
Guy's Scripting Ezine 50 - pwdLastSet


This week’s secret

This time last year, I never thought that we would get to 50 editions of my ezine.  Next week I am planning to celebrate with an ebook of all 50 ezines, naturally it will be free.  My only worry is making sure that all subscribers get a copy and that is why I set the default ezine to plain text this week.  So if you don't like plain text then please edit your preferences.

Last week I could not help noticing that 5 emails in a row came from people whose first language was not English.  I felt humble because I cannot speak, let alone write, in French, German, Spanish or Italian.  My other feeling was how lucky I am to be raised in a country whose language has been adopted by much of the web.


This week's theme is readers' letters

One of the true joys of editing an ezine is opening the letters that people send in. Your readers' letters really complement my rough and ready style with my, 'let's get started' mantra. On the one hand, I guess people feel nothing is too simple to write about, while on the other hand people are not shy to point out improvements to my scripts. Here are some examples that I would like to share with you.

Ulrich P has sent in a neat improvement for my Set Password Script.  In fact, Ulrich's VBScript is the main feature of this week's ezine.

Stéphane has sent me the URL of his site which creates custom ActiveX components.  I would like to know more of this application of VBScript myself.

Mark P. emailed me with the world's toughest 800 code error: 0x80041001  "Call failed".  This wins the biscuit for the most obscure and least helpful of the code error messages.  In fact, the whole 0x80041xxx series is pretty low on information.  I will investigate and post any updates in my Code 800 section of the computerperformance.co.uk web site.

John G. has finally found a way of mapping printers before users logon.  This is his idea:
rundll32 printui.dll,PrintUIEntry /b "DisplayPrinterName on http" /x /n "part of the n switch" /if /f %windir%\inf\ntprint.inf /r "http://hostname/printers/sharename/.printer" /m "printer name"


This week's mission - master pwdLastSet

Suppose you want to force users to change their passwords at next logon.  The secret is to set pwdLastSet = 0, which triggers Active Directory to display the change password dialog box.  One tactic is to email new users an 'easy' password, and then ensure they secure their user account by choosing a new password which is known only to themselves.

Instructions

  1. Important: Which OU will you use?  My script uses OU=Accounts.  Either create such an OU, or change the script to reflect YOUR ou=????????.
  2. Make sure the OU has 2 or 3 users.  If you test the script on a server, grant the users the right to logon locally.  (Make them a member of the Server Operators group).
  3. Copy and paste the script below into notepad.
  4. Save the file with .vbs extension e.g. PwdLastSet.vbs.
  5. Double click and examine the message boxes.
  6. Attempt to logon as a user in your OU=

 

 

' PwdLastSet.vbs
' Example VBScript to FORCE a user's password change
' Author Ulrich P amended by Guy Thomas
' Version 2.0 - October 17th 2004
' ---------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

' Bind to RootDSE to discover the domain's distinguished name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD)
intAccValue = 544
' 0 = user must change password at next logon
intPwdValue = 0

' --------------------------------------------------------'
' Important change OU= to reflect your domain
' --------------------------------------------------------'

strContainer = "OU=Accounts, "
strPassword = "P@ssw0rd"

' -------------------------------------------------------'
' Makes the user change P@ssw0rd at first logon
' -------------------------------------------------------'

strContainer = strContainer & strDNSDomain

Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
   ' Skip computers, groups and any other non-user objects in the OU
   If objUser.Class = "user" Then
      ' Reset the password to the known starting value
      objUser.SetPassword strPassword
      objUser.SetInfo

      ' Expire the password so it must be changed at next logon
      objUser.Put "pwdLastSet", intPwdValue
      objUser.SetInfo

      ' Write the account flags
      objUser.Put "userAccountControl", intAccValue
      objUser.SetInfo
      intCounter = intCounter + 1
      strLastUser = objUser.Get("name")
   End If
Next

WScript.Echo strPassword & " is Password. UserAccountValue = " _
   & intAccValue
WScript.Quit

'  End of Script

Learning Points

Note 1: The change password part of the script was featured in Ezine 23, I have now added an extra section which sets UserAccountControl values.

Note 2: In order to work properly, UserAccountControl = 544 must also have: pwdLastSet = 0.  Do feel free to experiment with other UserAccountControl settings.  If you find anything interesting do let me know.

Note 3: If you are troubleshooting your own script, check strContainer = "OU=Accounts, "
Also if you are testing on a server, ensure that the user can logon locally.

Note 4: Try the script without the following two lines.  (I use an ' [apostrophe] to rem out the lines.)

objUser.Put "pwdLastSet", intPwdValue
objUser.SetInfo

Note 5: When you set pwdLastSet to zero it forces users to change their passwords at next logon.

Note 6: Admire the construction:  For Each... next.

Note 7: The statement:  If objUser.class="user" then..  is designed to separate users from other objects such as computers.  Did you spot the End if?

Note 8: Experiment with variations of the WScript.Echo command.
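
A read-only check to run after PwdLastSet.vbs, added here as an example (it is not part of Ulrich's or Guy's script): it lists each user in the OU with the userAccountControl value decoded into its flags and reports whether pwdLastSet is zero.  The decoding shows that 544 is 512 (NORMAL_ACCOUNT) plus 32 (PASSWD_NOTREQD).  It assumes the same OU=Accounts container, and the file name CheckPwdLastSet.vbs is hypothetical.

```vbscript
' CheckPwdLastSet.vbs - added example, read-only (hypothetical file name)
Option Explicit
' userAccountControl bit flags (ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_PASSWD_NOTREQD = &H20
Const ADS_UF_NORMAL_ACCOUNT = &H200
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim objRootDSE, objOU, objUser, objPwdLastSet
Dim strContainer, strLine, strReport, intUAC

Set objRootDSE = GetObject("LDAP://RootDSE")
' Assumption: the same OU that PwdLastSet.vbs was run against
strContainer = "OU=Accounts," & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer)

strReport = ""
For Each objUser In objOU
   If objUser.Class = "user" Then
      intUAC = objUser.Get("userAccountControl")
      strLine = objUser.Get("name") & "  UAC=" & intUAC & " ["
      ' And is bitwise on integers; a non-zero result counts as True
      If intUAC And ADS_UF_NORMAL_ACCOUNT Then strLine = strLine & " NORMAL_ACCOUNT"
      If intUAC And ADS_UF_PASSWD_NOTREQD Then strLine = strLine & " PASSWD_NOTREQD"
      If intUAC And ADS_UF_DONT_EXPIRE_PASSWD Then strLine = strLine & " DONT_EXPIRE_PASSWD"
      If intUAC And ADS_UF_ACCOUNTDISABLE Then strLine = strLine & " ACCOUNTDISABLE"
      strLine = strLine & " ]  "

      ' pwdLastSet is a 64-bit value; ADSI returns it as an
      ' IADsLargeInteger object, so test both 32-bit halves for zero
      Set objPwdLastSet = objUser.Get("pwdLastSet")
      If objPwdLastSet.HighPart = 0 And objPwdLastSet.LowPart = 0 Then
         strLine = strLine & "pwdLastSet=0: change forced at next logon"
      Else
         strLine = strLine & "pwdLastSet<>0: no change forced"
      End If
      strReport = strReport & strLine & vbCrLf
   End If
Next

If strReport = "" Then strReport = "No user objects found in " & strContainer
WScript.Echo strReport
```

Run it with cscript so the report prints to the console instead of a message box.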

Summary pwdLastSet

PwdLastSet is a useful addition to your password-changing toolkit.  Setting it forces users to change their password at next logon.  Naturally, to get the user to change their password, you need to set a value of zero.


 

Copyright © 1999-2008 Computer Performance LTD All rights reserved