it can read and make the changes for only those people accounts.

In other words, have a text file with peoples names whos accounts that need to be change. and drag it to the script so it can change Smart card logon.

Thanks again, hope this helps, let me know if you need any more input.

Author Comment

ID: 34910483
Here is a script that i found in this forum,and i am trying to do the same thing, I have to change several accounts in different OU, But not all of the same people in the same OU need Smart Card. One thing This script still wont work.


******************** Start Script *************************************************
Dim strFirstLetter ,strUName, intDo

'Change the first letter here
strFirstLetter = "M"

'Change the Domain name and OU here
Set objOU = GetObject _

For Each objUser In objOU
      strUName = objUser.Get("sn")
        intDo = 0
        intDo = Left(strUName,1)
      If intDo = strFirstLetter then
              intUAC = objUser.Get("userAccountControl")
                    If (intUAC AND ADS_UF_SMARTCARD_REQUIRED) = 0 Then
                                 objUser.Put "userAccountControl", intUAC XOR ADS_UF_SMARTCARD_REQUIRED
                     End If
            End If

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

LVL 13

Accepted Solution

Daz_1234 earned 2000 total points
ID: 35236108

Please try the script below.

It requires an input file containing usernames (sAMAccountNames / NT Logon names), one per line.  If you drag the input file onto the script it will begin.

It will log to a file in the same folder as the script - the log will be called <scriptname>.log

The script must be run logged on as a user with permissions to edit user objects (obviously a domain admin will do).

PLEASE PLEASE PLEASE PLEASE PLEASE test on test user accounts first many times before attempting to use this script on live user accounts.

Good luck,

If WScript.Arguments.Count < 1 Then
    strFile = InputBox ("Enter the full path to the input file of usernames:", "Enter File Path")
    If strFile = "" Then WScript.Quit
    strFile = WScript.Arguments(0)
    MsgBox strFile,,"Input File:"
End If

Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(strFile) Then
    MsgBox "Cannot find file '" & strFile & "'", vbCritical + vbSystemModal, "File not Found"
    WScript.Quit 1
End If

arrUsers = Split(fso.OpenTextFile(strFile, 1).ReadAll, vbCrlf)
strUsers = "¶" & Join(arrUsers, "¶") & "¶"

strCurrDir = Replace(WScript.ScriptFullName, WScript.ScriptName, "")
strLog = Replace(WScript.ScriptName, ".vbs", ".log")

Set tsLog = fso.OpenTextFile(strCurrDir & strLog, 8, True)
tsLog.WriteLine "### Starting Run at " & Now() & " ###"

'# ADO Init
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strConfig = objRootDSE.Get("configurationNamingContext")
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open = "ADProvider"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 900

strFilter = "(&(objectCategory=person))"

strAttributes = "distinguishedName,sAMAccountName, userAccountControl"

strBase = "<LDAP://" & strDNSDomain & ">"'
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery

Set objRecordSet = objCommand.Execute

blNone = True
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName")
    If InStr(1, strUsers, "¶" & strNTName & "¶", 1) <> 0 Then
        strDN = objRecordSet.Fields("distinguishedName")
        dblUAC = objRecordSet.Fields("userAccountControl")
        If Not dblUAC And SMARTCARD_REQUIRED Then
            Set objUser = GetObject("LDAP://" & strDN)
            objUser.Put "userAccountControl", dblUAC + SMARTCARD_REQUIRED
            tsLog.WriteLine "Changing account '" & strNTName & "'"
            blNone = False
            tsLog.WriteLine "User '" & strNTName & "' checked: Already set Ok"
        End If
    End If


If blNone Then
    tsLog.WriteLine "No Accounts amended."
    MsgBox "No Accounts amended."
    MsgBox "Done!"
End If

Open in new window


Author Comment

ID: 35311367
Ok will try this in few hours, being really careful on this one...

Author Closing Comment

ID: 35328028

Excellent it worked...Thank u Very Much.....

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question