?
Solved

Powershell - Set Passwort depend on group membership or AD - Attributes

Posted on 2013-05-31
7
Medium Priority
?
595 Views
Last Modified: 2013-06-03
hi,

i like to check some attributes in AD and depend on the result, i like
to RESET the password or not

1. AD Attribute CannotChangePassword = false               then PW-RESET
2. User member of GROUP "ADG" = false                       then PW-RESET
3.User has in CSV column action "AdAccount" = true      then PW-RESET

Here only the part of the script:


 
 
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {}  # from CSV
  
$PW = (Get-ADUser -identity $user.userid -properties * ) | Select-Object CannotChangePassword
If ($PW -like "false") {  

$GROUP = (Get-ADUser -identity $user.userid  -Properties *).MemberOf -split (",")
If ($group -like "false") {  

$NewPassword = $user.userid.Insert(5,"$")
$NewPassword = $newPassword.Insert(3,"C")
$NewPassword = $newPassword.Remove(0, 1)
$newPassword = $newPassword.Insert(0,"Z")        
Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                           
                                                          
} else {
                               
{$_.Version -eq "MSXC2010" -and $_.action -eq "AdAccount"} {
                              
$NewPassword = $user.UserId.Insert(5,"!")
$NewPassword = $newPassword.Insert(3,"k")
$NewPassword = $newPassword.Remove(0, 1)
$newPassword = $newPassword.Insert(0,"P")        
Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                              
                               }

            }

Open in new window



My script still not working. Could anybody help?

appreciate for your help
mandy
0
Comment
Question by:Mandy_
  • 4
  • 3
7 Comments
 
LVL 41

Expert Comment

by:footech
ID: 39212026
You can change lines 4-5 like below.
$PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
If ($PW -eq "$false") {

Open in new window

You can change lines 7-8 like below.
$GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
If (!($GROUP)) {

Open in new window


You already have the portion for #3.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39212655
Hi footech, hi ,

thank you for your answer. I recreate the script as you can see  below. Unfortunately
i can move to Group or not or set AD "CannotChangePassword" the password
will be reset.

What i exactly want is:

1. If for one or more of the User the Attribute "CannotChangePassword" are set (true)
No PW-RESET ! All other User PW-RESET !

2. If one or more of the User are Member of the Group "ADG" - No PW-RESET
all other user PW-RESET


We come into the script with all user because all user always in the CSV has the value "MSCX2010"

Then we ask
If 1 and 2 are true - NO PW RESET
If only one True - NO PW RESET
If all false - PW-RESET

In the 2nd Part we asked only for the CSV value "ADAccount" in action if this true = PW-RESET
Never has a user with "ADACCOUNT" a MailboxAccount or is group member or has
set the Passwort Attribute "CannotChangePassword"

 
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} { 
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq "$true") {
                                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ASG" }
                                 If (!($GROUP)) {
                               
                               $NewPassword = $user.userid.Insert(5,"$")
                               $NewPassword = $newPassword.Insert(3,"L")
                               $NewPassword = $newPassword.Remove(0, 1)
                               $newPassword = $newPassword.Insert(0,"Z")        
                               Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                               write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                               $searcher=New-Object DirectoryServices.DirectorySearcher
                               $searcher.Filter="(&(samaccountname=Z000001))"
                               $results=$searcher.findone()
                               [datetime]::fromfiletime($results.properties.pwdlastset[0])
                              
                              # }                                          
                               } else {
                               
                              
                               {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"} 
                              
                               $NewPassword = $user.UserId.Insert(5,"$")
                               $NewPassword = $newPassword.Insert(3,"L")
                               $NewPassword = $newPassword.Remove(0, 1)
                               $newPassword = $newPassword.Insert(0,"Z")        
                               Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                               write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                               $searcher=New-Object DirectoryServices.DirectorySearcher
                               $searcher.Filter="(&(samaccountname=Z000001))"
                               $results=$searcher.findone()
                               [datetime]::fromfiletime($results.properties.pwdlastset[0])

Open in new window


The last thing for now this pw checker i like to have for all user specific on the screen
like set:  User Z000001  Last PW Reset at Samstag, 1. June 2013 09:49:43
 
$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter="(&(samaccountname=$user.userid))"
$results=$searcher.findone()
[datetime]::fromfiletime($results.properties.pwdlastset[0])

Open in new window


appreciate for your help
mandy
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39212668
The 2nd and really last thing i've forgot is to check before if the user has a only web-based

MailAccount.  In this case the user are only in databases includes the Word "WEB".

So first we check DATABASE = "WEB" then should move this user to other database

If the User department = "EMC" then move to database DBEMC001 until DBEMC0045

If the department not EMC but database WEB then move to DB0020 until DB0040

All other user passed this part and enable/disable Mailbox and so on

I tried it with this one below but without success

Import-Module ActiveDirectory 
ForEach ($User in  Import-Csv "c:\import1.csv"){ #$user}
      switch($user){
            {$_.Version -eq "MSXC2010" -and $_.aktion -eq "new"} {

            
                 
                  $DBuser = (Get-ADUser -identity $user.UserID).department
                  If ($DBuser -like "*EMC*") {
                        $db = "DBEMC00$("{0:00}" -f (1..43 | Get-random))"
                    
                    $WEBuser = (Get-Mailbox -Identity $user.userid | Select-Object Database)
                    If ($Webuser -like "*WEB*") {
                    move-mailbox -Identity $user.user.id -TargetDatabase $DB -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                    }
                    else { 
                    move-mailbox -Identity $user.user.id -TargetDatabase DB0040 -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                    }
                    else { 
                    Enable-Mailbox -Identity $user.UserId -Database $db
                    }
                    else { 
                        Enable-Mailbox -Identity $user.UserId

Open in new window



Could you pls give an advice to take the best way to resolve this problem.
Thank you so much
appreciate for your help
mandy
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
LVL 41

Accepted Solution

by:
footech earned 1500 total points
ID: 39213670
In answer to your post http:#a39212655
Do you really have a column header of "aktion", or is it supposed to be "action"?  Sometimes I see you using one, and sometimes the other.
Are you checking group "ADG" or "ASG"?  Your last code had "ASG".

There was a small error in my previous post.  When checking whether a value is a boolean true or false, there aren't any quotes around "$true" or "$false".  So you could use either
If ($PW -eq $false)  or even If (!($PW))
                            If ($_.Version -eq "MSXC2010" -and $_.aktion -eq "New") { 
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq $false) {
                                    $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
                                    If (!($GROUP)) {
                               
                                        $NewPassword = $user.userid.Insert(5,"$")
                                        $NewPassword = $newPassword.Insert(3,"L")
                                        $NewPassword = $newPassword.Remove(0, 1)
                                        $newPassword = $newPassword.Insert(0,"Z")        
                                        Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                        write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                                        "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                              
                                    }                                          
                                }
                            } elseif ($_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount") {
                              
                                $NewPassword = $user.UserId.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"Z")        
                                Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                            }

Open in new window

0
 
LVL 41

Expert Comment

by:footech
ID: 39213678
In answer to post http:#a39212668

This question was started in regards to criteria for resetting passwords.  For help with problems moving, or enabling/disabling  mailboxes, etc., please start a new question.  Otherwise this question becomes too difficult and confusing to follow.  Plus, other experts may be able to give you better advice in regards to that problem.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39214023
thank you!  i moved the other question to new one.

I checked your code and the first part running fine. But if ya like only AdAccount (Password reset in the 2nd part nothing happens.

I create this behind and everything working fine now. What you think about?

       {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"}  {
                              
                                $NewPassword = $user.UserId.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"z")        
                                Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)

                                }
                               # }
                                #} else {
                              
                                {$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {
                               
                                
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq $false) {
                                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=AGS" }
                                If (!($GROUP)) {
                               
                                $NewPassword = $user.userid.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"z")        
                                Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                              
                                }                                          
                           
                                }
                                
                                
                                
                               
                               }
                              
      }
 
}

Open in new window

0
 
LVL 41

Expert Comment

by:footech
ID: 39214160
Looking at some of the other code you've posted, it looks like you may be using a switch statement to check for some of the different conditions instead If statements, which is what I used.  In that case the syntax of the code you posted makes sense.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
Exchange administrators are always vigilant about Exchange crashes and disasters that are possible any time. It is quite essential to identify the symptoms of a possible Exchange issue and be prepared with a proper recovery plan. There are multiple…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question