Tutorial for Setting userAccountControl
When a new account is born, especially if you created it with CSVDE, it will be disabled. By resetting userAccountControl to 512, you can enable any Active Directory account. However, there is another factor: giving the enabled account a password so that its user can log on.

Topics for Setting userAccountControl
Our mission is to provide the users with a valid logon name and password. To be successful, we must not only enable the account, but also set a suitable password. What my example script will do is enable not just one account, but all accounts in a particular OU. The crucial command is userAccountControl = 512.

Because of Windows 2003's increased security, our script may encounter obstacles. For example, the default Domain Group Policy demands complex passwords with at least 8 characters. Indeed, if the Domain policy enforces 8 characters and we try to enable an account with a null password, the result is this error message: 'The server is unwilling to process the request.'

Fortunately, we have the answer: we can script a new password at the same time we enable the account. We can even set the accounts so that users must change their password at first logon.

Our Plans
- Master the LDAP attribute, userAccountControl.
- Set the password, and force the user to change password at next logon.
Prerequisites
Either you could log on as an administrator (best), or you could run this script on an XP machine as a non-administrator. I do believe in making life easy, so avoid complications and try Remote Desktop, rather than executing the script from an XP or other client.

Instructions for setting userAccountControl
- You should run this VBScript on a Windows Active Directory domain.
- Copy and paste the example script below into notepad or a VBScript editor.
- Decide whether to change the value for strContainer. Naturally, to be effective you need to create a user or two in the OU specified by strContainer.
- Save the file with a .vbs extension, for example: UserAccountControl.vbs.
- Double click UserAccountControl.vbs and check the Users container for strUser.
Sample Script to Set userAccountControl
' UserAccountControl.vbs
' Sample VBScript to enable a user account
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.0 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intAccValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Here is where we set the value to enable the account
' 512 = Enable, 514 = Disable.
intAccValue = 512

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Accounts, "
strContainer = strContainer & strDNSDomain

Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
    If objUser.class = "user" Then
        ' The heart of this script - Enable users
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
    End If
Next

' End of Free Sample UserAccountControl VBScript
Note 1: userAccountControl needs a numeric value in order to set the account. The two common values for user accounts are: 512 = enable and 514 = disable account. If you are scripting computer accounts, substitute a value of 4096.
Note 2: Purely for testing, I suggest setting userAccountControl = 514. Then open up Active Directory Users and Computers at the OU that corresponds to strContainer. What you are looking for is a red X over the account. Naturally, you could enable the accounts by setting the value back to 512 and running the script again. Incidentally, Active Directory Users and Computers does not always refresh with F5, so right click and select Refresh from the shortcut menu.
Note 3: Do you remember the goal? Our task is to change all accounts in the OU; therefore, observe how VBScript cycles through the objects whose .class is "user" with the For Each... Next loop.
' ChangePassword.vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE, objShell
Dim strContainer, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Accounts, "
strPassword = "P@ssw0rd"
strContainer = strContainer & strDNSDomain

' Here is where we set the value to enable the account
' 512 = Enable, 514 = Disable.
intAccValue = 512

' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
    If objUser.class = "user" Then
        objUser.SetPassword strPassword
        objUser.Put "userAccountControl", intAccValue
        objUser.Put "PwdLastSet", intPwdValue
        objUser.SetInfo
    End If
Next

' Optional section to launch Active Directory Users and Computers
Set objShell = CreateObject("WScript.Shell")
objShell.Run "%systemroot%\system32\dsa.msc"

WScript.Quit

' End of example: Change Password at next logon VBScript
VBScript Tutorial - Learning Points
Note 1: Study lines 32-36 and examine the three commands needed to get the result we want. While the password method uses .SetPassword, the other two properties, userAccountControl and PwdLastSet, require the .Put method.
Note 2: The optional extra section launches the Active Directory Users and Computers snap-in. My idea is twofold: to show that the script has completed, and also to point you where to check what has happened.

The main purpose of userAccountControl is to enable or disable accounts. For users, a value of 512 enables the account, while a value of 514 disables the account and prevents them logging on. Computers also need a value for userAccountControl; in their case the number is 4096.
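userAccountControl is a bit field: 514 is 512 (normal account) plus 2 (account disabled), so writing a flat 512 also wipes any other flag already set on the account, such as "password never expires". The following is an added example, not part of the original tutorial: it reads each user's current value and clears only the disabled bit (2) and the "password not required" bit (32), leaving the rest intact. The OU is the one used in the scripts above; the file name and variable names are assumptions.

```vbscript
' EnablePreserveFlags.vbs (hypothetical file name, added example)
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = &H2    ' 2   = account is disabled
Const ADS_UF_PASSWD_NOTREQD = &H20   ' 32  = account may have a blank password
Const ADS_UF_NORMAL_ACCOUNT = &H200  ' 512 = ordinary user account

Dim objRootDSE, objOU, objUser
Dim strContainer, strName, intOld, intNew, intChanged, intFailed

' Bind to the domain and to the OU used by the tutorial's scripts
Set objRootDSE = GetObject("LDAP://RootDSE")
strContainer = "OU=Accounts," & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer)

intChanged = 0
intFailed = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        strName = objUser.Get("sAMAccountName")
        intOld = objUser.Get("userAccountControl")
        ' Clear the two unwanted bits; every other flag is left as it was
        intNew = intOld And (Not ADS_UF_ACCOUNTDISABLE) And (Not ADS_UF_PASSWD_NOTREQD)
        If intNew <> intOld Then
            objUser.Put "userAccountControl", intNew
            On Error Resume Next
            objUser.SetInfo
            If Err.Number <> 0 Then
                ' Typical cause: no password yet and the domain policy requires one
                WScript.Echo "FAILED " & strName & ": " & Err.Description
                intFailed = intFailed + 1
                Err.Clear
            Else
                WScript.Echo strName & ": " & intOld & " -> " & intNew
                intChanged = intChanged + 1
            End If
            On Error GoTo 0
        End If
    End If
Next

WScript.Echo intChanged & " enabled, " & intFailed & " failed in " & strContainer
```

Run it with cscript.exe so each WScript.Echo line goes to the console instead of a message box. Accounts that still have no password are reported as failed under a password policy like the one described above; set the password first, as the ChangePassword script does.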