Posts Tagged ‘Active Directory’

I’ve had a need to reset password’s for accounts on an automated basis more so recently than before, so not knowing where to start, I took a look around the internet and found some pieces of code here and there that would start to fulfill my needs.

Basically, I was setting up an 802.11x authenticated wireless network, and had a requirement to automate the password change of a RADIUS authenticated Guest account that was sat in a locked down OU in the domain. This then needed to be random, secure and e-mailed to a public folder so that the employees could give their guests access to the guest network. The script just needs to be added to a scheduled task to run monthly. So I eventually ended up with this:

import-module activedirectory

[int] $len = 12
[string] $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
$bytes = new-object "System.Byte[]" $len
$rng = new-object System.Security.Cryptography.RNGCryptoServiceProvider
$result = ""
for( $i=0; $i -lt $len; $i++ )
$result += $chars[ $bytes[$i] % $chars.Length ] 

$securestring = ConvertTo-securestring $result -asplaintext -force

get-aduser "GuestUserName" | set-adaccountpassword -newpassword $securestring

$month= get-date -format MMMM

###Sets the mail values
$FromAddress = ""
$ToAddress = ""
$MessageSubject = "New Wireless Guest Details for $month"
$MessageBody = "Username: GuestUserName          Password: $result"
$SendingServer = ""

###Create the mail message and add the statistics text file as an attachment
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody

###Send the message
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer

In short:

Line 3: Specifies the number of characters in the generated password.
Line 4: The characters that can be used to generate the password.
Line 17: Reset’s the password on the AD account.
Line 19: Generates the month in long format to add to the e-mail Subject.
Line 22-26: Variables used for sending the e-mail.
Line 29: Generates the e-mail.
Lines 32 & 33: Sends the e-mail.

Having some sites recently migrating from older SBS platforms to the latest 2011 release I found a need for a script to alter the login script settings for all users.

Whilst these days I’m primarily setting login scripts via Group Policy Objects there’s still a need to clean-up and remove the login script path from the user objects in Active Directory.

All of the below scripts need you to run this either on your Domain Controller, or via a machine with the Remote Server Admin Tools (RSAT) installed.

This little 2 liner will remove the currently configured script path for all users:

import-module activedirectory
get-aduser -filter * | set-aduser -scriptpath $null

This one will remove it dependant on user name (which you’ll input within PowerShell):

$username = read-host
import-module activedirectory
get-aduser $username | set-aduser -scriptpath $null

Finally, if you want to change the login script path, you’ll need to replace $null on the last line as per this example:

$username = read-host
import-module activedirectory
get-aduser $username | set-aduser -scriptpath '\\ServerName\Netlogon\script.vbs'

%d bloggers like this: