
Password Reset utility for non-admins.


#1 blckpythn

blckpythn

    Adventurer

  • Active Members
  • 149 posts

Posted 15 February 2013 - 10:28 PM

I help manage several networks, and get a lot of password reset requests for students and such.
So instead of making some of the staff admins, I found a creative way of giving them the ability to reset passwords.

This is obviously for Active Directory domains only, and requires the AD.au3 UDF.

They must be part of the group listed in the ini (if you use my method), and the group must have the delegate permission for setting a user's password in AD.
Search for Delegate Control of an OU.
Also, if you log to a server share like I did, make sure both share and NTFS permissions are opened up.

Only tested on Server 2003, 2008, and Win 7

I'm open to constructive criticism, especially if anyone knows another way for having the input field recognize that the enter key was pressed.

If you download the txt, change it to an .ini file, it wouldn't let me upload an ini...


AutoIt

    #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
    #AutoIt3Wrapper_Icon=..\CompInfo\Control-Panel.ico
    #AutoIt3Wrapper_Add_Constants=n
    #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
    #comments-start --INFO
    ;
    ; User's must have permission and be part of the group listed in the Clients.ini under Paset.
    ;
    #comments-end ----INFO
    ;
    ; Include names are missing from the post as captured; the script needs at least these:
    #include <AD.au3>             ; _AD_* functions
    #include <File.au3>           ; _FileWriteLog
    #include <GUIConstantsEx.au3> ; $GUI_EVENT_CLOSE
    #include <Misc.au3>           ; _IsPressed
    #include <StaticConstants.au3> ; $SS_CENTER
    ;
    #region ----------------------------------Variables and Prep
    ;
    Global $iniPath = @ScriptDir & "\Clients.ini"
    Global $sLogMsg
    ;
    ; Log destination is read per domain from the INI
    Global $iniLog = IniRead($iniPath, @LogonDomain, "DestPath", False)
    If $iniLog = "False" Then
        ConsoleWrite("Can't read DestPath from INI!" & @CRLF)
    Else
        $iniLog = $iniLog & "\Paset.log"
    EndIf
    ;
    _AD_Open()
    If @error Then
        ConsoleWrite("Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended & @CRLF)
        MsgBox(0, "Error with AD Open", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
        Exit
    EndIf
    ;
    Global $iniPasetGroup = IniRead($iniPath, @LogonDomain, "Paset", False)
    ;
    ; Stop if no Paset group is configured for this domain and the caller is not a Domain Admin
    If $iniPasetGroup = "False" And _AD_IsMemberOf("Domain Admins", @UserName, True) <> 1 Then
        _FileWriteLog($iniLog, @UserName & " attempted to run the Paset utility.")
        MsgBox(0, "Error", "Domain not authorized or INI file read error.")
        _AD_Close()
        Exit
    EndIf
    ;
    ; Default password from the INI; fall back when the key is missing or empty
    ; (the original test was: $iniPass = "False" Or "", whose second operand is always False)
    Global $iniPass = IniRead($iniPath, @LogonDomain, "DePass", False)
    If $iniPass = "False" Or $iniPass = "" Then $iniPass = "Welcome.1"
    ;
    #endregion ----------------------------------Variables and Prep
    ;-----------------------------------------
    #region ----------------------------------Building the GUI -Live
    ;
    $gcPaset = GUICreate("Password Reset Utility", 280, 480, -1, -1)
    GUISetIcon("C:\Users\admin\Downloads\Sugar\CompInfo\Control-Panel.ico", -1, $gcPaset)
    ;
    $glUsers = GUICtrlCreateList("", 10, 10, 260, 270)
    GUICtrlCreateLabel("Please enter a username to search for.", 15, 290, 250, 20, $SS_CENTER)
    ;
    $giUsername = GUICtrlCreateInput("*", 10, 330, 200, 25)
    ;
    $gbSearch = GUICtrlCreateButton("Search", 220, 330, 50, 25)
    ;
    $glError = GUICtrlCreateLabel("Passwords are reset to: " & $iniPass, 40, 370, 200, 50, $SS_CENTER)
    GUICtrlSetColor(-1, 0x0000FF)
    ;
    $gbClose = GUICtrlCreateButton("Close", 10, 440, 100, 25)
    ;
    $gbReset = GUICtrlCreateButton("Reset Password", 130, 430, 140, 40)
    GUICtrlSetFont(-1, 10, 600)
    ;
    GUISetState(@SW_SHOW, $gcPaset)
    ;
    #endregion ----------------------------------Building the GUI -Live
    ;-----------------------------------------
    #region ----------------------------------Live Code
    ;
    While 1
        ; 0D = Enter key: run the search when it is pressed
        If _IsPressed("0D") = 1 Then List_Users()
        $Msg = GUIGetMsg()
        Switch $Msg
            Case $gbSearch
                List_Users()
            Case $gbReset
                ResetPass()
            Case $GUI_EVENT_CLOSE, $gbClose
                _Exit()
        EndSwitch
    WEnd
    ;
    #endregion ----------------------------------Live Code
    ;-----------------------------------------
    #region ----------------------------------Functions
    ;
    ; Unlock the selected account if needed, reset its password and log the outcome
    Func ResetPass()
        ;~ GUICtrlSetData($glError, "")
        Local $sTarget = GUICtrlRead($glUsers)
        If $sTarget = "" Then
            GUICtrlSetData($glError, "Please select a user first.")
            Return
        EndIf
        ConsoleWrite($sTarget & @CRLF)
        If _AD_IsObjectLocked($sTarget) = 1 Then _AD_UnlockObject($sTarget)
        ; Third parameter 1 = password must be changed at next logon
        _AD_SetPassword($sTarget, $iniPass, 1)
        If @error Then
            MsgBox(0, "Uh Oh!", "Sorry, either you do not have permission to reset that user's password or an unknown error occurred.")
            _FileWriteLog($iniLog, @UserName & " failed to reset " & $sTarget & "'s password.")
        Else
            GUICtrlSetData($glError, $sTarget & "'s password was reset to " & $iniPass)
            _FileWriteLog($iniLog, @UserName & " reset " & $sTarget & "'s password.")
        EndIf
    EndFunc   ;==>ResetPass
    ;
    ; Fill the list box with the accounts whose sAMAccountName matches the search text
    Func List_Users()
        GUICtrlSetData($glUsers, "")
        If GUICtrlRead($glError) <> "Passwords are reset to: " & $iniPass Then GUICtrlSetData($glError, "Passwords are reset to: " & $iniPass)
        Local $sUser = GUICtrlRead($giUsername)
        ;~ ConsoleWrite($sUser & @CRLF)
        ;InputBox("Test", "User account(s) to search for." & @CRLF & "Wildcards are allowed.", "*", "", 300, 150, Default, Default, Default)
        If $sUser <> "*" Then $sUser = "*" & $sUser & "*"
        ;~ If @error = 1 Then Return
        Local $aUser = _AD_GetObjectsInOU("", "(&(objectcategory=person)(Samaccountname=" & $sUser & "))", 2, "samaccountname, description")
        If @error = 3 Then
            GUICtrlSetData($glError, "No Users Found!")
            ;~ MsgBox(16, "Test", "No user accounts found using the specified search pattern!")
        Else
            ;~ _ArrayDisplay($aUser, "List of user accounts", -1, 0, "", "|", "|SamAccountName|Description")
            For $i = 1 To $aUser[0][0]
                GUICtrlSetData($glUsers, $aUser[$i][0])
            Next
        EndIf
        Return 1
    EndFunc   ;==>List_Users
    ;
    Func _Exit()
        GUIDelete($gcPaset)
        _AD_Close()
        Exit
    EndFunc   ;==>_Exit
    ;
    #endregion ----------------------------------Functions

Attached Files









#2 water

water

    ?

  • MVPs
  • 15,369 posts

Posted 15 February 2013 - 11:57 PM

Script looks good at first glance!
I would suggest to replace all "ConsoleWrite" with "MsgBox" so you can compile the script and distribute it to the users without the need for a full AutoIt install.
UDFs:
Active Directory (NEW 2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2013-01-21 - Version 0.3.1.1) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

#3 JohnOne

JohnOne

    John

  • Active Members
  • 12,585 posts

Posted 16 February 2013 - 12:18 AM

I'm open to constructive criticism, especially if anyone knows another way for having the input field recognize that the enter key was pressed.

Input knows by default if enter was pressed.

    #include <guiconstantsex.au3>
    GUICreate("gui")
    $Input = GUICtrlCreateInput("", 10, 10)
    GUISetState()
    Do
        $msg = GUIGetMsg()
        If $msg = $Input Then
            MsgBox(0, "Input", GUICtrlRead($Input))
        EndIf
    Until $msg = $GUI_EVENT_CLOSE


just add text and hit enter.



#4 blckpythn


Posted 16 February 2013 - 04:11 PM

Input knows by default if enter was pressed.


Ah! That's perfect, thank you!

I would suggest to replace all "ConsoleWrite" with "MsgBox" so you can compile the script and distribute it to the users without the need for a full AutoIt install.


Most of those ConsoleWrites are there from testing, just to confirm that it is pulling the right value and such. I have a label that updates with some functions for the user to see the errors.

#5 guinness

guinness

    all-consuming swarm in inconspicuous disguise

  • Developers
  • 17,335 posts

Posted 16 February 2013 - 11:45 PM

A log file would be more appropriate in that case.



#6 lewisg

lewisg

    Seeker

  • Active Members
  • 38 posts

Posted 18 February 2013 - 02:27 PM

The schools I work with have their AD setup for student accounts grouped under "Students" then divided by graduation year. I use water's function _AD_GetOUTreeView along with his wonderful AD UDF to create a treeview. There the user (i.e. secretaries) can select the user (not shown for privacy) and change the password or disable/enable accounts.

Posted Image

#7 water


Posted 18 February 2013 - 02:45 PM

Great use of the _AD_GetOUTreeView example script!

#8 blckpythn


Posted 18 February 2013 - 03:14 PM

The schools I work with have their AD setup for student accounts grouped under "Students" then divided by graduation year. I use water's function _AD_GetOUTreeView along with his wonderful AD UDF to create a treeview. There the user (i.e. secretaries) can select the user (not shown for privacy) and change the password or disable/enable accounts.


That looks fantastic. So far this little charter school doesn't have any student accounts from before this year, so we haven't had a need to sort them that way or provide an enable/disable button.
Plus, only about 5 of our clients are schools, and I wanted this to be universal.
But other than that and the fact that I can't be bothered to show only certain OUs for each domain based on that user's access to them, I kept it simple and redeployable.

#9 water


Posted 18 February 2013 - 03:26 PM

Together with chaoticyeshua we sorted out a problem with _AD_HasRequiredRights that now allows to query permissions for an OU. Now it is possible to display just those OUs a user has certain permissions on in _AD_GetOUTreeView.
Disadvantage: It slows down the script considerably.

#10 lewisg


Posted 18 February 2013 - 03:52 PM

That looks fantastic. So far this little charter school doesn't have any student accounts from before this year, so we haven't had a need to sort them that way or provide an enable/disable button.
Plus, only about 5 of our clients are schools, and I wanted this to be universal.
But other than that and the fact that I can't be bothered to show only certain OUs for each domain based on that user's access to them, I kept it simple and redeployable.


It's being used at a few K-12 schools with enrollment in the 1400 - 2000 range. The UDF grabs the user list surprisingly quick, 4 - 9 seconds for about 1750 students.
The enable/disable was a request from one district, don't think it's used much.

It's written so the treeview can start anywhere, even at the root. Even though the districts use pretty much the same structure their trees are all different as to how they finally get to "Students". At one time I tried starting at the root and only allowing access to the branches a user had rights to but two problems appeared, too complicated and perhaps worst, default system users and groups showing up that I couldn't figure out how to filter out........hint...hint...hint....Water <GRIN>

#11 water


Posted 18 February 2013 - 04:06 PM

If you set parameter $bAD_Display = True you can pass a complete LDAP query as parameter $sAD_Category. So a query that excludes the system users/groups is needed.
Will ask Google ...

#12 water


Posted 18 February 2013 - 04:15 PM

If you set $sAD_Category to "(&(objectCategory=person)(objectClass=user))" do you still get system users?

#13 lewisg


Posted 18 February 2013 - 04:30 PM

If you set $sAD_Category to "(&(objectCategory=person)(objectClass=user))" do you still get system users?


Sweet!! No system users......works perfect.
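
Added example, not code from the thread or from the AD UDF: List_Users() in post #1 concatenates the typed search text directly into the LDAP filter, and the filter water suggests in post #12 restricts results to real user accounts. The sketch below combines the two and escapes the typed value per RFC 4515 before it reaches the filter; `_LdapEscape` and `_BuildUserFilter` are hypothetical helper names and the sample inputs are constructed.

```autoit
; Added example (not from the thread): build the user search filter safely.
; _LdapEscape and _BuildUserFilter are hypothetical helper names.

; Escape a value for use inside an LDAP search filter (RFC 4515):
; NUL, "(", ")", "*" and "\" are replaced by "\" plus their two-digit hex code.
Func _LdapEscape($sValue)
    Local $sOut = "", $sChar, $iCode
    For $i = 1 To StringLen($sValue)
        $sChar = StringMid($sValue, $i, 1)
        $iCode = AscW($sChar)
        Switch $iCode
            Case 0, 40, 41, 42, 92 ; NUL ( ) * \
                $sOut &= "\" & Hex($iCode, 2)
            Case Else
                $sOut &= $sChar
        EndSwitch
    Next
    Return $sOut
EndFunc   ;==>_LdapEscape

; Build the filter for a "contains" search on sAMAccountName.
; An empty box or a lone "*" lists every user, as the original script does.
; Any other input is escaped first, so typed "*" or ")" are matched literally
; and cannot change the structure of the filter.
Func _BuildUserFilter($sInput)
    Local $sPattern = "*"
    $sInput = StringStripWS($sInput, 3) ; 3 = strip leading and trailing whitespace
    If $sInput <> "" And $sInput <> "*" Then
        $sPattern = "*" & _LdapEscape($sInput) & "*"
    EndIf
    ; objectCategory/objectClass pair taken from water's suggestion in post #12
    Return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & $sPattern & "))"
EndFunc   ;==>_BuildUserFilter

; Constructed sample inputs: a plain name, then two that contain filter metacharacters
Local $aSamples[4] = ["*", "jsmith", "smith)(objectClass=*", "a*b\c"]
For $i = 0 To UBound($aSamples) - 1
    ConsoleWrite($aSamples[$i] & "  ->  " & _BuildUserFilter($aSamples[$i]) & @CRLF)
Next
```

In List_Users() the result of `_BuildUserFilter(GUICtrlRead($giUsername))` would take the place of the concatenated string passed as the second argument of _AD_GetObjectsInOU.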

#14 water


Posted 18 February 2013 - 04:46 PM

I'm not at my windows PC at the moment. Do you have an example of a system group you want to filter?

#15 lewisg


Posted 18 February 2013 - 05:02 PM

I'm remoting into work from home, but the test I did using your suggested filter above does just what I need. No system groups/users showing. Thanks.

EDIT: My apologies to blckpythn for hijacking his post.

Edited by lewisg, 18 February 2013 - 05:41 PM.


#16 blckpythn


Posted 19 February 2013 - 02:39 PM

EDIT: My apologies to blckpythn for hijacking his post.


No worries, I think I'll use that as well!




