
2k Adminpak with 2003 AD?

Status
Not open for further replies.
Hi all,

I've been informed in the 2k pro forum that the 2k Adminpak is not "recommended" for 2003 AD. Are there some tasks that are strictly not recommended?

Here's the story, I’ve delegated change password rights to an OU for a group of users. I have then created a very restricted taskpad that only allows them to see users in this OU and only to change passwords and this seems to work ok. Can I get away with this as long as I don't use the 2k Adminpak to alter 2003 group policies?

Does anyone else use a 2k admin taskpad to allow 2k users to reset passwords?

Any advice greatly appreciated here.

Cheers.




 
As long as you are not editing GPOs I don't believe you will have any problems.

You might, however, consider something a little more custom, such as using a web page to do this. You could create a web page to first enumerate all of your users and present them in a drop-down box. Have an input box for the password and have a script that runs behind the scenes to reset the password.

Using this method you would not have to worry about local software at all.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hi Mark, thanks for the reply. I have actually tried to get a web page running to do this before but I’ve never quite got it right.
Do you know of any good sites that can provide me with info on how to do this?

My AD is set up so all of the students are listed under several OUs:

Domain
- Users
- Students
- 98
- 99
- 00

and so on. Will it be possible to use a script to enumerate all of the users in just these OUs?

Thanks.


 
I have a VBScript that will reset a user's password. Would it be possible to have a script for each OU and then a drop-down menu in a web page that will call the correct script?

What do you think?

Cheers.

 
If you have a working script, you could modify it to make it work in a web page to do what you are looking for. Post your script and I will give you a hand.

Would you prefer a drop down or a box to fill in the name?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
You could also do this with a batch file if you package it with the AD command-line management tools.

-DJ
 
Hmm, I'm not actually sure that this is going to do the job. It looks like I would have to enter the username into the script each time, rather than it asking for the username.


Set objUser = GetObject _
("LDAP://cn=GuidoT,ou=Worcester,dc=cp,dc=com")
objUser.SetPassword "gU1d0*!"

I'm looking for something that is going to ask for the CN.

Any ideas?




 
The script can be written to take the login name and return the full distinguished name.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Yes of course, I'll drag my VBScript book out and maybe post in the VB forum when I can't get it to work. :)

Cheers Mark.

 
This was fun to write for you. Here is the code you need.

You can convert the vbscript input boxes to html input boxes etc, or just run this as vbscript.

Code:
'==========================================================================
'
' NAME: ResetPasswordFromUsername.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 3/4/2005
'
' COMMENT: <comment>
'
'==========================================================================
Dim objuser, newpass, changenextlogin, UserLDAP, lngFlag
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Prompt for a logon name and bind to the matching user object
Set objuser = GetObject(GetandBind)

newpass = InputBox("enter the new password")
changenextlogin = InputBox("Require User to change password at next logon?" & _
                            vbCrLf & "Y or N" & vbCrLf & _
                            "Default is Yes")

objUser.SetPassword newpass

' pwdLastSet = 0 forces a password change at the next logon
If UCase(Left(changenextlogin,1)) <> "N" Then
    objUser.Put "PwdLastSet", 0
End If

objUser.SetInfo

' Clear "password never expires" if it is set on the account
lngFlag = objUser.Get("userAccountControl")
If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userAccountControl", lngFlag
    objUser.SetInfo
End If


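Public Function GetandBind
    ' Prompts for a logon name until it resolves to an object that can be
    ' bound, then returns that object's LDAP path.
    Dim strname, UserLDAP, bindErr

    Do
        strname = InputBox("enter the username")

        UserLDAP = "LDAP://" & SearchDistinguishedName(strname)

        ' Test-bind; keep the error number because On Error GoTo 0 clears Err
        On Error Resume Next
        Set objUser = GetObject(UserLDAP)
        bindErr = Err.Number
        On Error GoTo 0

        If bindErr = 0 Then Exit Do
        MsgBox "Invalid user ID. User not Found."
    Loop
    MsgBox UserLDAP

    GetandBind = UserLDAP

End Function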



Public Function SearchDistinguishedName(ByVal vSAN)
    ' Function:     SearchDistinguishedName
    ' Description:  Searches the DistinguishedName for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The DistinguishedName Name
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    ' vSAN goes into the filter exactly as typed; characters such as * ( ) \ are not escaped
    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute

    On Error Resume Next
    SearchDistinguishedName = oRecordSet.Fields("DistinguishedName")
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
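
Added example (not part of the thread and not Mark's code): a lookup that escapes the typed logon name before it enters the LDAP filter, searches only the OU the reset right was delegated on rather than the whole domain, and refuses to return a DN unless exactly one account matches. The OU path `ou=Students,dc=example,dc=com` and the names `EscapeLdapFilter`, `BuildUserQuery` and `FindStudentDN` are assumptions made for illustration.

```vbscript
Option Explicit
' Assumption: placeholder DN of the OU the reset right was delegated on.
Const SEARCH_BASE = "ou=Students,dc=example,dc=com"

' Escape the characters RFC 4515 reserves inside a filter value. The
' backslash goes first so the escapes added afterwards are left alone.
' ";" is escaped too because it separates the fields of the ADSI query.
Function EscapeLdapFilter(ByVal s)
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, ";", "\3b")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilter = s
End Function

' Query text limited to SEARCH_BASE, matching one exact logon name.
Function BuildUserQuery(ByVal vSAN)
    BuildUserQuery = "<LDAP://" & SEARCH_BASE & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
        EscapeLdapFilter(vSAN) & "));distinguishedName;subtree"
End Function

' Returns the DN only when exactly one user matches; "" otherwise.
' Needs a domain-joined machine, so the demo below does not call it.
Function FindStudentDN(ByVal vSAN)
    Dim oConnection, oCommand, oRecordSet
    FindStudentDN = ""
    If Len(Trim(vSAN)) = 0 Then Exit Function
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    Set oCommand.ActiveConnection = oConnection
    oCommand.CommandText = BuildUserQuery(vSAN)
    Set oRecordSet = oCommand.Execute
    If Not oRecordSet.EOF Then
        FindStudentDN = oRecordSet.Fields("distinguishedName").Value
        oRecordSet.MoveNext
        If Not oRecordSet.EOF Then FindStudentDN = ""  ' ambiguous, refuse
    End If
    oRecordSet.Close
    oConnection.Close
End Function

' Constructed inputs: a plain logon name, then one containing a wildcard.
WScript.Echo BuildUserQuery("jsmith")
WScript.Echo BuildUserQuery("j*")
```

Run it with `cscript` to see the two query strings; with the escape in place the wildcard input can only match an account literally named `j*`, so a helpdesk user cannot land on an arbitrary first match.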
 
Wow, thanks Mark, I'll give it a try when I get back to work on Monday.

 
Mark, that script works like a charm, thank you very much. It's exactly what I was after.

There is just one other thing that would make it perfect :~/ if a user runs the script then doesn't change a password, the box just will not go away. Any idea how to get rid of it other than CTRL ALT DEL?

If not don't worry it's a small price to pay for such a handy script, thanks once again.

 
Sorry I am not following you. Are you saying you want a way to terminate the script? How about TaskMan and stop WSCRIPT.EXE.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
If a member of staff runs the script then decides they don't want to change a password clicking the close box in the corner doesn't get rid of the box, it just errors and returns the box.

Don't worry about it Mark, it's fine. I've told them to stop moaning and not to run it unless they intend to change a password.

Thanks.

 
Add this to the script

If strname = "" Then
    WScript.Quit
End If

Add it directly under the line:
strname = InputBox("enter the username")

Then tell your user to not enter a user name and they can hit OK and it will exit.

Do the same here to allow a null password to exit the script:

newpass = InputBox("enter the new password")
If newpass = "" Then
    WScript.Quit
End If


I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Mark, there are a couple of other high schools in the area that I'm sure would love to look at this script. Do you mind if I let them? With credit to your good self of course. :)

 
Not a problem, I've posted it for public use.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 