Posts Tagged ‘Networking’


Problem

You want to prevent a user’s password from expiring.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “Password never expires.”
  8. Click OK.

Using a command-line interface

> dsmod user "<UserDN>" -pwdneverexpires yes

Using VBScript

        ' This code sets a user's password to never expire
        ' ------ SCRIPT CONFIGURATION ------
        strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION --------

        intBit = 65536   ' ADS_UF_DONT_EXPIRE_PASSWD
        strAttr = "userAccountControl"
        set objUser = GetObject("LDAP://" & strUserDN)
        intBitsOrig = objUser.Get(strAttr)
        intBitsCalc = CalcBit(intBitsOrig, intBit, TRUE)
        if intBitsOrig <> intBitsCalc then
           objUser.Put strAttr, intBitsCalc
           objUser.SetInfo
           WScript.Echo "Changed " & strAttr & " from " & _
                        intBitsOrig & " to " & intBitsCalc
        else
           WScript.Echo "Did not need to change " & strAttr & " (" & _
                        intBitsOrig & ")"
        end if

        ' Helper used above: sets (boolEnable = TRUE) or clears (FALSE)
        ' the flag intBit in the bitmask intValue and returns the result
        Function CalcBit(intValue, intBit, boolEnable)
           CalcBit = intValue
           if boolEnable = TRUE then
              CalcBit = intValue OR intBit
           else
              if intValue AND intBit then
                 CalcBit = intValue XOR intBit
              end if
           end if
        End Function

Discussion

Setting a user’s password to never expire overrides any password aging policy you’ve defined in the domain. To disable password expiration, set the bit with the value 65536 (i.e., 10000000000000000 in binary) in the userAccountControl attribute of the target user.


Problem

You want to require a user to change his password the next time he logs on to the domain.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “User must change password at next logon.”
  8. Click OK.

Using a command-line interface

You can configure the “User must change password” using either DSMod or AdMod. To modify this setting using DSMod, use the following syntax:

> dsmod user "<UserDN>" -mustchpwd yes

For AdMod, do the following:

> admod -b "<UserDN>" pwdLastSet::0

Using VBScript

        ' This code sets the flag that requires a user to change their
        ' password at next logon
        ' ------ SCRIPT CONFIGURATION ------
        strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION --------

        set objUser = GetObject("LDAP://" & strUserDN)
        ' A pwdLastSet of 0 means "must change password at next logon"
        objUser.Put "pwdLastSet", 0
        objUser.SetInfo
        WScript.Echo "User must change password at next logon: " & strUserDN

Discussion

When a user changes her password, a timestamp is written to the pwdLastSet attribute of the user object. When the user logs in to the domain, this timestamp is compared to the maximum password age that is defined by the Domain Security Policy to determine if the password has expired. To force a user to change her password at next logon, set the pwdLastSet attribute of the target user to zero, and verify that the user’s account doesn’t have the “password never expires” option enabled.

To disable this option so that a user does not have to change her password, set pwdLastSet to -1. These two values (0 and -1) are the only ones that can be set on the pwdLastSet attribute.
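The two discussions above leave the administrator with raw numbers: bit 65536 in userAccountControl and 0 or -1 in pwdLastSet. The following Python is an added example, not code from the cookbook or its scripts, showing how to interpret those values when auditing accounts (for instance from an LDAP export): it decodes the userAccountControl flags, reimplements the CalcBit helper the VBScript solution relies on, and computes when a password expires from pwdLastSet together with the domain's maxPwdAge. The flag values and the FILETIME epoch are documented Windows constants; the sample pwdLastSet and maxPwdAge values, and the account list, are constructed for the example.

```python
"""Decode userAccountControl and work out when a password expires.

Added example: interprets the values the recipes above write, so that an
audit can read them back from a directory export.
"""
from datetime import datetime, timedelta, timezone

# Well-known userAccountControl flags (ADS_USER_FLAG_ENUM values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_EXPIRE_PASSWORD = 0x10000
ACCOUNTDISABLE = 0x0002

# maxPwdAge value that means "passwords never expire" at the domain level
NEVER_EXPIRES_MAX_PWD_AGE = -0x8000000000000000
# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def calc_bit(value, bit, enable):
    """Python version of the recipe's CalcBit: set or clear one flag."""
    return value | bit if enable else value & ~bit


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_status(pwd_last_set, max_pwd_age, uac):
    """Return (status, expiry) for one account.

    status is "must-change", "never" or "expires"; expiry is a datetime only
    for "expires". max_pwd_age is the domain's maxPwdAge, which AD stores as
    a negative tick count, so the expiry is pwdLastSet minus maxPwdAge.
    """
    if pwd_last_set == 0:
        return "must-change", None
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, NEVER_EXPIRES_MAX_PWD_AGE):
        return "never", None
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)


def never_expiring_enabled_accounts(accounts):
    """Audit helper: enabled accounts whose password never expires.

    accounts is an iterable of (sAMAccountName, userAccountControl) pairs.
    """
    return [name for name, uac in accounts
            if uac & DONT_EXPIRE_PASSWORD and not uac & ACCOUNTDISABLE]


# Constructed sample values (not real directory data).
FORTY_TWO_DAYS = -42 * 24 * 3600 * 10_000_000   # maxPwdAge of 42 days
JAN_1_2024 = 133_485_408_000_000_000              # pwdLastSet FILETIME for 2024-01-01 UTC
SAMPLE_ACCOUNTS = [("svc-backup", 66048), ("old-admin", 66050), ("jsmith", 512)]

if __name__ == "__main__":
    print(decode_uac(66048))
    print(password_status(JAN_1_2024, FORTY_TWO_DAYS, 512))
    print(password_status(0, FORTY_TWO_DAYS, 512))
    print(password_status(JAN_1_2024, FORTY_TWO_DAYS, 66048))
    print(never_expiring_enabled_accounts(SAMPLE_ACCOUNTS))
```

A caveat the decoder makes visible: PASSWD_CANT_CHANGE (0x40) is reported here only because it can appear in exported values; Active Directory does not enforce that bit when it is written to userAccountControl, which is why the "User cannot change password" recipe further down works through deny ACEs on the object rather than through this attribute.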


Problem

You want to disable a user’s ability to change her password.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “User cannot change password.”
  8. Click OK.

Using a command-line interface

> dsmod user <UserDN> -canchpwd no

Using VBScript

        ' This code disables a user's ability to change password
        ' ------ SCRIPT CONFIGURATION ------
        strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION ---------

        Const ACETYPE_ACCESS_DENIED_OBJECT = 6
        Const ACEFLAG_OBJECT_TYPE_PRESENT = 1
        Const RIGHT_DS_CONTROL_ACCESS = 256
        ' GUID of the User-Change-Password extended right
        Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

        set objUser = GetObject("LDAP://" & strUserDN)
        set objSD = objUser.Get("ntSecurityDescriptor")
        set objDACL = objSD.DiscretionaryAcl

        ' Add a deny ACE for Everyone
        set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = "Everyone"
        objACE.AceFlags = 0
        objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
        objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
        objACE.ObjectType = CHANGE_PASSWORD_GUID
        objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
        objDACL.AddAce objACE

        ' Add a deny ACE for Self
        ' (This is only necessary to prevent a user from
        ' changing their own password.)
        set objACE = CreateObject("AccessControlEntry")
        objACE.Trustee = "Self"
        objACE.AceFlags = 0
        objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
        objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
        objACE.ObjectType = CHANGE_PASSWORD_GUID
        objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
        objDACL.AddAce objACE

        ' Write the modified DACL back to the user object
        objSD.DiscretionaryAcl = objDACL
        objUser.Put "nTSecurityDescriptor", objSD
        objUser.SetInfo
        WScript.Echo "Enabled no password changing for " & strUserDN

Discussion

Even though in the GUI solution you check and uncheck the “User cannot change password” setting, actually making the change in Active Directory is a little more complicated as is evident in the VBScript solution. Not allowing a user to change her password consists of setting two deny Change Password ACEs on the target user object. One deny ACE is for the Everyone account and the other is for Self.

The VBScript solution should work as is, but it is not very robust in terms of checking to see if the ACEs already exist and making sure they are in the proper order. If you need to make the code more robust, we suggest checking out MS KB 269159 for more information on setting ACEs properly.


Problem

You want to set the password for a user.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, right-click on the user and select Reset Password.
  6. Enter and confirm the new password.
  7. Click OK.

Using a command-line interface

This command changes the password for the user specified by <UserDN>. Using * after the -pwd option prompts you for the new password. You can replace * with the password you want to set, but this is not good security practice, since other users logged in to the machine may be able to see it.

> dsmod user <UserDN> -pwd *

You can also use admod with the #setpwd# switch, as follows:

> admod -b "<UserDN>" #setpwd#::<NewPassword>

You can also modify the unicodepwd attribute directly by encrypting the admod connection using the kerbenc switch, as follows:

> admod -b "<UserDN>" unicodepwd::<Password> -kerbenc

Using VBScript

        ' This code sets the password for a user.
        ' ------ SCRIPT CONFIGURATION ------
        strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
        strNewPasswd = "<NewPassword>"
        ' ------ END CONFIGURATION --------

        set objUser = GetObject("LDAP://" & strUserDN)
        ' IADsUser::SetPassword resets the password without knowing the old one
        objUser.SetPassword(strNewPasswd)
        WScript.Echo "Password set for " & objUser.Get("cn")

Discussion

A one-way hash of a user’s password is stored in the unicodePwd attribute. There are several supported methods to modify this attribute directly, or you can use one of the supported APIs to do so.

With the VBScript solution, you can use the IADsUser::SetPassword method or IADsUser::ChangePassword. The latter requires the existing password to be known before a new one can be set. This is the method you’d want to use if you’ve created a web page that accepts the previous password before allowing a user to change it.

Problem

You want to copy one user’s group membership to another user.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to transfer groups from and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. For each group you want to add the other user to, do the following:
    1. Double-click on the group.
    2. Click the Members tab.
    3. Click the Add button.
    4. Find the user you want to add in the object picker and click OK.
    5. Click OK.
Using a command-line interface

The following command line will add <NewUserDN> to all of the groups that <CurrentUserDN> is a member of:

        > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do dsmod group %i -addmbr "<NewUserDN>"

If you want to get fancy and remove <CurrentUserDN> from each of the groups in the same operation, simply add an -rmmbr option on the end:

        > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do dsmod group %i -addmbr "<NewUserDN>" -rmmbr "<CurrentUserDN>"
Using VBScript
        ' This code adds the "new" user to the groups the "current"
        ' user is a member of
        ' ------ SCRIPT CONFIGURATION ------
        strCurrentUserDN = "<CurrentUserDN>"
        ' e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com
        strNewUserDN = "<NewUserDN>"
        ' ------ END CONFIGURATION ---------

        Const ADS_PROPERTY_APPEND = 3
        set objCurrentUser = GetObject("LDAP://" & strCurrentUserDN)
        set objNewUser = GetObject("LDAP://" & strNewUserDN)

        on error resume next
        WScript.Echo "Transferring groups from " & strCurrentUserDN & " to " & strNewUserDN
        for each strGroupDN in objCurrentUser.GetEx("memberOf")
           set objGroup = GetObject("LDAP://" & strGroupDN)
           ' Append the new user's DN to the group's member attribute
           objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strNewUserDN)
           objGroup.SetInfo
           if Err.Number <> 0 then
              WScript.Echo "Error adding user to group: " & strGroupDN & _
                           " (" & Err.Description & ")"
              Err.Clear ' reset so the next group is reported correctly
           else
              WScript.Echo "Added user to group: " & strGroupDN
           end if
        next

Discussion

Employees come and go; people take on new responsibilities and move on to new jobs. It is common to have movement within an organization. When this happens, typically someone is replacing the person that is moving on. The new person needs to get up to speed as quickly as possible, including getting accounts set up and access to any necessary resources. A big part of this includes getting added to the correct groups. You can help facilitate this by using one of the processes outlined in the Solution section to help the user gain access to the exact same groups that the former employee was a member of.

One important issue to point out is that the memberOf attribute, which was used in the Solution section to determine a user’s group membership, contains only the groups that are visible to the DC that’s being queried; this can vary depending on whether the DC in question is a Global Catalog and whether the user belongs to any universal groups. Any groups the user is a member of outside of the user’s domain will not be transferred. To transfer universal group membership outside of a domain, you will need to perform a query against the global catalog for all group objects that have a member attribute that contains the DN of the user. You can also search the Global Catalog for the memberOf attribute for a given user to determine a user’s universal group memberships.
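The Discussion points out that memberOf only shows groups the queried DC knows about, and that a search against the Global Catalog for group objects whose member attribute contains the user's DN is needed to catch universal groups in other domains. The following Python is an added example, not code from the cookbook, that makes both lookups and the difference between them concrete over a small constructed in-memory directory (group DN to member DNs); it also shows the RFC 4515 escaping that a DN needs before it is embedded in a (member=...) search filter. Running the filter against a real GC with an LDAP client is assumed and not shown.

```python
"""Copy one user's group membership to another, with the memberOf caveat.

Added example over a constructed directory: group DN -> list of member DNs.
Two groups live in the user's own domain; one is a universal group in a
different domain of the forest.
"""

JSMITH_DN = "cn=jsmith,ou=Sales,dc=rallencorp,dc=com"
RALLEN_DN = "cn=rallen,ou=Sales,dc=rallencorp,dc=com"
SALES_DN = "cn=Sales,ou=Groups,dc=rallencorp,dc=com"
VPN_DN = "cn=VPN Users,ou=Groups,dc=rallencorp,dc=com"
EMEA_STAFF_DN = "cn=All Staff,ou=Groups,dc=emea,dc=rallencorp,dc=com"

DIRECTORY = {
    SALES_DN: [JSMITH_DN],
    VPN_DN: [JSMITH_DN, RALLEN_DN],
    EMEA_STAFF_DN: [JSMITH_DN],
}


def sample_directory():
    """A fresh, mutable copy of the constructed directory."""
    return {group: list(members) for group, members in DIRECTORY.items()}


def domain_of(dn):
    """The domain part of a DN: its dc= components joined together."""
    return ",".join(p for p in dn.split(",") if p.lower().startswith("dc="))


def member_of_local(directory, user_dn):
    """What a DC's memberOf back-link shows for the user: groups in the
    user's own domain only (the limitation the Discussion describes)."""
    home = domain_of(user_dn)
    return [g for g, members in directory.items()
            if user_dn in members and domain_of(g) == home]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Applied to the DN before it goes into (member=...) so that characters
    such as '(' or '*' in a CN cannot change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_filter(user_dn):
    """Filter for a Global Catalog search: every group whose member
    attribute contains this user's DN."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


def groups_by_member_search(directory, user_dn):
    """Simulates running member_filter() against the GC: the reverse
    lookup finds groups in every domain of the forest."""
    return [g for g, members in directory.items() if user_dn in members]


def transfer_groups(directory, current_dn, new_dn, use_gc=False):
    """Add new_dn to every group current_dn belongs to and return the list
    of group DNs changed. Groups that already contain new_dn are skipped,
    which is the check the VBScript solution above does not make."""
    lookup = groups_by_member_search if use_gc else member_of_local
    changed = []
    for group_dn in lookup(directory, current_dn):
        members = directory[group_dn]
        if new_dn in members:
            continue
        members.append(new_dn)
        changed.append(group_dn)
    return changed


if __name__ == "__main__":
    print("memberOf view:", transfer_groups(sample_directory(), JSMITH_DN, RALLEN_DN))
    print("GC view:      ", transfer_groups(sample_directory(), JSMITH_DN, RALLEN_DN, use_gc=True))
    print(member_filter(JSMITH_DN))
```

With the memberOf view only the Sales group is changed (VPN Users already contains the target and the EMEA universal group is invisible); with the GC-style reverse search the EMEA group is transferred as well.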

Problem

You want to enable or disable a user account.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, right-click on the user and select Enable Account to enable or Disable Account to disable.
  6. Click OK.
Using a command-line interface

To enable a user, use the following command:

        > dsmod user <UserDN> -disabled no

To disable a user, use the following command:

        > dsmod user <UserDN> -disabled yes
Using VBScript
        ' This code will enable or disable a user.
        ' ------ SCRIPT CONFIGURATION ------
        ' Set to TRUE to disable the account or FALSE to enable it
        ' (the value is assigned to IADsUser::AccountDisabled below)
        strDisableAccount = FALSE
        strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION --------

        set objUser = GetObject("LDAP://" & strUserDN)
        if objUser.AccountDisabled = TRUE then
           WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"
           if strDisableAccount = FALSE then
              objUser.AccountDisabled = strDisableAccount
              objUser.SetInfo
              WScript.Echo "Account enabled"
           end if
        else
           WScript.Echo "Account currently enabled"
           if strDisableAccount = TRUE then
              objUser.AccountDisabled = strDisableAccount
              objUser.SetInfo
              WScript.Echo "Account disabled"
           end if
        end if

Discussion

Account status is used to control whether a user is allowed to log on or not. When an account is disabled, the user is not allowed to log on to her workstation with the account or to access AD controlled resources.

There is an IADsUser::AccountDisabled property that allows you to determine and change the status. Set the property to FALSE to enable the account or TRUE to disable it.

Problem

A user is having account lockout problems and you need to determine from where and how it is getting locked out.

Solution

Using a graphical user interface

LockoutStatus is a new program available for Windows 2000 or Windows Server 2003 that can help identify on which domain controllers a user is being locked out. It works by querying the lockout status of a user against all domain controllers in the user’s domain.

To determine the lockout status of a user:

  1. Launch LockoutStatus and select File → Select Target from the menu.
  2. Enter the target user name and the domain of the user.
  3. Click OK.

At this point, each domain controller in the domain will be queried and the results will be displayed.

Discussion

The lockoutstatus.exe tool is just one of many that are available in the new “Account Lockout and Management” toolset provided by Microsoft. These new lockout tools are intended to help administrators with account lockout problems that were very difficult to troubleshoot given the tools available under Windows 2000. Along with the tool mentioned in the Solution section, here are a few others that are included in the set:

ALockout.dll

A script that uses this DLL called EnableKerbLog.vbs (included with the toolset), can be used to enable logging of application authentication. This can help identify applications that are using bad credentials and causing account lockouts.

ALoInfo.exe

Displays services and shares that are using a particular account name. It can also print all the users and their password age.

NLParse.exe

A filter tool for the netlogon.log files. You can use it to extract just the lines that relate to account lockout information.

EventCombMT

A utility to parse Event Logs from multiple servers, either to collect all entries together or to search for individual events across multiple computers. This is extremely useful when troubleshooting user account lockouts, for example, by determining which computer is causing the account lockout.

All of the new Account Lockout tools can be downloaded from:

http://microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
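NLParse and EventCombMT exist because the answer to "where is this account being locked out from" is buried in netlogon.log and in the Security logs of many DCs. The following Python is an added example, not part of the cookbook or of the Account Lockout toolset, that does the NLParse step in a few lines: it filters netlogon-style lines for one account, maps the NTSTATUS codes to names, and counts the originating machines, which is the view that points at the workstation or service holding stale credentials. The log lines are constructed to resemble netlogon.log output; the real format differs between Windows versions, so the regular expression is the part to adjust to your logs.

```python
"""Find where failed logons for an account are coming from.

Added example over constructed netlogon.log-style lines. Failed credential
checks carry an NTSTATUS code; the source field names the machine the
attempt came from, which is what you need to stop a lockout loop.
"""
import re
from collections import Counter

# NTSTATUS codes netlogon reports for credential checks.
STATUS_NAMES = {
    0x00000000: "SUCCESS",
    0xC000006A: "WRONG_PASSWORD",
    0xC000006D: "LOGON_FAILURE",
    0xC0000234: "ACCOUNT_LOCKED_OUT",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?"
    r"logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample log (not real data); two hosts keep sending a bad
# password for jsmith and one of them finally trips the lockout.
SAMPLE_LOG = """\
01/31 09:12:01 [LOGON] [2288] RALLENCORP: SamLogon: Network logon of RALLENCORP\\jsmith from WKS-0042 (via DC01) Returns 0xC000006A
01/31 09:12:03 [LOGON] [2288] RALLENCORP: SamLogon: Network logon of RALLENCORP\\jsmith from WKS-0042 (via DC01) Returns 0xC000006A
01/31 09:12:05 [LOGON] [2288] RALLENCORP: SamLogon: Transitive Network logon of RALLENCORP\\jsmith from SQL-PROD (via DC02) Returns 0xC000006A
01/31 09:12:09 [LOGON] [2288] RALLENCORP: SamLogon: Network logon of RALLENCORP\\rallen from WKS-0007 (via DC01) Returns 0x0
01/31 09:12:11 [LOGON] [2288] RALLENCORP: SamLogon: Network logon of RALLENCORP\\jsmith from WKS-0042 (via DC01) Returns 0xC0000234
01/31 09:12:12 [MISC] some unrelated line
"""


def parse_netlogon(text):
    """Parse logon result lines; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"], 16)
        ev["status_name"] = STATUS_NAMES.get(ev["status"], "UNKNOWN")
        events.append(ev)
    return events


def failure_sources(events, account):
    """Count (source machine, status name) pairs for failed logons of one
    account; the account comparison is case-insensitive like AD itself."""
    counts = Counter()
    for ev in events:
        if ev["account"].lower() != account.lower() or ev["status"] == 0:
            continue
        counts[(ev["source"], ev["status_name"])] += 1
    return counts


def likely_lockout_source(events, account):
    """The machine with the most failed attempts for the account, or None
    when the log holds no failures for it."""
    per_source = Counter()
    for (source, _status), n in failure_sources(events, account).items():
        per_source[source] += n
    return per_source.most_common(1)[0][0] if per_source else None


if __name__ == "__main__":
    evts = parse_netlogon(SAMPLE_LOG)
    for key, n in failure_sources(evts, "RALLENCORP\\jsmith").items():
        print(key, n)
    print("likely source:", likely_lockout_source(evts, "RALLENCORP\\jsmith"))
```

On the sample, WKS-0042 produces three failures (two wrong passwords, then the locked-out status) against one from SQL-PROD, so it is the machine to check first; the SQL-PROD entry is still worth a look, since a service or scheduled task there is also using the old password.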

Problem

You want to copy an existing user account, which may be serving as a template, to create a new account.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, browse to the parent container of the template user object.
  3. In the right pane, right-click on the user and select Copy.
  4. Enter the name information for the new user and click Next.
  5. Enter a password, check any options you want enabled, and click Next.
  6. Click Finish.
Using VBScript
        ' This code copies the attributes in the Attrs array from an
        ' existing object to a new one.
        ' ------ SCRIPT CONFIGURATION ------
        arrAttrs = Array("department","co","title","l", "c", "st")
        strParentDN = "<ParentContainer>" ' e.g. cn=Users,dc=rallencorp,dc=com
        strTemplateUser = "<TemplateUserName>" ' e.g. template-user-sales
        strNewUser = "<NewUserName>" ' e.g. jdoe
        strPassword = "<Password>"
        ' ------ END CONFIGURATION ---------

        Const ADS_UF_NORMAL_ACCOUNT = 512 ' from ADS_USER_FLAG_ENUM

        Set objTemplate = GetObject("LDAP://cn=" & strTemplateUser & _
                                    "," & strParentDN)
        Set objParent = GetObject("LDAP://" & strParentDN)
        Set objUser = objParent.Create("user", "cn=" & strNewUser)

        objUser.Put "sAMAccountName", strNewUser

        for each strAttr in arrAttrs
           objUser.Put strAttr, objTemplate.Get(strAttr)
        next

        objUser.SetInfo
        objUser.SetPassword(strPassword)
        objUser.SetInfo

        objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
        objUser.AccountDisabled = FALSE
        objUser.SetInfo

        WScript.Echo "Successfully created user"

Discussion

Copying a user consists of copying the attributes that are common among a certain user base, which can include department, address, and perhaps even organizational information. ADUC actually uses attributes that are marked in the schema as “Copied when duplicating a user” to determine which attributes to copy. The VBScript solution just used a hard-coded set of attributes.

Using a graphical user interface

To copy a user in ADUC, you have to browse to the user object. If you locate the user by using Find instead, the Copy option is not available when right-clicking a user in the search results window.

Using VBScript

ADSI has a CopyHere method, but it is available only for the NDS provider. It was not implemented for the LDAP provider and so copying a user via a single method is not supported.

Problem

You want to move a user object to a different container or OU.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Type the name of the user and click Find Now.
  5. In the Search Results window, right-click on the user and select Move.
  6. Browse to and select the new parent container or OU.
  7. Click OK.

In Windows Server 2003 and above, you can also drag and drop objects from one container or OU into another.

Using a command-line interface

You can move an object using either the built-in DSMove utility or AdMod. DSMove takes the following syntax:

        > dsmove "<UserDN>" -newparent "<NewParentDN>"

To move an object using AdMod, do the following:

        > admod -b "<Current User DN>" -move "<New Parent DN>"
Using VBScript
        ' This code moves a user from one container to another.
        ' ------ SCRIPT CONFIGURATION ------
        strUserDN = "<UserDN>"    ' e.g. cn=rallen,cn=users,dc=rallencorp,dc=com
        strOUDN = "<NewParentDN>" ' e.g. ou=Sales,dc=rallencorp,dc=com
        ' ------ END CONFIGURATION ---------
        Set objUser = GetObject("LDAP://" & strUserDN)
        Set objOU = GetObject("LDAP://" & strOUDN)
        objOU.MoveHere objUser.ADsPath, objUser.Name

Discussion

Moving a user object between OUs in the same domain has no direct impact on the actual user in terms of any security or distribution groups that the user is a member of. The only thing to be cautious of is the impact of moving the user to a new OU that may have different security settings or GPOs applied to it.

Problem

You want to set one or more of the user profile attributes.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Profile tab.
  7. Modify the various profile settings as necessary.
  8. Click OK.
Using a command-line interface

You can update a user’s profile attributes using either DSMod or AdMod. DSMod uses the following syntax:

        > dsmod user "<UserDN>" -loscr <ScriptPath> -profile <ProfilePath> -hmdir <HomeDir> -hmdrv <DriveLetter>

AdMod uses the following syntax:

        > admod -b "<UserDN>" <attribute>::<NewValue>
Using VBScript
        ' This code sets the various profile related attributes for a user.
        strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
        set objUser = GetObject("LDAP://" & strUserDN)
        objUser.Put "homeDirectory", "\\fileserver\" & objUser.Get("sAMAccountName")
        objUser.Put "homeDrive", "z:"
        objUser.Put "profilePath", "\\fileserver\" & _
                    objUser.Get("sAMAccountName") & "\profile"
        objUser.Put "scriptPath", "login.vbs"
        objUser.SetInfo
        Wscript.Echo "Profile info for " & objUser.Get("sAMAccountName") & " updated"

Discussion

The four attributes that make up a user’s profile settings include the following:

homeDirectory

UNC path to home directory

homeDrive

Drive letter (e.g., Z:) to map home directory

profilePath

UNC path to profile directory

scriptPath

Path to logon script

When you set the homeDirectory attribute, the folder being referenced needs to already exist.