rstevens56 asked:
How can I automate re-mapping of shares after a password change?

Okay, so here's the scenario:

Non-domain Windows 7 computer, accessing AD domain shares with a valid AD account.
Shares are mapped with the "use other credentials" option.
Now when the user has to change p/w for the domain, the computer is still storing the user's old credentials. So after the password change, the computer still tries to pass the old credentials and this locks out the user's account due to the 3 bad attempts security feature in AD.
* Note, I have no control over the AD settings for the domain where this PC is stationed.

While I could probably create a walk-through for the users to disconnect and re-map their shares, I would prefer to automate this if I can.

* if there is a better way than the following to deal with the situation then let me know.

So my current train of thought is to try and use some batch files to simplify the process.
I know I can use NET USE to delete and then re-map the shares, but I'm not sure how to pass the new password to the commands.
My understanding of the NET USE command is that unless you specify the credentials, it will attempt to pass current logged on user creds, and if they don't match the domain, it fails, so it will not prompt for valid (new) creds.

I'm thinking there is a way to ask for and pass the new password to the batch file, but I can't find what it is. My programming skills are very low, sorry.
I've seen several variations on scripts that ask for input and then put that into a variable, but I'm not seeing how I safely insert it into the middle of a command.

Thanks!
Gabriel Clifton:
Let's say the mapped drive is X. Just put net use /d x: in a batch script and set it as a computer startup script.
rstevens56 (asker):
That only deletes the shares, I need to remap them with the new credentials.
OK, next line

net use X: "\\server\share" /USER:Domain\Username password /savecred /persistent:yes
Right, but I won't have their password, so I can't hard code it into the script, because they will have just changed it. So I need the script to prompt them for it, and then supply it to the script.
without /USER:Domain\Username password /savecred should apply it with current user profile and password automatically

net use X: "\\server\share" /persistent:yes

without the password would prompt for password

net use X: "\\server\share" /USER:Domain\Username /savecred /persistent:yes
So I tried the command as you have it, and I get the error:
"A command was used with conflicting switches"
I removed the /savecred switch and it does prompt for the password. So that's a start.

I would still prefer to script it so it only asks for the password the one time, usually they have shares on 2-3 servers and each one would prompt for the password.
Have you tried it without credentials

net use X: "\\server\share" /persistent:yes
If you don't specify credentials, it assumes the currently logged on user, which in my case is just a local machine account, not a domain account, so that attempt would automatically fail.

So the solution I need is to have a script that prompts the user for their new password, and inserts it into the net use command for me.
Ok try it without the password or save cred.

net use X: "\\server\share" /USER:Domain\Username /persistent:yes
arnold:
You can not script something where information is changing especially where you have no control over the info.

Control keymgr.dll

Is a way to store credentials. The user could update those when they update their AD credentials.
ASKER CERTIFIED SOLUTION
Robberbaron (robr):
main advantage of vbscript over batch is the ability to get user input and test it.

the line
cscript relogon.vbs
can be placed in a batch file to make calling the script easier.
Hi, by the sound of it, I think the cmdkey.exe tool is going to be useful here.

When you "save" the credentials to a shared drive, the server is treated as a "resource".  cmdkey.exe allows you to store passwords for resources, the same that are entered in the user accounts management console.  You can open the Control Panel, and search for the "Credential Manager".

To see the same details with cmdkey.exe, at a command prompt, type
cmdkey /list

So, to modify the password for your servers, type
cmdkey /add:adservername /user:yourusername /pass:yourpassword

Running this each time your password changes should allow the servers to be reconnected.

Regards,

Rob.
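As an added example (this is not code from the thread or from Rob), here is a PowerShell script that does the cmdkey update for several servers after a single prompt. It assumes Windows 7 with PowerShell 2.0 or later and the built-in cmdkey.exe; the server names and the CORP\jdoe account are placeholders. It deletes the old entry before adding the new one, because the stale entry is exactly what keeps presenting the expired password to the domain. One caveat: /pass: puts the password on cmdkey's command line, where other local processes or command-line auditing can see it for the moment cmdkey runs; the Credential Manager GUI does not have that exposure.

```powershell
# Added example, not code from the thread: refresh the Credential Manager
# entries that cmdkey manages for a list of servers after an AD password change,
# asking for the new password once. Assumes Windows 7 with PowerShell 2.0 or
# later and the built-in cmdkey.exe. Server names and the account are placeholders.

$Servers  = @('fileserver1', 'fileserver2')   # placeholder: the AD servers holding the shares
$UserName = 'CORP\jdoe'                       # placeholder: the domain account used for the shares

# Parse the "Target:" lines of "cmdkey /list" into plain target names.
# Entries look like "    Target: Domain:target=fileserver1".
function Get-StoredCredentialTarget {
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(?:\w+:target=)?(\S.*?)\s*$') { $Matches[1] }
    }
}

# Replace (or create) the stored entry for one server. The old entry is deleted
# first so that nothing on this machine keeps retrying the expired password,
# which is what drives the AD lockout counter.
function Set-ServerCredential([string]$Server, [string]$User, [string]$Password) {
    $stored = @(Get-StoredCredentialTarget)
    if ($stored -contains $Server) {
        cmdkey "/delete:$Server" | Out-Null
    }
    # Note: /pass puts the password on cmdkey's command line, where other
    # local processes (and command-line auditing) can observe it briefly.
    cmdkey "/add:$Server" "/user:$User" "/pass:$Password" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Prompt once, without echo; the plain text exists only for the cmdkey calls.
$secure = Read-Host -Prompt "New AD password for $UserName" -AsSecureString
$plain  = (New-Object System.Management.Automation.PSCredential($UserName, $secure)).GetNetworkCredential().Password

foreach ($server in $Servers) {
    if (Set-ServerCredential -Server $server -User $UserName -Password $plain) {
        Write-Host "Updated stored credential for $server"
    } else {
        Write-Warning "cmdkey failed for $server; check 'cmdkey /list'"
    }
}
Remove-Variable plain, secure

# Show what is now stored, the same view as the Credential Manager control panel.
Get-StoredCredentialTarget
```

Run it from a PowerShell prompt as the user whose drives are affected; Credential Manager entries are per user profile, so running it elevated as a different account would update the wrong store.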
@robberbaron:

Okay, that looks like what I might be looking for. But I don't know vbscript.
The username will be static, so how do I statically assign the username?
And on the two different map commands you have, one has a true in it, and the other a false, what is that for?
The username is known to the system as %USERNAME% in the environment.
1. %USERNAME% is the local user, you may want to connect drives using an account on the server. eg domainuser

2. for static userid replace
'-----------get inputs ------
do while sUser=""
  sUser = InputBox("Type in your username","Recreate network shares")
loop

with
'-----------get inputs ------
sUser="WhoKnows"


3. that variable in the Map function represents the PersistShare parameter.  ie do you want to automatically reconnect on next restart or logon.  i suspect you want that to be True.
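As an added example, not Robberbaron's relogon.vbs and not code from anyone in the thread, here is the same "ask once, then map every share" idea in PowerShell, using the WScript.Network object that a VBScript Map function also uses (its third argument is the PersistShare flag discussed above). It assumes Windows 7 with PowerShell 2.0 or later; the CORP\jdoe account and the share list are placeholders. Because the password is handed to the COM call in-process, it never appears on a command line. The script stops at the first failed mapping on purpose: one rejected logon is a typo, three in a row is a locked account.

```powershell
# Added example, not the VBScript from the thread: PowerShell version of the
# "prompt once, map several shares" approach via WScript.Network. Assumes
# Windows 7 with PowerShell 2.0 or later. Account and shares are placeholders.

$UserName = 'CORP\jdoe'                 # static account (placeholder), as in point 2 above
$Shares = @{                            # placeholder drive letter -> UNC path
    'X:' = '\\fileserver1\data'
    'Y:' = '\\fileserver1\projects'
    'Z:' = '\\fileserver2\archive'
}
$Persist = $true   # the PersistShare / bUpdateProfile flag: reconnect at next logon

$net = New-Object -ComObject WScript.Network

# Prompt exactly once, without echo; decode only for the COM call.
$secure = Read-Host -Prompt "New AD password for $UserName" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)
$plain  = $cred.GetNetworkCredential().Password

# Drop any existing mapping for our drive letters first, so the credential
# remembered with the old mapping is not retried by Windows.
# EnumNetworkDrives returns a flat list: local name, remote name, local name, ...
$existing = $net.EnumNetworkDrives()
for ($i = 0; $i -lt $existing.Count; $i += 2) {
    $letter = $existing.Item($i)
    if ($Shares.ContainsKey($letter)) {
        $net.RemoveNetworkDrive($letter, $true, $true)   # force, update profile
        Write-Host "Removed old mapping $letter"
    }
}

foreach ($drive in $Shares.Keys) {
    try {
        $net.MapNetworkDrive($drive, $Shares[$drive], $Persist, $UserName, $plain)
        Write-Host "Mapped $drive -> $($Shares[$drive])"
    } catch {
        Write-Warning "Mapping $drive failed: $($_.Exception.Message)"
        # One failure means the typed password was rejected; stop here rather
        # than repeating the bad logon against the remaining servers.
        break
    }
}
Remove-Variable plain, secure
```

Save it as remap.ps1 and call it from the desktop batch file with `powershell -ExecutionPolicy Bypass -File remap.ps1`, the same way the thread wraps cscript relogon.vbs.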
The problem that is implicit in the asker's question deals with the request/requirement that the user be prompted only once when the credentials expire rather than every time they login and the drives are mapped.

The possible inclusion of a test to check for the mapped drive and in its absence, prompt the user as was provided in prior comments.  However, the absence of a VPN connection would also trigger these prompts.

The problem though is that the AD account will be locked prior to the detection mechanism and remapping/prompting for new credentials will be attempted.

Possibly incorporating the mapping as a login/startup script as a substitute to persistent mapping.
This way the script can on the first attempt detect that the credentials have changed (taking into account that the check should include a determination whether the system is on the corporate LAN or VPN is active before prompting the user for new credentials where the credentials need to be stored in encrypted form.)
What about using CmdKey.exe, or even the manual GUI of "Credential Manager"?  If you just change the password for the resources whenever the AD password changes, it should work fine....
The asker wants the transition/update "automatic" and without the account getting locked by a DC following to many failed auth attempts.
@arnold, I wouldn't say "automatic" so much as "automated" because I have to prompt the user for their new password.  But otherwise you are correct.
@robsampon, what arnold said. But I am thankful to have learned about CmdKey from you, that will be useful later.

So I have successfully modified the script that Robberbaron provided and it successfully mapped the drives, but when I checked persistence with a reboot, the account got locked out for some reason. I'm looking into that, but since it's not my domain, I can't look into the security logs. So I will have to wait on that.

My objective with this post was to get a script that would do the mapping, so I am considering this question "answered" by robberbaron.

Thank you everyone for your help.
As long as the mapping is automatic/persistent, upon logon the mapping will be attempted until the account is locked out.  This is why I suggested you use the script provided to attempt a mapping. If it fails you can presume that the credentials are invalid and prompt the user for the new credentials.
You must take all other suggestions into account, i.e. the system, if mobile, is not on the LAN and a VPN is not established.

Test whether a manual mapping
net use X: \\remoteserver\remoteshare password /user:addomain\user
is seen as a single attempt that responds with an error invalid credentials.
if prompted for reentering of credentials/password, do not respond ctrl-C
or whether this single attempt will lock the account as well.
Usually 5 failed attempts within a short period of time is the common lockout policy.
-Arnold, okay, let's back up, I'm not sure if we are on the same page.

In my scenario, the script will not be a logon script, the script will be run manually only as needed about once a month. It will be run via a batch file sitting on the users desktop.

But before that, the user will have run a batch file to disconnect all current shares, that's easy. So now they have no shares of any kind.
Next they will use a website to conduct a password change. (Remember the computer they are on is NOT on the domain)
Then they will run the script I am building to request their new password and then re-map the drives accordingly.

note: They are not using a VPN, they are directly connected to the physical network, just not a member of the Domain.

So yesterday I ran a test...
At the time there were no shares existing on the PC
So I ran the listed script (from robberbaron) and it successfully mapped all 3 of the shares I had in the script.
But when I rebooted the computer to check for persistence, somewhere during the login, the domain account got locked out, so the mappings had retained persistence, but somehow something caused the domain account to get locked out.

Am I misunderstanding what you are saying? Cause it sounds like you are referring to having this script run as a logon script, and I'm not looking to do that.
I understand what you want to achieve.
1) a user always gets access to a mapped set of drives on a workgroup computer to a share from an AD member with AD credentials
2) since the user must update their AD credentials every so often, you want the mapping to prompt the user for the new credentials  (presumably you would like this change to occur without the account locking out.)

The use of the keymgr.dll and a script at the same time.  My guess is that on reboot the credentials stored in the keystore were used and being incorrect, locked the account.

Setting the combination of the scripts provided as a logon could achieve a mechanism where the user has minimal interaction and the issue will be transparent/automatic.
http://stackoverflow.com/questions/7663219/how-to-authenticate-an-user-in-activedirectory-with-powershell

The username/password would need to be stored in a "secure"
http://www.techrepublic.com/blog/networking/powershell-code-to-store-user-credentials-encrypted-for-re-use/5817
http://stackoverflow.com/questions/6239647/using-powershell-credentials-without-being-prompted-for-a-password
Ref items dealing with storing the credentials in a secure way i.e. some using an encrypt/decrypt another uses a one way encryption.
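As an added example, not code from the thread, from arnold, or from the linked pages, here is the logon-time flow arnold describes in his last two posts in PowerShell: check that the server is reachable before touching it (the LAN/VPN point), map the share with a credential kept in a file that Export-Clixml protects with DPAPI for the current user, and only when that credential is rejected ask the user once and retry once. It assumes Windows 7 with PowerShell 2.0 or later; the server, share, drive letter and CORP\jdoe account are placeholders. Distinguishing "wrong password" from "server unavailable" uses the Win32 codes carried in the COM error (86 and 1326), so a network outage does not trigger a prompt.

```powershell
# Added example, not code from the thread: logon-time mapping in the shape
# arnold describes. Reachability check, DPAPI-protected stored credential,
# one prompt only when the stored credential is rejected, one retry, no loop.
# Placeholders: server, share, drive letter, account. Assumes Windows 7 with
# PowerShell 2.0 or later.

$Server   = 'fileserver1'                                   # placeholder
$Share    = "\\$Server\data"                                # placeholder
$Drive    = 'X:'                                            # placeholder
$UserName = 'CORP\jdoe'                                     # placeholder
$CredFile = Join-Path $env:LOCALAPPDATA 'share-credential.xml'

# Win32 codes that mean "the password is wrong" rather than "network is down".
$CredentialErrors = @(86, 1326)   # ERROR_INVALID_PASSWORD, ERROR_LOGON_FAILURE

# Reachability on TCP 445 (SMB). No authentication happens here, so a laptop
# that is off the LAN with no VPN simply skips the mapping without a prompt.
function Test-SmbReachable([string]$HostName, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, 445, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# A COM failure from WScript.Network carries HRESULT 0x8007xxxx; the low
# 16 bits are the Win32 error code.
function Get-Win32Code($ErrorRecord) {
    $inner = $ErrorRecord.Exception.InnerException
    if ($inner -is [System.Runtime.InteropServices.COMException]) {
        return ($inner.ErrorCode -band 0xFFFF)
    }
    return -1
}

# Non-persistent mapping (bUpdateProfile = $false): this script, not the user
# profile, owns the connection, so nothing replays a stale password at logon.
function Connect-Share([System.Management.Automation.PSCredential]$Credential) {
    $net = New-Object -ComObject WScript.Network
    $drives = $net.EnumNetworkDrives()
    for ($i = 0; $i -lt $drives.Count; $i += 2) {
        if ($drives.Item($i) -eq $Drive) { return }   # already connected, nothing to do
    }
    $net.MapNetworkDrive($Drive, $Share, $false, $Credential.UserName,
                         $Credential.GetNetworkCredential().Password)
}

if (-not (Test-SmbReachable $Server)) {
    Write-Host "$Server is not reachable on port 445; not mapping $Drive."
    return
}

# Export-Clixml encrypts the SecureString with DPAPI for this user on this
# machine, so the file is useless to other accounts or other computers.
$cred = if (Test-Path $CredFile) { Import-Clixml $CredFile } else { Get-Credential $UserName }

try {
    Connect-Share $cred
} catch {
    if ($CredentialErrors -notcontains (Get-Win32Code $_)) { throw }
    # Exactly one failed logon so far. Ask once, retry once, never loop: the
    # lockout threshold (3 bad attempts in the asker's domain) must not be reached.
    Write-Warning "The stored password for $UserName was rejected; enter the new one."
    $cred = Get-Credential $UserName
    Connect-Share $cred
}

# Reaching this point means the credential worked; keep it for the next logon.
$cred | Export-Clixml $CredFile
Write-Host "Mapped $Drive to $Share"
```

If the second attempt also fails the script throws and stops, which leaves the account at two bad attempts; the user then fixes the password by hand rather than the script trying a third time. The stored file only decrypts under the same Windows account on the same machine, which is the "stored in encrypted form" requirement from the earlier post.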