Solved

Powershell - Set Passwort depend on group membership or AD - Attributes

Posted on 2013-05-31
7
539 Views
Last Modified: 2013-06-03
hi,

i like to check some attributes in AD and depend on the result, i like
to RESET the password or not

1. AD Attribute CannotChangePassword = false               then PW-RESET
2. User member of GROUP "ADG" = false                       then PW-RESET
3.User has in CSV column action "AdAccount" = true      then PW-RESET

Here only the part of the script:


 
 
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {}  # from CSV
  
$PW = (Get-ADUser -identity $user.userid -properties * ) | Select-Object CannotChangePassword
If ($PW -like "false") {  

$GROUP = (Get-ADUser -identity $user.userid  -Properties *).MemberOf -split (",")
If ($group -like "false") {  

$NewPassword = $user.userid.Insert(5,"$")
$NewPassword = $newPassword.Insert(3,"C")
$NewPassword = $newPassword.Remove(0, 1)
$newPassword = $newPassword.Insert(0,"Z")        
Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                           
                                                          
} else {
                               
{$_.Version -eq "MSXC2010" -and $_.action -eq "AdAccount"} {
                              
$NewPassword = $user.UserId.Insert(5,"!")
$NewPassword = $newPassword.Insert(3,"k")
$NewPassword = $newPassword.Remove(0, 1)
$newPassword = $newPassword.Insert(0,"P")        
Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                              
                               }

            }

Open in new window



My script still not working. Could anybody help?

appreciate for your help
mandy
0
Comment
Question by:Mandy_
  • 4
  • 3
7 Comments
 
LVL 39

Expert Comment

by:footech
ID: 39212026
You can change lines 4-5 like below.
$PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
If ($PW -eq "$false") {

Open in new window

You can change lines 7-8 like below.
$GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
If (!($GROUP)) {

Open in new window


You already have the portion for #3.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39212655
Hi footech, hi ,

thank you for your answer. I recreate the script as you can see  below. Unfortunately
i can move to Group or not or set AD "CannotChangePassword" the password
will be reset.

What i exactly want is:

1. If for one or more of the User the Attribute "CannotChangePassword" are set (true)
No PW-RESET ! All other User PW-RESET !

2. If one or more of the User are Member of the Group "ADG" - No PW-RESET
all other user PW-RESET


We come into the script with all user because all user always in the CSV has the value "MSCX2010"

Then we ask
If 1 and 2 are true - NO PW RESET
If only one True - NO PW RESET
If all false - PW-RESET

In the 2nd Part we asked only for the CSV value "ADAccount" in action if this true = PW-RESET
Never has a user with "ADACCOUNT" a MailboxAccount or is group member or has
set the Passwort Attribute "CannotChangePassword"

 
{$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} { 
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq "$true") {
                                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ASG" }
                                 If (!($GROUP)) {
                               
                               $NewPassword = $user.userid.Insert(5,"$")
                               $NewPassword = $newPassword.Insert(3,"L")
                               $NewPassword = $newPassword.Remove(0, 1)
                               $newPassword = $newPassword.Insert(0,"Z")        
                               Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                               write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                               $searcher=New-Object DirectoryServices.DirectorySearcher
                               $searcher.Filter="(&(samaccountname=Z000001))"
                               $results=$searcher.findone()
                               [datetime]::fromfiletime($results.properties.pwdlastset[0])
                              
                              # }                                          
                               } else {
                               
                              
                               {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"} 
                              
                               $NewPassword = $user.UserId.Insert(5,"$")
                               $NewPassword = $newPassword.Insert(3,"L")
                               $NewPassword = $newPassword.Remove(0, 1)
                               $newPassword = $newPassword.Insert(0,"Z")        
                               Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                               write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                               $searcher=New-Object DirectoryServices.DirectorySearcher
                               $searcher.Filter="(&(samaccountname=Z000001))"
                               $results=$searcher.findone()
                               [datetime]::fromfiletime($results.properties.pwdlastset[0])

Open in new window


The last thing for now this pw checker i like to have for all user specific on the screen
like set:  User Z000001  Last PW Reset at Samstag, 1. June 2013 09:49:43
 
$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter="(&(samaccountname=$user.userid))"
$results=$searcher.findone()
[datetime]::fromfiletime($results.properties.pwdlastset[0])

Open in new window


appreciate for your help
mandy
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39212668
The 2nd and really last thing i've forgot is to check before if the user has a only web-based

MailAccount.  In this case the user are only in databases includes the Word "WEB".

