INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

Check to see if AD passwords have been changed from a generic

Check to see if AD passwords have been changed from a generic

Check to see if AD passwords have been changed from a generic

(OP)
I have a script that imports a CSV. The CSV contains data that was exported from a database with a list of users. I added a column with the plain text generic passwords that those accounts were set to. The script checks to find which users haven't changed their passwords and creates a CSV of the results and emails it. This works perfectly. The code is:

CODE --> Powershell

##Required for AD Support
Import-Module activedirectory

# List email recipients who should receive the log file
$emailrecipients = "me@somewhere.com"

$ApplicationPath = "C:\Scripts\ParentCheckPasswords\"
$CSVFile = $ApplicationPath + "parents.csv"
$ResultsCSV = $ApplicationPath + "ParentPasswordsResults.csv"

### Deletes previous results file
Remove-Item $ResultsCSV

import-csv $CSVFile | foreach {

        $UserName = $_.ParentID
	$Password = $_.Password
	$Domain = $env:USERDOMAIN

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $ct,$Domain
$PasswordChanged = $pc.ValidateCredentials($UserName,$Password)

    IF ($PasswordChanged -eq "False") 
	{ "$UserName,$PasswordChanged" | out-file $ResultsCSV -Append }}

### Create the mail message and add the $Results.csv text file as an attachment###

Send-MailMessage –From server@somewhere.com –To $emailrecipients –Subject "Parent AD Password Check" –Body "Attached is the current list of parents who have not changed their default AD password." -Attachment $ResultsCSV –SmtpServer mail.somewhere.com 

This works. It was created just for testing. However having to export data from a database into a CSV then import it is a step that is unneccesary step now that all is up and running. I'd like the script to query an OU in AD, get all the users and check their passwords and export the results as a CSV.

I have another script that queries an OU (just like I want to do) and sets all those users to never expire the passwords. So I want to use the query process and mix it with the 'check password' process into a script but I just can't get it to work. The 'password never expires' script is:

CODE --> Powershell

### Import AD module
Import-Module ActiveDirectory

$ApplicationPath = "C:\Scripts\ParentPasswordSetNeverExpire\"
$LogFile = $ApplicationPath + "\Log.txt"

### Deletes previous results file
Remove-Item $LogFile

$users = $i = $null

### Specify the location of the OU to find users in
$USERS = Get-ADUser -SearchBase "OU=PARENTS, OU=USERS, DC=domain, DC=local" -filter * -Property UserPrincipalName,PasswordNeverExpires

 ForEach($user in $users) 
  { 
      Set-ADUser -Identity $user.distinguishedName -PasswordNeverExpires:$true
      "Password for $($user.name) has been set to never expire" | out-file -append $LogFile
      $i++ 
 } 

The merged script that doesn't work is:

CODE --> Powershell

##Required for AD Support
Import-Module activedirectory

# List email recipients who should receive the log file
$emailrecipients = "me@somewhere.com"

$ApplicationPath = "C:\Scripts\ParentCheckPasswords\"
$CSVFile = $ApplicationPath + "parents.csv"
$ResultsCSV = $ApplicationPath + "ParentPasswordsResults.csv"

### Deletes previous results file
IF ( (Test-Path "$ResultsCSV") -eq $true )
{ Remove-Item $ResultsCSV }

$users = $i = $null
### Specify the location of the OU to find users in
#$USERS = Get-ADUser -SearchBase "OU=PARENTS, OU=USERS, DC=domain, DC=local" -filter * -Property UserPrincipalName
$USERS = Get-ADUser -SearchBase "OU=test-steve, DC=grammar, DC=local" -filter *

 ForEach($user in $users) 
  { 
	$Password = "Password1"
	$Domain = $env:USERDOMAIN
	Add-Type -AssemblyName System.DirectoryServices.AccountManagement
	$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
	$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $ct,$Domain
	$PasswordChanged = $pc.ValidateCredentials($User,$Password)

    IF ($PasswordChanged -eq "False") 
	{ "$User,$PasswordChanged" | out-file $ResultsCSV -Append 
      $i++ 
 }
}

### Create the mail message and add the $Results.csv text file as an attachment###
Send-MailMessage –From server@somewhere.com –To $emailrecipients –Subject "Parent AD Password Check" –Body "Attached is the current list of parents who have not changed their default AD password." -Attachment $ResultsCSV –SmtpServer mail.somewhere.com 

But I get an error saying that the $ResultsCSV file isn't created (which it isn't) so it's not outputting any data. I can confirm that there are users in that OU who don't have passwords of Password1 which is what it's checking against.

Any ideas how to get this to work?

RE: Check to see if AD passwords have been changed from a generic

I think you are really over thinking this. Compare the whenCreated and pwdLastSet values. If they are different then you know the password was reset.

I hope that helps.

Regards,

Mark

Check out my scripting solutions at http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close