Solved

How can I automate re-mapping of shares after a password change?

Posted on 2013-01-22
25
466 Views
Last Modified: 2013-01-31
Okay, so here's the scenario:

Non-domain Windows 7 computer, accessing AD domain shares with a valid AD account.
Shares are mapped with the "use other credentials" option.
Now when the user has to change their p/w for the domain, the computer is still storing the user's old credentials. So after the password change, the computer still tries to pass the old credentials, and this locks out the user's account due to the 3-bad-attempts security feature in AD.
* Note, I have no control over the AD settings for the domain where this PC is stationed.

While I could probably create a walk-through for the users to disconnect and re-map their shares, I would prefer to automate this if I can.

* if there is a better way than the following to deal with the situation then let me know.

So my current train of thought is to try and use some batch files to simplify the process.
I know I can use NET USE to delete and then re-map the shares, but I'm not sure how to pass the new password to the commands.
My understanding of the NET USE command is that unless you specify the credentials, it will attempt to pass current logged on user creds, and if they don't match the domain, it fails, so it will not prompt for valid (new) creds.

I'm thinking there is a way to ask for and pass the new password to the batch file, but I can't find what it is. My programming skills are very low, sorry.
I've seen several variations on scripts that ask for input and then put that into a variable, but I'm not seeing how I safely insert it into the middle of a command.

Thanks!
Question by:rstevens56
25 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 38806221
Let's say the mapped drive is X. Just put net use /d x: in a batch script and set it as a computer startup script.
0
 

Author Comment

by:rstevens56
ID: 38810040
That only deletes the shares, I need to remap them with the new credentials.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 38810131
OK, next line

net use X: "\\server\share" /USER:Domain\Username password /savecred /persistent:yes
0
 

Author Comment

by:rstevens56
ID: 38810411
Right, but I won't have their password, so I can't hard code it into the script, because they will have just changed it. So I need the script to prompt them for it, and then supply it to the script.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 38810577
without /USER:Domain\Username password /savecred should apply it with current user profile and password automatically

net use X: "\\server\share" /persistent:yes

without the password would prompt for password

net use X: "\\server\share" /USER:Domain\Username /savecred /persistent:yes
0
 

Author Comment

by:rstevens56
ID: 38811315
So I tried the command as you have it, and I get the error:
"A command was used with conflicting switches"
I removed the /savecred switch and it does prompt for the password. So that's a start.

I would still prefer to script it so it only asks for the password the one time, usually they have shares on 2-3 servers and each one would prompt for the password.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 38811364
Have you tried it without credentials

net use X: "\\server\share" /persistent:yes
0
 

Author Comment

by:rstevens56
ID: 38814198
If you don't specify credentials, it assumes the currently logged on user, which in my case is just a local machine account, not a domain account, so that attempt would automatically fail.

So the solution I need is to have a script that prompts the user for their new password, and inserts it into the net use command for me.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 38814223
Ok try it without the password or save cred.

net use X: "\\server\share" /USER:Domain\Username /persistent:yes
0
 
LVL 76

Expert Comment

by:arnold
ID: 38825650
You can not script something where information is changing especially where you have no control over the info.

Control keymgr.dll

Is a way to store credentials. The user could update those when they update their AD credentials.
0
 
LVL 32

Accepted Solution

by:
Robberbaron (robr) earned 500 total points
ID: 38825802
try this vbscript version.

1. save as a relogon.VBS file
2. open command prompt and type
cscript relogon.vbs

it asks for both the userid and password.  userid could be hardcoded if desired.

Dim objNetwork
Set objNetwork = WScript.CreateObject("WScript.Network")

Dim bPersist, sUser, sPassword
bPersist = True  'persist logon between sessions?

'-----------get inputs ------
Do While sUser = ""
  sUser = InputBox("Type in your username", "Recreate network shares")
Loop

'InputBox cannot mask input, so the password is visible while it is typed
Do While sPassword = ""
  sPassword = InputBox("Type in your password", "Recreate network shares")
Loop
'----- done inputs, don't accept blank ---

'---map the drives: drive letter, UNC path, persistent?, user, password
MapDriveShare "U:", "\\Diskstation\backup_zone", False, sUser, sPassword

MapDriveShare "Q:", "\\myserver\share2", True, sUser, sPassword

'quit
WScript.Quit
'-------------------
Sub MapDriveShare(DrvLetter, remoteUNC, PersistShare, User, Pwd)
  On Error Resume Next
  'remove any stale mapping first (force, and update the profile)
  objNetwork.RemoveNetworkDrive DrvLetter, True, True
  objNetwork.MapNetworkDrive DrvLetter, remoteUNC, PersistShare, User, Pwd
End Sub


tested to work on my home network.  Q: fails to be mapped naturally.
0
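The same single-prompt remap, written as an added PowerShell example rather than Robberbaron's VBScript. It is not code from the thread; the share list, the `DOMAIN\username` account and the server names are placeholders, and it assumes PowerShell 3.0 or later (for `New-PSDrive -Persist`). `Get-Credential` masks the password, `-Persist` is the PowerShell equivalent of `net use ... /persistent:yes`, and the loop stops at the first failed mapping so that one mistyped password is counted once by the domain controller instead of once per server.

```powershell
# Added example (not from the thread): prompt once, then remap every share.
# Assumed/placeholder values: the share list and the account name below.
$Shares = @(
    @{ Letter = 'U'; Path = '\\Diskstation\backup_zone' },
    @{ Letter = 'Q'; Path = '\\myserver\share2' }
)
$User = 'DOMAIN\username'   # static, as the asker wants; only the password is asked for

# One prompt for the whole run; the password never lands in a batch file or the command history.
$Cred = Get-Credential -UserName $User -Message 'Enter your NEW domain password'
if (-not $Cred) { Write-Warning 'Cancelled, nothing mapped.'; exit 1 }

foreach ($s in $Shares) {
    # Drop any stale mapping first so the old credential is not reused for this server.
    if (Get-PSDrive -Name $s.Letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $s.Letter -Force
    }
    net use "$($s.Letter):" /delete /y 2>$null | Out-Null

    try {
        New-PSDrive -Name $s.Letter -PSProvider FileSystem -Root $s.Path `
            -Credential $Cred -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-Host "Mapped $($s.Letter): -> $($s.Path)"
    }
    catch {
        Write-Warning "Failed to map $($s.Letter): ($($s.Path)): $($_.Exception.Message)"
        # Stop here: every further attempt with the same wrong password would add
        # another bad-password count toward the AD lockout threshold.
        break
    }
}
```

Save it as, for example, `Remap-Shares.ps1` and call it from the desktop batch file with `powershell -ExecutionPolicy Bypass -File Remap-Shares.ps1`. The `break` on first failure is the part that matters for the lockout problem described in the question: with three servers and a wrong password, the VBScript's `On Error Resume Next` silently makes three bad attempts.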
 
LVL 32

Expert Comment

by:Robberbaron (robr)
ID: 38825806
main advantage of vbscript over batch is the ability to get user input and test it.

the command
cscript relogon.vbs
can be placed in a batch file to make calling the script easier.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38826238
Hi, by the sound of it, I think the cmdkey.exe tool is going to be useful here.

When you "save" the credentials to a shared drive, the server is treated as a "resource".  cmdkey.exe allows you to store passwords for resources, the same that are entered in the user accounts management console.  You can open the Control Panel, and search for the "Credential Manager".

To see the same details with cmdkey.exe, at a command prompt, type
cmdkey /list

So, to modify the password for your servers, type
cmdkey /add:adservername /user:yourusername /pass:yourpassword

Running this each time your password changes should allow the servers to be reconnected.

Regards,

Rob.
0
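RobSampson's cmdkey approach, scripted so the user types the new password once for all servers. This is an added example, not his code; the server names and the `DOMAIN\username` account are placeholders, and it assumes PowerShell 3.0 or later. The stale entry is deleted before the new one is added, so Windows cannot keep retrying the old password against that server.

```powershell
# Added example (not from the thread): refresh the Credential Manager entries
# for several servers from one prompt, then show what is stored.
$Servers = @('fileserver1', 'fileserver2')   # placeholders: use the targets shown by "cmdkey /list"
$User    = 'DOMAIN\username'                  # placeholder

$Cred = Get-Credential -UserName $User -Message 'Enter your NEW domain password'
if (-not $Cred) { exit 1 }

# cmdkey only accepts the password as a plain-text argument, so it is unwrapped
# here and discarded right after use.
$Plain = $Cred.GetNetworkCredential().Password

foreach ($srv in $Servers) {
    # Remove the old entry first; an unchanged stale entry is exactly what
    # triggers the repeated bad-password attempts at logon.
    cmdkey "/delete:$srv" | Out-Null
    $result = cmdkey "/add:$srv" "/user:$User" "/pass:$Plain"
    if ($LASTEXITCODE -ne 0) { Write-Warning "cmdkey failed for $srv`: $result" }
}

$Plain = $null
Remove-Variable Plain

# Verify: cmdkey lists targets and user names only, never the passwords.
cmdkey /list
```

Two caveats a practitioner should keep in mind: `cmdkey` receives the password on its command line, so it is briefly visible in process listings on that machine, and a password containing a double quote or other shell-sensitive characters may need quoting before it is passed.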
 

Author Comment

by:rstevens56
ID: 38832411
@robberbaron:

Okay, that looks like what I might be looking for. But I don't know vbscript.
The username will be static, so how do I statically assign the username?
And on the two different map commands you have, one has a true in it, and the other a false, what is that for?
0
 
LVL 76

Expert Comment

by:arnold
ID: 38833273
The username is known to the system as %USERNAME% in the environment.
0
 
LVL 32

Expert Comment

by:Robberbaron (robr)
ID: 38835010
1. %USERNAME% is the local user, you may want to connect drives using an account on the server. eg domainuser

2. for static userid replace
'-----------get inputs ------
do while sUser=""
  sUser = InputBox("Type in your username","Recreate network shares")
loop

with
'-----------get inputs ------
sUser="WhoKnows"


3. that variable in the Map function represents the PersistShare parameter.  ie do you want to automatically reconnect on next restart or logon.  i suspect you want that to be True.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38835104
The problem that is implicit in the asker's question deals with the request/requirement that the user be prompted only once when the credentials expire rather than every time they login and the drives are mapped.

The possible inclusion of a test to check for the mapped drive and in its absence, prompt the user as was provided in prior comments.  However, the absence of a VPN connection would also trigger these prompts.

The problem though, is that the AD account will be locked prior to the detection mechanism and remapping/prompting for new credentials will be attempted.

Possibly incorporating the mapping as a login/startup script as a substitute to persistent mapping.
This way the script can on the first attempt detect that the credentials have changed (taking into account that the check should include a determination whether the system is on the corporate LAN or VPN is active before prompting the user for new credentials where the credentials need to be stored in encrypted form.)
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38838815
What about using CmdKey.exe, or even the manual GUI of "Credential Manager"?  If you just change the password for the resources whenever the AD password changes, it should work fine....
0
 
LVL 76

Expert Comment

by:arnold
ID: 38839253
The asker wants the transition/update "automatic" and without the account getting locked by a DC following too many failed auth attempts.
0
 

Author Comment

by:rstevens56
ID: 38840365
@arnold, I wouldn't say "automatic" so much as "automated" because I have to prompt the user for their new password.  But otherwise you are correct.
@robsampon, what arnold said. But I am thankful to have learned about CmdKey from you, that will be useful later.

So I have successfully modified the script that Robberbaron provided and it successfully mapped the drives, but when I checked persistence with a reboot, the account got locked out for some reason. I'm looking into that, but since it's not my domain, I can't look into the security logs. So I will have to wait on that.

My objective with this post was to get a script that would do the mapping, so I am considering this question "answered" by robberbaron.

Thank you everyone for your help.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38840474
As long as the mapping is automatic/persistent, upon logon the mapping will be attempted until the account is locked out.  This is why I suggested you use the script provided to attempt a mapping. If it fails you can presume that the credentials are invalid and prompt the user for the new credentials.
You must take all other suggestions into account, i.e. the system, if mobile, is not on the LAN and a VPN is not established.

Test whether a manual mapping
net use X: \\remoteserver\remoteshare password /user:addomain\user
is seen as a single attempt that responds with an error invalid credentials.
if prompted for reentering of credentials/password, do not respond ctrl-C
or whether this single attempt will lock the account as well.
Usually 5 failed attempts within a short period of time is the common lockout policy.
0
 

Author Comment

by:rstevens56
ID: 38840915
-Arnold, okay, let's back up, I'm not sure if we are on the same page.

In my scenario, the script will not be a logon script, the script will be run manually only as needed about once a month. It will be run via a batch file sitting on the users desktop.

But before that, the user will have run a batch file to disconnect all current shares, that's easy. So now they have no shares of any kind.
Next they will use a website to conduct a password change. (Remember the computer they are on is NOT on the domain)
Then they will run the script I am building to request their new password and then re-map the drives accordingly.

note: They are not using a VPN, they are directly connected to the physical network, just not a member of the Domain.

So yesterday I ran a test...
At the time there were no shares existing on the PC
So I ran the listed script (from robberbaron) and it successfully mapped all 3 of the shares I had in the script.
But when I rebooted the computer to check for persistence, somewhere during the login, the domain account got locked out, so the mappings had retained persistence, but somehow something caused the domain account to get locked out.

Am I misunderstanding what you are saying? Cause it sounds like you are referring to having this script run as a logon script, and I'm not looking to do that.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38841034
I understand what you want to achieve.
1) a user always gets access to a mapped set of drives on a workgroup computer to a share from an AD member with AD credentials
2) since the user must update their AD credentials every so often, you want the mapping to prompt the user for the new credentials  (presumably you would like this change to occur without the account locking out.)

The use of the keymgr.dll and a script at the same time.  My guess is that on reboot the credentials stored in the keystore were used and being incorrect, locked the account.

Setting the combination of the scripts provided as a logon could achieve a mechanism where the user has minimal interaction and the issue will be transparent/automatic.
http://stackoverflow.com/questions/7663219/how-to-authenticate-an-user-in-activedirectory-with-powershell

The username/password would need to be stored in a "secure"
http://www.techrepublic.com/blog/networking/powershell-code-to-store-user-credentials-encrypted-for-re-use/5817
http://stackoverflow.com/questions/6239647/using-powershell-credentials-without-being-prompted-for-a-password
Ref items dealing with storing the credentials in a secure way i.e. some using an encrypt/decrypt another uses a one way encryption.
0
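An added PowerShell example of the detection-and-store pattern arnold describes (not code from the thread or from the linked pages): the credential is kept in a DPAPI-protected file via `Export-Clixml`, the server is checked for reachability before any logon attempt so an absent LAN/VPN does not cause a prompt, and exactly one mapping attempt is made to decide whether the stored password is still valid. The share, server and account values are placeholders; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): store the credential encrypted (DPAPI,
# bound to this Windows user on this machine) and re-prompt only when it has
# actually stopped working. Placeholder values below.
$CredFile  = Join-Path $env:LOCALAPPDATA 'domain-share.cred.xml'
$ProbeRoot = '\\myserver\share1'       # placeholder: one share to test the credential against
$User      = 'DOMAIN\username'         # placeholder
$Server    = ($ProbeRoot -split '\\')[2]   # host name out of the UNC path

function Get-StoredCredential {
    # Export-Clixml protects the SecureString with DPAPI; another user or another
    # machine cannot decrypt the file, and it holds no plain-text password.
    if (Test-Path $CredFile) { return Import-Clixml $CredFile }
    return $null
}

function Save-Credential([pscredential]$c) { $c | Export-Clixml $CredFile }

function Test-ShareCredential([pscredential]$c) {
    # Exactly one logon attempt against one server: a stale password costs one
    # bad-password count, not one per share, and the probe drive is removed again.
    try {
        New-PSDrive -Name 'ProbeShare' -PSProvider FileSystem -Root $ProbeRoot `
            -Credential $c -ErrorAction Stop | Out-Null
        Remove-PSDrive -Name 'ProbeShare' -Force
        return $true
    } catch { return $false }
}

# arnold's caveat: off the LAN/VPN the server is unreachable, which is not a
# password problem, so do not prompt in that case at all.
if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
    Write-Warning "$Server is not reachable; skipping credential check."
    exit 2
}

$Cred = Get-StoredCredential
if ($Cred -and (Test-ShareCredential $Cred)) {
    Write-Host 'Stored credential still valid; no prompt needed.'
} else {
    # Nothing stored yet, or the stored password is stale because it was changed
    # on the domain: ask once, verify, and only then overwrite the stored copy.
    $Cred = Get-Credential -UserName $User -Message 'Enter your NEW domain password'
    if ($Cred -and (Test-ShareCredential $Cred)) {
        Save-Credential $Cred
        Write-Host 'New credential verified and stored.'
    } else {
        Write-Warning 'Credential rejected; not stored. Check the password before running again.'
        exit 1
    }
}
# $Cred is now known-good and can be passed to New-PSDrive -Persist for each share.
```

Run as a logon script this gives the "prompt only once, when the password really changed" behaviour arnold is after, and the single probe plus the reachability check are what keep it from burning through the lockout threshold. Note that `Test-Connection` relies on ICMP; if the file server does not answer ping, substitute a TCP check on port 445.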