So first we check DATABASE = "WEB" then should move this user to other database

If the User department = "EMC" then move to database DBEMC001 until DBEMC0045

If the department not EMC but database WEB then move to DB0020 until DB0040

All other user passed this part and enable/disable Mailbox and so on

I tried it with this one below but without success

Import-Module ActiveDirectory 
ForEach ($User in  Import-Csv "c:\import1.csv"){ #$user}
      switch($user){
            {$_.Version -eq "MSXC2010" -and $_.aktion -eq "new"} {

            
                 
                  $DBuser = (Get-ADUser -identity $user.UserID).department
                  If ($DBuser -like "*EMC*") {
                        $db = "DBEMC00$("{0:00}" -f (1..43 | Get-random))"
                    
                    $WEBuser = (Get-Mailbox -Identity $user.userid | Select-Object Database)
                    If ($Webuser -like "*WEB*") {
                    move-mailbox -Identity $user.user.id -TargetDatabase $DB -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                    }
                    else { 
                    move-mailbox -Identity $user.user.id -TargetDatabase DB0040 -BadItemLimit 15 -PreserveMailboxSizeLimit:$true -Confirm: $false
                    }
                    else { 
                    Enable-Mailbox -Identity $user.UserId -Database $db
                    }
                    else { 
                        Enable-Mailbox -Identity $user.UserId

Open in new window



Could you pls give an advice to take the best way to resolve this problem.
Thank you so much
appreciate for your help
mandy
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 39213670
In answer to your post http:#a39212655
Do you really have a column header of "aktion", or is it supposed to be "action"?  Sometimes I see you using one, and sometimes the other.
Are you checking group "ADG" or "ASG"?  Your last code had "ASG".

There was a small error in my previous post.  When checking whether a value is a boolean true or false, there aren't any quotes around "$true" or "$false".  So you could use either
If ($PW -eq $false)  or even If (!($PW))
                            If ($_.Version -eq "MSXC2010" -and $_.aktion -eq "New") { 
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq $false) {
                                    $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=ADG" }
                                    If (!($GROUP)) {
                               
                                        $NewPassword = $user.userid.Insert(5,"$")
                                        $NewPassword = $newPassword.Insert(3,"L")
                                        $NewPassword = $newPassword.Remove(0, 1)
                                        $newPassword = $newPassword.Insert(0,"Z")        
                                        Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                        write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                                        "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                              
                                    }                                          
                                }
                            } elseif ($_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount") {
                              
                                $NewPassword = $user.UserId.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"Z")        
                                Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                            }

Open in new window

0
 
LVL 39

Expert Comment

by:footech
ID: 39213678
In answer to post http:#a39212668

This question was started in regards to criteria for resetting passwords.  For help with problems moving, or enabling/disabling  mailboxes, etc., please start a new question.  Otherwise this question becomes too difficult and confusing to follow.  Plus, other experts may be able to give you better advice in regards to that problem.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 39214023
thank you!  i moved the other question to new one.

I checked your code and the first part running fine. But if ya like only AdAccount (Password reset in the 2nd part nothing happens.

I create this behind and everything working fine now. What you think about?

       {$_.Version -eq "MSXC2010" -and $_.aktion -eq "AdAccount"}  {
                              
                                $NewPassword = $user.UserId.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"z")        
                                Set-ADAccountPassword -Identity $user.UserId -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor magenta "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)

                                }
                               # }
                                #} else {
                              
                                {$_.Version -eq "MSXC2010" -and $_.aktion -eq "New"} {
                               
                                
                                $PW = (Get-ADUser -identity $user.userid -properties * ).CannotChangePassword
                                If ($PW -eq $false) {
                                $GROUP = (Get-ADUser -identity $user.userid -Properties *).MemberOf | % { ($_ -split ",")[0] } | Where { $_ -eq "CN=AGS" }
                                If (!($GROUP)) {
                               
                                $NewPassword = $user.userid.Insert(5,"$")
                                $NewPassword = $newPassword.Insert(3,"L")
                                $NewPassword = $newPassword.Remove(0, 1)
                                $newPassword = $newPassword.Insert(0,"z")        
                                Set-ADAccountPassword -Identity $user.userid -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) 
                                write-host -ForegroundColor yellow "Password of $($user.UserId) has been set to $newPassword"
                              
                                "User {0}  Last PW Reset at {1}" -f $user.userid,((Get-ADUser $user.userid -properties PasswordLastSet).PasswordLastSet)
                              
                                }                                          
                           
                                }
                                
                                
                                
                               
                               }
                              
      }
 
}

Open in new window

0
 
LVL 39

Expert Comment

by:footech
ID: 39214160
Looking at some of the other code you've posted, it looks like you may be using a switch statement to check for some of the different conditions instead If statements, which is what I used.  In that case the syntax of the code you posted makes sense.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now