Active Directory Rights

Discussion in 'Software' started by mikey1120, Oct 19, 2006.

  1. mikey1120

    mikey1120 Private E-2

    Here's an interesting one: In Active Directory, I am looking for a way to allow a non-admin user to change another user's password without giving them other rights such as create/delete. If possible, I'd also like to limit which users this person could change passwords on (i.e., will not be able to change any admin user's passwords). I'm going to guess the best way to do this would be through a command prompt. My server is Windows 2000 SP4.

    Thanks in advance!
     
  2. Mada_Milty

    Mada_Milty MajorGeek

    I don't know if AD provides this kind of functionality natively, but I have written a script to reset a user's password...

    Perhaps you could do something similar, and assign NTFS permissions on the script?

    I'd gladly post my code, if you like....
     
  3. mikey1120

    mikey1120 Private E-2

    Sure, at this point I'm open to any suggestions. Thanks for the reply!
     
  4. Mada_Milty

    Mada_Milty MajorGeek

    Code:
    Option Explicit
    
    '**************************************************************************
    '*				Variable Declaration And Initialization
    '**************************************************************************
    
    Dim o_filesys, o_log, o_shell, o_leaf, o_office, o_floor
    Dim v_logtext, v_reply, v_flag
    
    ' Every reset is appended to this shared log file
    Const c_logpath = "\\cglfileshare\data\logs\pwdresets.txt"
    
    Set o_filesys = CreateObject ("Scripting.FileSystemObject")
    Set o_log = o_filesys.opentextfile (c_logpath, 8, True)	' 8 = ForAppending, True = create if missing
    Set o_shell = WScript.CreateObject("WScript.Shell")
    ' The two OUs whose user accounts this script is allowed to reset
    Set o_office = GetObject("LDAP://OU=Users, OU=Office, OU=CGL, DC=corp, DC=cglmfg, DC=com")
    Set o_floor = GetObject("LDAP://OU=Users, OU=MFGFloor, OU=CGL, DC=corp, DC=cglmfg, DC=com")
    
    '**************************************************************************
    '*				Function Definition
    '**************************************************************************
    
    ' Append a timestamped line to the log
    Sub write_log (p_logtext)
    	v_logtext = CStr(Now()) + " - " + p_logtext
    	o_log.writeline (v_logtext)
    End Sub
    
    ' Prompt for a user name until it matches an account in one of the two OUs,
    ' reset that account, then offer to do another
    Sub get_valid_user_name ()
    	v_reply = vbyes
    	Do Until v_reply = vbno
    		v_flag = False
    		Do Until v_flag = True 
    			v_reply = InputBox ("Please Enter The User Name:", "Enter User Name")
    			If v_reply = "" Then	' Cancel or empty input ends the script
    				WScript.Quit()
    			End If
    			' Match the typed name against the UPN of each account in the Office OU
    			For Each o_leaf In o_office
    				If (LCase(o_leaf.userprincipalname) = LCase(v_reply + "@corp.cglmfg.com")) Then
    					v_flag = True
    					Exit For
    				End If
    			Next
    			' Not found there: try the MFGFloor OU
    			If v_flag = False Then
    				For Each o_leaf In o_floor
    					If (LCase(o_leaf.userprincipalname) = LCase(v_reply + "@corp.cglmfg.com")) Then
    						v_flag = True
    						Exit For
    					End If
    				Next
    			End If
    			If v_flag = False Then
    				o_shell.popup "Sorry, " + v_reply + " does not match any user names.", _
    				5, "Invalid User Name", vbokonly + vbexclamation
    			End If
    		Loop
    		' o_leaf is the matched account: set a fixed initial password and
    		' force the user to change it at next logon (pwdLastSet = 0)
    		o_leaf.setpassword "password"
    		o_leaf.put "PwdLastSet", 0
    		o_leaf.setinfo
    		o_shell.popup "Password for " + v_reply + " reset.", 5, "Password Reset", vbinformation
    		write_log ("Password for " + v_reply + " reset.")
    		v_reply = MsgBox ("Would you like to reset another?", vbquestion + vbyesno, "Another?")
    	Loop 
    End Sub
    
    '**************************************************************************
    '*				Main Program Execution
    '**************************************************************************
    
    get_valid_user_name()
    o_log.close
    
    Here's what this does:

    1. It creates a few objects to work with. These include:
    - A filesystem object, so I can interact with files and folders
    - A text file object that I use as a log
    - A shell object so that I can interact with the Windows GUI, such as sending keys to the active window or running programs
    - An object for each of the OUs in our directory that contain user objects

    2. This script will then prompt the user to enter a user name, and check that it is valid by checking each account. There may be security risks introduced here. If there are administrative accounts in your OUs, you'll want to restrict choosing them as valid users. Our own administrative accounts are in another OU, so it's not a concern.

    3. Once a valid account has been found, this is set to change the password to "password", and have the user change it on next login.

    Remember, I've written this with the intention of resetting a forgotten password, which might not exactly match your requirements. Fortunately, this can be tuned for your needs.
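    The point in item 2 above (keep the help desk away from admin accounts) can be enforced inside the script itself rather than by relying on OU layout. The following is an added example, not Mada_Milty's script: it looks the account up by sAMAccountName with an escaped LDAP filter, refuses any account that AdminSDHolder has marked with adminCount=1, and only then resets the password with "must change at next logon". The search base reuses the thread's OU and domain names and is an assumption to adjust for your own forest.

```vbscript
Option Explicit
' Added example, not Mada_Milty's script: find the account by name, refuse
' AdminSDHolder-protected accounts (adminCount=1), then reset with "must change
' at next logon". The search base is the thread's; adjust it for your forest.

Const c_searchbase = "LDAP://OU=CGL,DC=corp,DC=cglmfg,DC=com"

' Find a user by sAMAccountName below c_searchbase; returns Nothing if absent.
Function find_user(p_name)
    Dim o_conn, o_rs, v_safe
    Set find_user = Nothing
    ' Escape RFC 4515 filter metacharacters so a typed name cannot alter the filter.
    v_safe = Replace(Replace(Replace(Replace(p_name, "\", "\5c"), "*", "\2a"), "(", "\28"), ")", "\29")
    Set o_conn = CreateObject("ADODB.Connection")
    o_conn.Provider = "ADsDSOObject"
    o_conn.Open "Active Directory Provider"
    Set o_rs = o_conn.Execute("<" & c_searchbase & ">;(&(objectCategory=person)" & _
        "(objectClass=user)(sAMAccountName=" & v_safe & "));adsPath;subtree")
    If Not o_rs.EOF Then Set find_user = GetObject(o_rs.Fields("adsPath").Value)
    o_conn.Close
End Function

' True for accounts the help desk must never touch: adminCount=1 marks accounts
' protected by AdminSDHolder (Domain Admins, Account Operators, ...); a stale 1
' left after group removal still refuses, which is the safe direction.
Function is_protected(o_user)
    Dim v_count
    is_protected = False
    On Error Resume Next            ' adminCount is absent on ordinary users
    v_count = o_user.Get("adminCount")
    On Error GoTo 0
    If Not IsEmpty(v_count) Then is_protected = (CLng(v_count) = 1)
End Function

' Reset o_user to p_newpwd and force a change at next logon; returns a status string.
Function reset_password(o_user, p_newpwd)
    If is_protected(o_user) Then
        reset_password = "refused: " & o_user.Get("sAMAccountName") & " is protected"
        Exit Function
    End If
    o_user.SetPassword p_newpwd
    o_user.Put "pwdLastSet", 0      ' 0 = user must change password at next logon
    o_user.SetInfo
    reset_password = "reset: " & o_user.Get("sAMAccountName")
End Function

Dim o_target
Set o_target = find_user(InputBox("User name to reset:", "Password Reset"))
If o_target Is Nothing Then WScript.Echo "No such user" Else _
    WScript.Echo reset_password(o_target, InputBox("Temporary password:", "Password Reset"))
```

    Run it as the delegated help-desk account so that the Reset Password right granted to that account, not the script, is what decides which OUs it can touch.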
     
  5. mikey1120

    mikey1120 Private E-2

    Thank you very much for the reply! You've given me more than a starting point and I will be looking into this. :)
     
