Rob Hutchinson
asked on
Domain user accounts, and making sure default password is changed.
Hello,
We have a standard Microsoft-based corporate network setup:
Image the desktop computers, add to domain, login the user's login, get their email, printers, etc. set up; then have them change the default password, creating their own password for their domain login.
What is happening though is that the desktop techs forget to get the users to change their password; or (before giving the computer to the user) forget to put the checkmark back in their AD account (user account properties > Account tab > Account options: > [ ] User must change password at next login).
Is there some way to check/enforce this via a network/Microsoft policy in case the default password never gets changed?
Thanks,
You can either re-tick the box again or change password policy and tell all passwords to expire after x days. This will force your users to change passwords more often and thus not stick with the default password.
You could run a script like:
Option Explicit

Const ADDS_SECURE_AUTHENTICATION = 1 ' ADS_SECURE_AUTHENTICATION flag for OpenDSObject
Const strDomain = "mydomain.local" ' Change this to your domain
Const strPassword = "mypassword" ' Change this to the password you want to check

Dim strUsername
strUsername = InputBox("Username?")

If CheckCredentials(strDomain, strUsername, strPassword) Then
    MsgBox("Credentials are valid.")
Else
    MsgBox("Credentials are invalid.")
End If

' Returns True if a bind to the account with the given password succeeds.
Function CheckCredentials(Domain, Account, Password)
    On Error Resume Next ' a failed bind raises an error; inspect Err below
    Dim objIADS
    Set objIADS = GetObject("WinNT:").OpenDSObject("WinNT://" & Domain & "/" & Account & ",user", Account, Password, ADDS_SECURE_AUTHENTICATION)
    If Err.Number = 0 Then
        CheckCredentials = True
    Else
        CheckCredentials = False
    End If
End Function
Change the variables on lines 4 and 5 to be your domain and password. Save it as a VBScript file (i.e. "CheckPassword.vbs") and run it. It will prompt you for the username you want to check and tell you if the password is valid or not.
You could also modify the script to check all users in your domain, or a list of users from a text file, etc.
ASKER
Yeh, was hoping that there is some group policy to make sure that the default password is no longer used, or to check that a password change has occurred under the user accounts.
And maybe specific instructions to implement the group policy to check when the last password change was made for new accounts, then force a password change if the default password is detected as being used.
There is already a policy in place to make the users change their password every 90 days, but it's making sure that they change the password on new AD accounts if the tick box does not get checked like it should.
ASKER
@ N-W
Not to check whether or not the account/password is valid or not, but just to check to see if the password used is the original user account default. Then make sure that the user is prompted to change that password.
I guess the script could be run on all accounts to check if the known default password is being used...then the user will be forced to change the default password to a new password.
Almost like a behind the scenes script that automatically periodically checked that the default user password was not still being used by a user.
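The periodic background check asked for above, as an added example that is not part of the original thread: it reads account metadata instead of testing the default password, so it produces no failed logon attempts against the accounts. It assumes the RSAT ActiveDirectory module; the OU path and the day thresholds are hypothetical values to adjust.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed values: adjust to your environment.
$SearchBase      = 'OU=Staff,DC=mydomain,DC=local'  # hypothetical OU
$CreatedAfter    = (Get-Date).AddDays(-90)          # only audit recently provisioned accounts
$SetupWindowDays = 7                                # creation-to-handover time for a new PC
$Enforce         = $false                           # $false = report only (-WhatIf)

# Clearing "User must change password at next logon" stamps pwdLastSet with the
# current time, so the window has to cover the technician's setup period.
$props = 'whenCreated', 'pwdLastSet', 'PasswordLastSet', 'PasswordNeverExpires'
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
    Where-Object {
        $_.whenCreated -ge $CreatedAfter -and
        $_.pwdLastSet -ne 0 -and                    # 0 means the flag is already set
        $_.PasswordLastSet -and
        ($_.PasswordLastSet - $_.whenCreated).TotalDays -le $SetupWindowDays
    }

foreach ($user in $candidates) {
    if ($user.PasswordNeverExpires) {
        # Set-ADUser rejects -ChangePasswordAtLogon for these accounts; review by hand.
        Write-Warning "$($user.SamAccountName): PasswordNeverExpires is set, skipped"
        continue
    }
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -WhatIf:(-not $Enforce)
    [pscustomobject]@{
        Account         = $user.SamAccountName
        Created         = $user.whenCreated
        PasswordLastSet = $user.PasswordLastSet
        Action          = if ($Enforce) { 'ChangeAtLogon set' } else { 'Would set ChangeAtLogon' }
    }
}
```

Run it from a scheduled task under an account delegated to modify users in that OU. A user who changed the password within the setup window is flagged as well and is simply prompted once more.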
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Awesome, thx tons. A lot easier than manually doing this =)