User managament in AD

Discussion in 'Scripting' started by MarcusB, Mar 5, 2010.

  1. MarcusB

    MarcusB Guest

    I need simple script for our secretary for resetting password, account
    expiration.
    She do not belong to account operator group therefore I need that script
    will be run as another user with rights to change user password etc.
    User and passwor dcould be encoded in script.
    Is there any ready script? It will be nice if script will check if
    account exist and will allow reset password by writing it two
    times(avoid mistakes)

    Doeas any of you have already such vbs script?

    Regards
    Raff
     
    MarcusB, Mar 5, 2010
    #1
    1. Advertisements

  2. MarcusB

    Al Dunbar Guest

    Embedding the credentials of a member of the account operator group in a
    script is more of a risk than giving the secretary exclusive use of an
    operator account created for her and making her accountable for its use.

    If a password were to be changed by your script, you would not have any idea
    who actually made the change. And even if the password was not stored in
    plain text, its presence would be a liability.

    /Al
     
    Al Dunbar, Mar 6, 2010
    #2
    1. Advertisements

  3. MarcusB

    MarcusB Guest

    I do not think it is a bigger risk to embedding creddencials in the
    script. I am encrypting whole script and you can not read it contents
    and she/he to start the script have to know the password, because script
    ask also for password before running.



    Hot to embed credentials to be able to run objUser.SetInfo,. How to make
    script understand that it is different user than the user running the
    script?


    MarcusB
     
    MarcusB, Mar 8, 2010
    #3
  4. MarcusB

    Al Dunbar Guest

    If you are encrypting with screnc.exe that will certainly make it difficult
    to read - but NOT impossible for a determined hacker to decrypt it. Read the
    first paragraph here:

    http://www.microsoft.com/downloads/...67-C447-4873-B1B0-21F0626A6329&displaylang=en
    what password does it ask for? If it is a password hardcoded in the script,
    the determined hacker will know it. If it is the password of the privileged
    account you are using, why not just have your user run the script with
    runasÉ
    If the user has to input a password anyway, the simplest would be to have
    the user run the script with runas. Easiest would be to have a batch file
    build the runas command - the only input from the user would then be the
    password of the account being run as.
     
    Al Dunbar, Mar 9, 2010
    #4
  5. MarcusB

    MarcusB Guest

    What I want is that script will be run by persson who do not have
    "Administrator Account" rights. I will give to that persson login and
    password with such a rights. I want that script will ask for login and
    password and than run it with this credentials. How to do it?
    I do not need include login and password in the script if it so big risk
    aacording you.

    MarcusB
     
    MarcusB, Mar 10, 2010
    #5
  6. MarcusB

    Al Dunbar Guest

    Just so we are clear, if you give a person who does not have administrator
    rights the account name and password of an account that has administrator
    rights (or just account manager rights) then they do have administrator
    rights.

    If you give a user a sufficiently privileged account name and password for
    the purpose of running a script such as you are looking for, and, if you do
    not want that person to logon to that account interactively, you will have
    to do something to prevent that account from logging in interactively
    As I said previously, "Easiest would be to have a batch file build the runas
    command". Here is an example you might be able to adapt to your needs:

    @echo off
    (set/p adminuser=Enter name of privileged account: )
    runas /user:%adminuser% "%~dpn0.vbs"

    If you put the above script in a file called, for example, "setpass.cmd" it
    will first ask the user to enter the name of the privileged account to be
    used. The runas command will prompt for the password of this account, and,
    if entered correctly, will run a script called "setpass.vbs" located in the
    same folder under the credentials of the privileged account.

    If it does not work as I suggest it should, you might need to try some of
    the options of the runas command.

    /Al
     
    Al Dunbar, Mar 11, 2010
    #6
  7. MarcusB

    kj [SBS MVP] Guest

    Create a security group for password resets and delegate the right via the
    wizard at the OU level necessary. then just add the user (secretary) to the
    group and be done with it. Her auditable action will show up in the logs and
    no need to code anything or any such effort.

    Person runs your script under their account and password gets reset
    accordingly. - just as simple as that.
     
    kj [SBS MVP], Mar 23, 2010
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.