change user account control

Posted on 2011-02-14
Last Modified: 2012-05-11
I need a script that reads from a txt file (set of names) that i can drag and drop into a script that will enable Smart Card required. Can somebody help me with this please.

Thanks in advance
Question by:Skibo187
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4

Expert Comment

ID: 34891954
Can you be a bit more descriptive to what you need you question is not very clear.

Author Comment

ID: 34892375
I have a group of people that I need to have Smart Card is required for interactive logon. checked off, and I dont want to go thru each account and do it manually.So, I was wondering if anybody had a VB script that can check off Smart Card required on active directory for people accounts. Also, is there a way to have a  txt file with there names that i can drag into the script so it can read and make the changes for only those people accounts.

In other words, have a text file with peoples names whos accounts that need to be change. and drag it to the script so it can change Smart card logon.

Thanks again, hope this helps, let me know if you need any more input.

Author Comment

ID: 34910483
Here is a script that i found in this forum,and i am trying to do the same thing, I have to change several accounts in different OU, But not all of the same people in the same OU need Smart Card. One thing This script still wont work.

******************** Start Script *************************************************
Dim strFirstLetter ,strUName, intDo

'Change the first letter here
strFirstLetter = "M"

'Change the Domain name and OU here
Set objOU = GetObject _

For Each objUser In objOU
      strUName = objUser.Get("sn")
        intDo = 0
        intDo = Left(strUName,1)
      If intDo = strFirstLetter then
              intUAC = objUser.Get("userAccountControl")
                    If (intUAC AND ADS_UF_SMARTCARD_REQUIRED) = 0 Then
                                 objUser.Put "userAccountControl", intUAC XOR ADS_UF_SMARTCARD_REQUIRED
                     End If
            End If

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 13

Accepted Solution

Daz_1234 earned 500 total points
ID: 35236108

Please try the script below.

It requires an input file containing usernames (sAMAccountNames / NT Logon names), one per line.  If you drag the input file onto the script it will begin.

It will log to a file in the same folder as the script - the log will be called <scriptname>.log

The script must be run logged on as a user with permissions to edit user objects (obviously a domain admin will do).

PLEASE PLEASE PLEASE PLEASE PLEASE test on test user accounts first many times before attempting to use this script on live user accounts.

Good luck,

If WScript.Arguments.Count < 1 Then
    strFile = InputBox ("Enter the full path to the input file of usernames:", "Enter File Path")
    If strFile = "" Then WScript.Quit
    strFile = WScript.Arguments(0)
    MsgBox strFile,,"Input File:"
End If

Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(strFile) Then
    MsgBox "Cannot find file '" & strFile & "'", vbCritical + vbSystemModal, "File not Found"
    WScript.Quit 1
End If

arrUsers = Split(fso.OpenTextFile(strFile, 1).ReadAll, vbCrlf)
strUsers = "¶" & Join(arrUsers, "¶") & "¶"

strCurrDir = Replace(WScript.ScriptFullName, WScript.ScriptName, "")
strLog = Replace(WScript.ScriptName, ".vbs", ".log")

Set tsLog = fso.OpenTextFile(strCurrDir & strLog, 8, True)
tsLog.WriteLine "### Starting Run at " & Now() & " ###"

'# ADO Init
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strConfig = objRootDSE.Get("configurationNamingContext")
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open = "ADProvider"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 900

strFilter = "(&(objectCategory=person))"

strAttributes = "distinguishedName,sAMAccountName, userAccountControl"

strBase = "<LDAP://" & strDNSDomain & ">"'
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery

Set objRecordSet = objCommand.Execute

blNone = True
Do Until objRecordSet.EOF
    strNTName = objRecordSet.Fields("sAMAccountName")
    If InStr(1, strUsers, "¶" & strNTName & "¶", 1) <> 0 Then
        strDN = objRecordSet.Fields("distinguishedName")
        dblUAC = objRecordSet.Fields("userAccountControl")
        If Not dblUAC And SMARTCARD_REQUIRED Then
            Set objUser = GetObject("LDAP://" & strDN)
            objUser.Put "userAccountControl", dblUAC + SMARTCARD_REQUIRED
            tsLog.WriteLine "Changing account '" & strNTName & "'"
            blNone = False
            tsLog.WriteLine "User '" & strNTName & "' checked: Already set Ok"
        End If
    End If


If blNone Then
    tsLog.WriteLine "No Accounts amended."
    MsgBox "No Accounts amended."
    MsgBox "Done!"
End If

Open in new window


Author Comment

ID: 35311367
Ok will try this in few hours, being really careful on this one...

Author Closing Comment

ID: 35328028

Excellent it worked...Thank u Very Much.....

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Modify Permissions 19 66
2008 R2 unable to browse website but nslookup works 5 75
windows Server 2003 in 2017 10 76
Decommissioning DNS server question 3 37
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question