Saturday, Jul 17 2010

Active Directory Password Changer

  • Selectively change passwords for individual or groups of AD accounts
  • Make each password unique and meet complexity requirements
  • Keep a record of each password change

We recently had a need at the grind to change a large number of users' passwords, but not all of them.  We needed to change them in stages, so support could log in as the user and perform some administrative activities. 

We needed unique passwords to be generated for each user.  We identified our first group of users, but knew if we set every password to the same value anyone in the group would know the password of everyone else's account that was reset.  A potential security hole.  Oh no!

Need to reset passwords?  Generate a filename instead.

VBScript's "Scripting.FileSystemObject" has a built-in method called "GetTempName". It is a convenient, if weak, way to generate throwaway passwords. Its intended use is to randomly generate a file name in 8.3 format to which you can presumably pipe output. Best of all, you can use it without any knowledge of VBScript.

So why go to this length and not just specify a filename? Because the name is random, so it is very unlikely that an existing file already has it and there is no danger of overwriting previous output - or whatever.

The method generates names in that 8.3 format:

radABCDE.tmp

Where "ABCDE" is a string of five random uppercase alphanumeric characters (in practice the method emits hexadecimal digits, 0-9 and A-F). The fixed "rad" and "tmp" supply lowercase letters, the five random characters supply uppercase letters and/or digits, and the period before the 8.3 extension supplies the special character.

So that is three of the four character categories the default AD complexity policy asks for, in a single call. What it is not is a strong password: only five characters vary, the "rad" and ".tmp" are constant and documented, and a five-character hex body gives about 20 bits (a little under 26 bits even if the full A-Z, 0-9 set were used). That is acceptable for a temporary password that support uses once, provided the password is changed again when support is done; it is not adequate for a password that will stay in service.

Changing passwords for select users

There's a pattern to my scripted solutions:  Two .bat files, usually a single .vbs, an "answer" file, and a "results" file.  Let's call 'em PasswordChanger.bat, PasswordChanger2.bat, PasswordChanger.vbs, PasswordChangerAnswer.txt, and PasswordChangerResults.txt.

  • PasswordChangerAnswer.txt - populate this with usernames whose passwords you want to change.  No spaces or other special characters, please!
  • PasswordChanger.bat - uses the "for" command to execute your PasswordChanger2.bat script against every user account in your "answer file".
  • PasswordChanger2.bat - This is doing the work of actually changing the passwords.
  • PasswordChanger.vbs - Generates the random password.  Echoes it to the terminal so it can be captured in a .txt file.
  • PasswordChangerResults.txt - This is a log of the userids you've changed along with the random passwords that were generated.  It holds cleartext passwords, so restrict who can read it and delete it once the work is done.
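The generator the post leans on, and the per-user assignment that the answer and results files implement, as an added Python example that is not part of the original post or its scripts. It does not call Scripting.FileSystemObject: tempname_style_password is a model of the documented radXXXXX.tmp shape (assumption: the five varying characters are uppercase hex digits), meets_ad_complexity approximates the default AD complexity policy, strong_password is a CSPRNG-backed alternative that passes the same policy, and the answer-file text is constructed sample input. All function names and the special-character set used for the fourth category are this example's own.

```python
import math
import re
import secrets
import string

# --- The post's generator, modelled -------------------------------------------
# FileSystemObject.GetTempName returns "rad" + five characters + ".tmp".  This is
# a pure-Python model of that shape so it runs without Windows.  The five
# characters are drawn from uppercase hex digits (assumption: that is what the
# method is observed to emit; the post only says uppercase letters and digits).
TEMPNAME_PREFIX = "rad"
TEMPNAME_SUFFIX = ".tmp"
TEMPNAME_ALPHABET = "0123456789ABCDEF"
TEMPNAME_RANDOM_CHARS = 5


def tempname_style_password():
    """Return a password shaped like GetTempName output, e.g. rad5E3FA.tmp."""
    body = "".join(secrets.choice(TEMPNAME_ALPHABET) for _ in range(TEMPNAME_RANDOM_CHARS))
    return TEMPNAME_PREFIX + body + TEMPNAME_SUFFIX


def looks_like_tempname(password):
    """True if the string has the radXXXXX.tmp shape with a hex body."""
    return re.fullmatch(r"rad[0-9A-F]{5}\.tmp", password) is not None


def keyspace_bits(alphabet_size, random_chars):
    """Entropy of a password whose only varying part is random_chars symbols
    from an alphabet of alphabet_size; fixed prefixes and suffixes add nothing."""
    return random_chars * math.log2(alphabet_size)


# --- What "meets complexity requirements" actually checks ---------------------
CATEGORIES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",   # non-alphanumeric (this example's own set)
)
# Delimiters AD uses to split the display name into tokens for the name check.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def meets_ad_complexity(password, sam_account_name, display_name=""):
    """Approximate the default AD 'Password must meet complexity requirements'
    policy: at least 6 characters, characters from at least three of the four
    categories above, no sAMAccountName of 3+ characters inside the password,
    and no display-name token longer than two characters inside it.  All name
    comparisons are case-insensitive, as in AD."""
    if len(password) < 6:
        return False
    if sum(any(c in cat for c in password) for cat in CATEGORIES) < 3:
        return False
    lowered = password.lower()
    sam = sam_account_name.lower()
    if len(sam) >= 3 and sam in lowered:
        return False
    for token in NAME_DELIMITERS.split(display_name.lower()):
        if len(token) > 2 and token in lowered:
            return False
    return True


# --- A generator that is both compliant and strong ----------------------------
def strong_password(length=16):
    """Draw from all four categories with the OS CSPRNG; one character from each
    category is guaranteed so the result always passes the category test."""
    alphabet = "".join(CATEGORIES)
    chars = [secrets.choice(cat) for cat in CATEGORIES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets, so the guaranteed characters are
    # not always in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


# --- Per-user assignment, as the answer/results files do ----------------------
def assign_passwords(answer_text, generator=strong_password):
    """One unique, policy-passing password per username in the answer file
    (one username per line, blank lines ignored).  Returns (user, password)
    pairs in file order; the results file the post describes is just these
    pairs written out, which is why that file must be treated as a secret."""
    records, used = [], set()
    for line in answer_text.splitlines():
        user = line.strip()
        if not user:
            continue
        while True:
            pw = generator()
            if pw not in used and meets_ad_complexity(pw, user):
                break
        used.add(pw)
        records.append((user, pw))
    return records


if __name__ == "__main__":
    print("GetTempName-style keyspace, hex body:    %.1f bits" % keyspace_bits(16, 5))
    print("GetTempName-style keyspace, A-Z0-9 body: %.1f bits" % keyspace_bits(36, 5))
    print("16 chars over all four categories:       %.1f bits"
          % keyspace_bits(len("".join(CATEGORIES)), 16))
    sample_answer_file = "jdoe\nasmith\n\nbwong\n"   # constructed sample input
    for user, pw in assign_passwords(sample_answer_file):
        print(user, pw, meets_ad_complexity(pw, user))
```

Running the block prints the keyspace figures side by side; passing tempname_style_password as the generator to assign_passwords shows that the original scheme does pass the complexity check for every user, which is exactly the point: "meets complexity requirements" is a category test, not a strength test.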

Here's the contents of PasswordChanger.bat.  It goes through your answer file and runs your remaining scripts against each one - piping the output to a .txt file:


Here's the PasswordChanger.vbs script that your first .bat calls.  It generates a random filename and then prints it to the screen with the corresponding username:

Here's the final script - the last of seven lines of code needed for the entire solution.  It does the work of changing the password:

Save all five files to the same directory, in the example: \\ryanboyer.net\PasswordChanger\ .

Give replication time to complete before expecting the new passwords to work everywhere: the changes appear to be queued rather than applied on demand.  If you really want quick results, run the script on a domain controller.  Be sure you're executing as someone with permission to reset passwords on those accounts, and keep in mind that this is a reset, not a change: the user's old password stops working as soon as the reset is applied.