Solved

Powershell - Set Passwort depend on group membership or AD - Attributes

Posted on 2013-05-31
7
578 Views
Last Modified: 2013-06-03
hi,

i like to check some attributes in AD and depend on the result, i like
to RESET the password or not

1. AD Attribute CannotChangePassword = false               then PW-RESET
2. User member of GROUP "ADG" = false                       then PW-RESET
3.User has in CSV column action "AdAccount" = true      then PW-RESET

Here only the part of the script:


 
 
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {}  # from CSV
  
$PW = (Get-ADUser -identity $user.userid -properties * ) | Select-Object CannotChangePassword
If ($PW -like "false") {  

$GROUP = (Get-ADUser -identity $user.userid  -Properties *).MemberOf -split (",")
If ($group -like "false") {  

$NewPassword = $user.userid.Insert(5,"$")
$NewPassword = $newPassword.Insert(3,"C")
$NewPassword = $newPassword.Remove(0, 1)
$newPassword = $newPassword.Insert(0,"Z")        
Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                           
                                                          
} else {
                               
{$_.Version -eq "MSXC2010" -and $_.action -eq "AdAccount"} {
                              
$NewPassword = $user.UserId.Insert(5,"!")
$NewPassword = $newPassword.Insert(3,"k")
$NewPassword = $newPassword.Remove(0, 1)
$newPassword = $newPassword.Insert(0,"P")        
Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                              
                               }

            }

Open in new window



My script still not working. Could anybody help?

appreciate for your help
mandy
0
Comment
Question by:Mandy_
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39212026
You can change lines 4-5 like below.
$PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
If ($PW -eq "$false") {

Open in new window

You can change lines 7-8 like below.
$GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
If (!($GROUP)) {

Open in new window


You already have the portion for #3.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39212655
Hi footech, hi ,

thank you for your answer. I recreate the script as you can see  below. Unfortunately
i can move to Group or not or set AD "CannotChangePassword" the password
will be reset.

What i exactly want is:

1. If for one or more of the User the Attribute "CannotChangePassword" are set (true)
No PW-RESET ! All other User PW-RESET !

2. If one or more of the User are Member of the Group "ADG" - No PW-RESET
all other user PW-RESET


We come into the script with all user because all user always in the CSV has the value "MSCX2010"

Then we ask
If 1 and 2 are true - NO PW RESET
If only one True - NO PW RESET
If all false - PW-RESET

In the 2nd Part we asked only for the CSV value "ADAccount" in action if this true = PW-RESET
Never has a user with "ADACCOUNT" a MailboxAccount or is group member or has
set the Passwort Attribute "CannotChangePassword"

 
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} { 
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq "$true") {
                                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ASG" }
                                 If (!($GROUP)) {
                               
                               $NewPassword = $user.userid.Insert(5,"$")
                               $NewPassword = $newPassword.Insert(3,"L")
                               $NewPassword = $newPassword.Remove(0, 1)
                               $newPassword = $newPassword.Insert(0,"Z")        
                               Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                               write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                               $searcher=New-Object DirectoryServices.DirectorySearcher
                               $searcher.Filter="(&(samaccountname=Z000001))"
                               $results=$searcher.findone()
                               [datetime]::fromfiletime($results.properties.pwdlastset[0])
                              
                              # }                                          
                               } else {
                               
                              
                               {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"} 
                              
                               $NewPassword = $user.UserId.Insert(5,"$")
                               $NewPassword = $newPassword.Insert(3,"L")
                               $NewPassword = $newPassword.Remove(0, 1)
                               $newPassword = $newPassword.Insert(0,"Z")        
                               Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                               write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                               $searcher=New-Object DirectoryServices.DirectorySearcher
                               $searcher.Filter="(&(samaccountname=Z000001))"
                               $results=$searcher.findone()
                               [datetime]::fromfiletime($results.properties.pwdlastset[0])

Open in new window


The last thing for now this pw checker i like to have for all user specific on the screen
like set:  User Z000001  Last PW Reset at Samstag, 1. June 2013 09:49:43
 
$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter="(&(samaccountname=$user.userid))"
$results=$searcher.findone()
[datetime]::fromfiletime($results.properties.pwdlastset[0])

Open in new window


appreciate for your help
mandy
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39212668
The 2nd and really last thing i've forgot is to check before if the user has a only web-based

MailAccount.  In this case the user are only in databases includes the Word "WEB".

