Force all user passwords to be changed

I find this one quite useful when customers experience a security breach, and they request that all users are forced to update their passwords. Other accounts can be added to the filter in the where cause if needed (or of course you’ve renamed your administrator account etc).


import-module activedirectory

get-aduser -filter * |
where {$_.samaccountname -ne "Administrator" } |
set-aduser -passwordneverexpires:$False `
-changepasswordatlogon:$true

Automated Password Reset/Change – PowerShell

I’ve had a need to reset password’s for accounts on an automated basis more so recently than before, so not knowing where to start, I took a look around the internet and found some pieces of code here and there that would start to fulfill my needs.

Basically, I was setting up an 802.11x authenticated wireless network, and had a requirement to automate the password change of a RADIUS authenticated Guest account that was sat in a locked down OU in the domain. This then needed to be random, secure and e-mailed to a public folder so that the employees could give their guests access to the guest network. The script just needs to be added to a scheduled task to run monthly. So I eventually ended up with this:

import-module activedirectory

[int] $len = 12
[string] $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
$bytes = new-object "System.Byte[]" $len
$rng = new-object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$result = ""
for( $i=0; $i -lt $len; $i++ )
{
$result += $chars[ $bytes[$i] % $chars.Length ] 
}
$result

$securestring = ConvertTo-securestring $result -asplaintext -force

get-aduser "GuestUserName" | set-adaccountpassword -newpassword $securestring

$month= get-date -format MMMM

###Sets the mail values
$FromAddress = "Wireless_Guest@some-domain.com"
$ToAddress = "public-folder@some-domain.com"
$MessageSubject = "New Wireless Guest Details for $month"
$MessageBody = "Username: GuestUserName          Password: $result"
$SendingServer = "my.mail-relay.com"

###Create the mail message and add the statistics text file as an attachment
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody

###Send the message
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
$SMTPClient.Send($SMTPMessage)

In short:

Line 3: Specifies the number of characters in the generated password.
Line 4: The characters that can be used to generate the password.
Line 17: Reset’s the password on the AD account.
Line 19: Generates the month in long format to add to the e-mail Subject.
Line 22-26: Variables used for sending the e-mail.
Line 29: Generates the e-mail.
Lines 32 & 33: Sends the e-mail.

Scripting Cisco ASA via PowerShell? Why not?!

OK, this is something I’ve been using for a while and wanted to share with you, as I’ve been asked for it a couple of times now.

I’ve got a pair of Cisco ASA’s at the perimeter of our network, and I needed a way some time ago to edit it’s configuration in a scripted manner, so, I started looking at PowerShell and SSH connections, and this didn’t get me anywhere, so I started to look at PLINK.exe. PLINK is almost a spin-off from PuTTY, a free remote connection tool that supports SSH. PLINK is scriptable, in that you can pass it a text file, and it’ll run each line of that file as seperate commands. Simply enough, the powershell script below will echo out to a file any commands you need, then start PLINK and run the code. If it’s a system that you’ve not connected to before, and don’t have the key saved in your registry, you’ll be prompted to accept it.

$ASApw = "MyPassword"
$ASAIP = "MyASAIPAddress"
$ASAUser = "MySSHUserName"
$ASAEnablepw = $ASApw

#Modifies the ASA firewall
#Starts by writing a "commands" file#
echo en >>unicode.txt
echo $ASAEnablepw >>unicode.txt
echo "conf t" >>unicode.txt
echo "show run access-group"
echo exit >>unicode.txt
echo exit >>unicode.txt

#Converts the file to ASCII format (separate file)#
$lines = gc "unicode.txt"
$lines | out-file -encoding Ascii -filepath commands.txt

#Using the command file and plink.exe connects and runs the commands #
./plink.exe -ssh -l $ASAUser -pw $ASApw $ASAIP -m commands.txt

#removes the files it created earlier#
del unicode.txt
del commands.txt

In the above example, the ASA will be asked to show it’s running config’s access-group configuration. You’ll need to modify the echo lines to get this to perform other actions (I use this script to modify static mapping entries and access-lists for example). You’ll also need to modify “$ASAIP”,”$ASAUSer” and “$ASApw” with your IP address, SSH Username and SSH password. The script assumes that the enable password matches this, but if not, edit the “$ASAEnablepw”, and add your enable password there. If you don’t like storing password this way (I don’t particularly) then you can always change these to “read-host” to request the entry from the Powershell command line.