Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Domain user accounts, and making sure default password is changed.

Posted on 2014-03-11
7
Medium Priority
?
410 Views
Last Modified: 2014-03-13
Hello,

We have a standard Microsoft based corporate network setup:
Image the desktop computers, add to domain, login the user's login, get their email, printers, etc setup; then have them change the default password creating their own password for their domain login.

What is happening though is that the desktop techs forget to get the users to change their password; or( before giving the computer to the user) forget to put the checkmark back in their AD account( user account properties > Account tab > Account options: > [ ] User must change password at next login.

Is there someway to check/enforce this via a network/microsoft policy in case the default password never gets changed?

Thanks,
0
Comment
Question by:Rob Hutchinson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39922190
You can either re-tick the box again or change password policy and tell all passwords to expire after x days. This will force your users to change passwords more often and thus not stick with the default password.
0
 
LVL 8

Expert Comment

by:N-W
ID: 39922226
You could run a script like:
Option Explicit

Const ADDS_SECURE_AUTHENTICATION = 1
Const strDomain = "mydomain.local" ' Change this to your domain
Const strPassword = "mypassword" ' Change this to the password you want to check
Dim strUsername
strUsername = InputBox("Username?")

If CheckCredentials(strDomain, strUsername, strPassword) Then
	MsgBox("Credentials are valid.")
Else
	MsgBox("Credentials are invalid.")
End If

Function CheckCredentials(Domain, Account, Password)
	On Error Resume Next
    Dim objIADS	
	Set objIADS = GetObject("WinNT:").OpenDSObject("WinNT://" & Domain & "/" & Account & ",user" , Account, Password, ADDS_SECURE_AUTHENTICATION)
    If err.number = 0 then
		CheckCredentials = True
	Else
		CheckCredentials = False
	End If
End Function

Open in new window


Change the variables on lines 4 and 5 to be your domain and password. Save it as a VBScript file (i.e. "CheckPassword.vbs") and run it. It will prompt you for the username you want to check and tell you if the password is valid or not.

You could also modify the script to check all users in your domain, or a list of users from a text file, etc.
0
 
LVL 19

Author Comment

by:Rob Hutchinson
ID: 39922230
Yeh, was hoping that there is some group policy to make sure that the default password is no longer used, or to check that a password change has occured under the user accounts.

And maybe specific instructions to implement the group policy to check when the last password change was made for new accounts, then force a password change if the default password is detected as being used.

There is already a policy in place to make the users change their password every 90 days, but it's making sure that they change the password on new AD accounts if the tick box does not get checked like it should.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 19

Author Comment

by:Rob Hutchinson
ID: 39922242
@ N-W

Not to check whether or not the account/password is valid or not, but just to check to see if the password used is the original user account default. Then make sure that the user is prompted to change that password.

I guess the script could be run on all accounts to check if the known default password is being used...then the user will be forced to change the default password to a new password.

Almost like a behind the scenes script that automatically periodically checked that the default user password was not still being used by a user.
0
 
LVL 8

Accepted Solution

by:
N-W earned 2000 total points
ID: 39922323
This script will check the password against all users in the domain and force them to change it if it matches:
Option Explicit

Const ADDS_SECURE_AUTHENTICATION = 1
Const strLDAPDomain = "DC=mydomain,DC=local" ' Change this to your domain
Const strWinDomain = "mydomain.local" ' Change this to your domain
Const strPassword = "mypassword" ' Change this to the password you want to check

Dim objConnection
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Dim objCommand
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = "<LDAP://" & strLDAPDomain & ">;" & "(&(objectclass=user)(objectcategory=person));" & "adspath,sAMAccountName"

Dim objRecordSet
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
	Dim strCurrentUser
	strCurrentUser = objRecordSet.Fields("sAMAccountName").Value
	If CheckCredentials(strWinDomain, strCurrentUser, strPassword) Then
		ForcePasswordChange(objRecordSet.Fields("adspath").Value)
	End If
	objRecordSet.MoveNext
Loop

Function CheckCredentials(Domain, Account, Password)
	On Error Resume Next
    Dim objIADS	
	Set objIADS = GetObject("WinNT:").OpenDSObject("WinNT://" & Domain & "/" & Account & ",user" , Account, Password, ADDS_SECURE_AUTHENTICATION)
    If err.number = 0 then
		CheckCredentials = True
	Else
		CheckCredentials = False
	End If
End Function

Sub ForcePasswordChange(adspath)
	Dim objUser
	Set objUser = GetObject(adspath)
	objUser.put "pwdLastSet", 0
	objuser.setinfo
End Sub

objRecordSet.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing

Open in new window


You can set it as a scheduled task to run periodically if desired.
0
 
LVL 19

Author Comment

by:Rob Hutchinson
ID: 39928040
Awesome, thx tons. A lot easier than manually doing this =)
0
 
LVL 19

Author Closing Comment

by:Rob Hutchinson
ID: 39928041
Awesome, thx tons. A lot easier than manually doing this =)
0

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a hurry?.. scroll down to "HERE's HOW TO DO IT" Section. Greetings All, I was going to post this as question/solution, but its seems more appropriate as an article considering its length.  I felt it important to illucidate all the details c…
by Nathan Brom/Bromy2004 Introduction There are numerous websites out there for any different type of program you can imagine.  Of those, you'll need to decide which ones are legitimate and aren't trying to steal your money or infect your comput…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question