So first we check DATABASE = "WEB" then should move this user to other database

If the User department = "EMC" then move to database DBEMC001 until DBEMC0045

If the department not EMC but database WEB then move to DB0020 until DB0040

All other user passed this part and enable/disable Mailbox and so on

I tried it with this one below but without success

Import-Module ActiveDirectory 
ForEach ($User in  Import-Csv "c:\import1.csv"){ #$user}
      switch($user){
            {$_.Version -eq "MSXC2010" -and $_.aktion -eq "new"} {

            
                 
                  $DBuser = (Get-ADUser -identity $user.UserID).department
                  If ($DBuser -like "*EMC*") {
                        $db = "DBEMC00$("{0:00}" -f (1..43 | Get-random))"
                    
                    $WEBuser = (Get-Mailbox -Identity $user.userid | Select-Object Database)
                    If ($Webuser -like "*WEB*") {
                    move-mailbox -Identity $user.user.id -TargetDatabase $DB -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                    }
                    else { 
                    move-mailbox -Identity $user.user.id -TargetDatabase DB0040 -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                    }
                    else { 
                    Enable-Mailbox -Identity $user.UserId -Database $db
                    }
                    else { 
                        Enable-Mailbox -Identity $user.UserId

Open in new window



Could you pls give an advice to take the best way to resolve this problem.
Thank you so much
appreciate for your help
mandy
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 39213670
In answer to your post http:#a39212655
Do you really have a column header of "aktion", or is it supposed to be "action"?  Sometimes I see you using one, and sometimes the other.
Are you checking group "ADG" or "ASG"?  Your last code had "ASG".

There was a small error in my previous post.  When checking whether a value is a boolean true or false, there aren't any quotes around "$true" or "$false".  So you could use either
If ($PW -eq $false)  or even If (!($PW))
                            If ($_.Version -eq "MSXC2010" -and $_.aktion -eq "New") { 
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq $false) {
                                    $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
                                    If (!($GROUP)) {
                               
                                        $NewPassword = $user.userid.Insert(5,"$")
                                        $NewPassword = $newPassword.Insert(3,"L")
                                        $NewPassword = $newPassword.Remove(0, 1)
                                        $newPassword = $newPassword.Insert(0,"Z")        
                                        Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                        write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                                        "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                              
                                    }                                          
                                }
                            } elseif ($_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount") {
                              
                                $NewPassword = $user.UserId.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"Z")        
                                Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                            }

Open in new window

0
 
LVL 40

Expert Comment

by:footech
ID: 39213678
In answer to post http:#a39212668

This question was started in regards to criteria for resetting passwords.  For help with problems moving, or enabling/disabling  mailboxes, etc., please start a new question.  Otherwise this question becomes too difficult and confusing to follow.  Plus, other experts may be able to give you better advice in regards to that problem.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39214023
thank you!  i moved the other question to new one.

I checked your code and the first part running fine. But if ya like only AdAccount (Password reset in the 2nd part nothing happens.

I create this behind and everything working fine now. What you think about?

       {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"}  {
                              
                                $NewPassword = $user.UserId.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"z")        
                                Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)

                                }
                               # }
                                #} else {
                              
                                {$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {
                               
                                
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq $false) {
                                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=AGS" }
                                If (!($GROUP)) {
                               
                                $NewPassword = $user.userid.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"z")        
                                Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                              
                                }                                          
                           
                                }
                                
                                
                                
                               
                               }
                              
      }
 
}

Open in new window

0
 
LVL 40

Expert Comment

by:footech
ID: 39214160
Looking at some of the other code you've posted, it looks like you may be using a switch statement to check for some of the different conditions instead If statements, which is what I used.  In that case the syntax of the code you posted makes sense.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
how to add IIS SMTP to handle application/Scanner relays into office 365.

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question