Solved

Powershell - Set Password depending on group membership or AD attributes

Posted on 2013-05-31
Medium Priority
581 Views
Last Modified: 2013-06-03
Hi,

I would like to check some attributes in AD and, depending on the result, reset the password or not:

1. AD attribute CannotChangePassword = false               then PW-RESET
2. User member of group "ADG" = false                      then PW-RESET
3. User has in CSV column action "AdAccount" = true        then PW-RESET

Here is only the relevant part of the script:

{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {}  # from CSV

$PW = (Get-ADUser -identity $user.userid -properties * ) | Select-Object CannotChangePassword
If ($PW -like "false") {

    $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf -split (",")
    If ($group -like "false") {

        $NewPassword = $user.userid.Insert(5,"$")
        $NewPassword = $newPassword.Insert(3,"C")
        $NewPassword = $newPassword.Remove(0, 1)
        $newPassword = $newPassword.Insert(0,"Z")
        Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)

    } else {

        {$_.Version -eq "MSXC2010" -and $_.action -eq "AdAccount"} {

            $NewPassword = $user.UserId.Insert(5,"!")
            $NewPassword = $newPassword.Insert(3,"k")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"P")
            Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)

        }

    }



My script is still not working. Could anybody help?

I appreciate your help,
mandy

Question by: Mandy_

7 Comments

Expert Comment by: footech (LVL 40)
ID: 39212026
You can change lines 4-5 like below.

$PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
If ($PW -eq "$false") {

You can change lines 7-8 like below.

$GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
If (!($GROUP)) {

You already have the portion for #3.

Author Comment by: Mandy_ (LVL 2)
ID: 39212655
Hi footech,

thank you for your answer. I recreated the script as you can see below. Unfortunately, whether I move the user into the group or not, or set the AD attribute "CannotChangePassword", the password
will be reset.

What I exactly want is:

1. If for one or more of the users the attribute "CannotChangePassword" is set (true):
no PW-RESET! All other users: PW-RESET!

2. If one or more of the users are members of the group "ADG": no PW-RESET.
All other users: PW-RESET.

We enter the script with all users because every user in the CSV always has the value "MSCX2010".

Then we ask:
If 1 and 2 are true - NO PW RESET
If only one is true - NO PW RESET
If all are false - PW-RESET

In the 2nd part we ask only for the CSV value "AdAccount" in action; if this is true = PW-RESET.
A user with "ADACCOUNT" never has a MailboxAccount, is never a group member, and never has
the password attribute "CannotChangePassword" set.

{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {
    $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
    If ($PW -eq "$true") {
        $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ASG" }
        If (!($GROUP)) {

            $NewPassword = $user.userid.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"Z")
            Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"

            $searcher=New-Object DirectoryServices.DirectorySearcher
            $searcher.Filter="(&(samaccountname=Z000001))"
            $results=$searcher.findone()
            [datetime]::fromfiletime($results.properties.pwdlastset[0])

        # }
        } else {

            {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"}

            $NewPassword = $user.UserId.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"Z")
            Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"

            $searcher=New-Object DirectoryServices.DirectorySearcher
            $searcher.Filter="(&(samaccountname=Z000001))"
            $results=$searcher.findone()
            [datetime]::fromfiletime($results.properties.pwdlastset[0])


The last thing for now: I would like to have this PW checker on screen for each user, like:
User Z000001  Last PW Reset at Samstag, 1. June 2013 09:49:43

$searcher=New-Object DirectoryServices.DirectorySearcher
# $($user.userid) is required here: "$user.userid" inside a string expands only $user
$searcher.Filter="(&(samaccountname=$($user.userid)))"
$results=$searcher.findone()
[datetime]::fromfiletime($results.properties.pwdlastset[0])


I appreciate your help,
mandy

Author Comment by: Mandy_ (LVL 2)
ID: 39212668
The 2nd and really last thing I forgot is to check beforehand whether the user has only a web-based
MailAccount. In this case the user is only in databases whose name includes the word "WEB".

So first we check DATABASE = "WEB"; then this user should be moved to another database:

If the user's department = "EMC", then move to database DBEMC001 until DBEMC0045.

If the department is not EMC but the database is WEB, then move to DB0020 until DB0040.

All other users pass this part and get enable/disable Mailbox and so on.

I tried it with the one below, but without success:

Import-Module ActiveDirectory
ForEach ($User in Import-Csv "c:\import1.csv"){ #$user}
    switch($user){
        {$_.Version -eq "MSXC2010" -and $_.aktion -eq "new"} {

            $DBuser = (Get-ADUser -identity $user.UserID).department
            If ($DBuser -like "*EMC*") {
                $db = "DBEMC00$("{0:00}" -f (1..43 | Get-random))"

                $WEBuser = (Get-Mailbox -Identity $user.userid | Select-Object Database)
                If ($Webuser -like "*WEB*") {
                    move-mailbox -Identity $user.user.id -TargetDatabase $DB -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                }
                else {
                    move-mailbox -Identity $user.user.id -TargetDatabase DB0040 -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                }
            else {
                Enable-Mailbox -Identity $user.UserId -Database $db
            }
            else {
                Enable-Mailbox -Identity $user.UserId



Could you please give me advice on the best way to resolve this problem.
Thank you so much,
I appreciate your help,
mandy

Accepted Solution by: footech (LVL 40), earned 1500 total points
ID: 39213670
In answer to your post http:#a39212655
Do you really have a column header of "aktion", or is it supposed to be "action"? Sometimes I see you using one, and sometimes the other.
Are you checking group "ADG" or "ASG"? Your last code had "ASG".

There was a small error in my previous post. When checking whether a value is a boolean true or false, there aren't any quotes around $true or $false. So you could use either If ($PW -eq $false) or even If (!($PW)):
If ($_.Version -eq "MSXC2010" -and $_.aktion -eq "New") {
    $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
    If ($PW -eq $false) {
        $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
        If (!($GROUP)) {

            $NewPassword = $user.userid.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"Z")
            Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"

            "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)

        }
    }
} elseif ($_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount") {

    $NewPassword = $user.UserId.Insert(5,"$")
    $NewPassword = $newPassword.Insert(3,"L")
    $NewPassword = $newPassword.Remove(0, 1)
    $newPassword = $newPassword.Insert(0,"Z")
    Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
    write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"

    "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
}

Expert Comment by: footech (LVL 40)
ID: 39213678
In answer to post http:#a39212668

This question was started in regards to criteria for resetting passwords. For help with problems moving, or enabling/disabling mailboxes, etc., please start a new question. Otherwise this question becomes too difficult and confusing to follow. Plus, other experts may be able to give you better advice in regards to that problem.

Author Comment by: Mandy_ (LVL 2)
ID: 39214023
Thank you! I moved the other question to a new one.

I checked your code and the first part runs fine. But if you only want AdAccount (password reset in the 2nd part), nothing happens.

I created this instead and everything is working fine now. What do you think about it?

        {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"} {

            $NewPassword = $user.UserId.Insert(5,"$")
            $NewPassword = $newPassword.Insert(3,"L")
            $NewPassword = $newPassword.Remove(0, 1)
            $newPassword = $newPassword.Insert(0,"z")
            Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
            write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"

            "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)

        }
        # }
        #} else {

        {$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {

            $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
            If ($PW -eq $false) {
                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=AGS" }
                If (!($GROUP)) {

                    $NewPassword = $user.userid.Insert(5,"$")
                    $NewPassword = $newPassword.Insert(3,"L")
                    $NewPassword = $newPassword.Remove(0, 1)
                    $newPassword = $newPassword.Insert(0,"z")
                    Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
                    write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"

                    "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)

                }
            }
        }
    }
}

Expert Comment by: footech (LVL 40)
ID: 39214160
Looking at some of the other code you've posted, it looks like you may be using a switch statement to check for some of the different conditions instead of If statements, which is what I used. In that case the syntax of the code you posted makes sense.
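As an added example, not code from the thread, here is how I would fold the rules from the accepted answer into the switch form footech mentions: a real boolean comparison on CannotChangePassword, membership tested against the group's distinguished name rather than a split DN, and a random password in place of one derived from the user ID. It assumes the ActiveDirectory module, the CSV columns userid/Version/aktion and the group name ADG from the thread, and stays a dry run until -WhatIf is removed.

```powershell
Import-Module ActiveDirectory

# Cryptographically random password (assumption: replaces the user-ID-derived scheme above).
function New-RandomPassword {
    param([int]$Length = 16)
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!$%&*+-=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $chars.Length)    # rejection sampling avoids modulo bias
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

# $true when the three rules from the thread say the account should be reset.
# The switch mirrors the script-block cases in Mandy's version; the CSV columns
# are assumed to be named "userid", "Version" and "aktion".
function Test-ShouldReset {
    param($Row, [string]$GroupDn)
    switch ($Row) {
        { $_.Version -eq 'MSXC2010' -and $_.aktion -eq 'AdAccount' } { return $true }
        { $_.Version -eq 'MSXC2010' -and $_.aktion -eq 'New' } {
            $u = Get-ADUser -Identity $_.userid -Properties CannotChangePassword, MemberOf
            # compare with the boolean $true, never with the string "$true"
            if ($u.CannotChangePassword -eq $true) { return $false }
            # MemberOf holds distinguished names of direct memberships only (nested
            # groups are not expanded); comparing whole DNs avoids splitting on commas
            if ($u.MemberOf -contains $GroupDn) { return $false }
            return $true
        }
    }
    return $false
}

$groupDn = (Get-ADGroup -Identity 'ADG').DistinguishedName   # resolved once, not per user
foreach ($row in Import-Csv 'c:\import1.csv') {
    if (-not (Test-ShouldReset -Row $row -GroupDn $groupDn)) { continue }
    $pw = New-RandomPassword
    # -WhatIf makes this a dry run; remove it to apply. The password is not echoed.
    Set-ADAccountPassword -Identity $row.userid -Reset -WhatIf `
        -NewPassword (ConvertTo-SecureString -AsPlainText $pw -Force)
    $last = (Get-ADUser -Identity $row.userid -Properties PasswordLastSet).PasswordLastSet
    'User {0}  Last PW Reset at {1}' -f $row.userid, $last
}
```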