blckpythn

Password Reset utility for non-admins.

16 posts in this topic

I help manage several networks, and get a lot of password reset requests for students and such.

So instead of making some of the staff admins, I found a creative way of giving them the ability to reset passwords.

This is obviously for Active Directory domains only, and requires the AD.au3 UDF.

They must be part of the group listed in the ini(if you use my method), and the group must have the delegate permission for setting a user's password in AD.

Search for Delegate Control of an OU.

Also, if you log to a server share like I did, make sure both share and NTFS permissions are opened up.

Only tested on Server 2003, 2008, and Win 7

I'm open to constructive criticism, especially if anyone knows another way for having the input field recognize that the enter key was pressed.

If you download the txt, change it to an .ini file, it wouldn't let me upload an ini...

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=..\CompInfo\Control-Panel.ico
#AutoIt3Wrapper_Add_Constants=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#comments-start --INFO
;
; Users must have permission and be part of the group listed in the Clients.ini under Paset.
;
#comments-end ----INFO
;
; Include file names restored from the functions the script uses (the forum post lost them).
#include <AD.au3>               ; water's Active Directory UDF (_AD_* functions)
#include <GUIConstantsEx.au3>   ; $GUI_EVENT_CLOSE
#include <StaticConstants.au3>  ; $SS_CENTER
#include <Misc.au3>             ; _IsPressed
#include <File.au3>             ; _FileWriteLog
#include <Array.au3>            ; _ArrayDisplay (only used in the commented-out debug line)
;
#region ----------------------------------Variables and Prep
;
Global $iniPath = @ScriptDir & "\Clients.ini"
Global $sLogMsg
;
Global $iniLog = IniRead($iniPath, @LogonDomain, "DestPath", False)
If $iniLog = "False" Then
ConsoleWrite("Can't read DestPath from INI!" & @CRLF)
Else
$iniLog = $iniLog & "\Paset.log"
EndIf
;
_AD_Open()
If @error Then
ConsoleWrite("Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended & @CRLF)
MsgBox(0, "Error with AD Open", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Exit
EndIf
;
Global $iniPasetGroup = IniRead($iniPath, @LogonDomain, "Paset", False)
;
; Gate: Domain Admins are always allowed; everyone else must be a member of the group named
; under "Paset" in the INI for this domain. (The original line read $iniPasetGroup but never
; checked membership of it; only Domain Admins was tested.)
Local $bAllowed = (_AD_IsMemberOf("Domain Admins", @UserName, True) = 1)
If Not $bAllowed And $iniPasetGroup <> "False" Then $bAllowed = (_AD_IsMemberOf($iniPasetGroup, @UserName, True) = 1)
If Not $bAllowed Then
_FileWriteLog($iniLog, @UserName & " attempted to run the Paset utility.")
MsgBox(0, "Error", "Not a member of the Paset group, domain not authorized, or INI file read error.")
_AD_Close()
Exit
EndIf
;
Global $iniPass = IniRead($iniPath, @LogonDomain, "DePass", False)
; Fall back to the default password when the key is missing or empty.
; (The original read 'Or ""', which never evaluates to true, so an empty DePass was not caught.)
If $iniPass = "False" Or $iniPass = "" Then $iniPass = "Welcome.1"
; DestPath / $iniLog was already read and set above, so the duplicate read has been dropped.
;
#endregion ----------------------------------Variables and Prep
;-----------------------------------------
#region ----------------------------------Building the GUI -Live
;
$gcPaset = GUICreate("Password Reset Utility", 280, 480, -1, -1)
GUISetIcon("C:\Users\admin\Downloads\Sugar\CompInfo\Control-Panel.ico", -1, $gcPaset)
;
$glUsers = GUICtrlCreateList("", 10, 10, 260, 270)
GUICtrlCreateLabel("Please enter a username to search for.", 15, 290, 250, 20, $SS_CENTER)
;
$giUsername = GUICtrlCreateInput("*", 10, 330, 200, 25)
;
$gbSearch = GUICtrlCreateButton("Search", 220, 330, 50, 25)
;
$glError = GUICtrlCreateLabel("Passwords are reset to: " & $iniPass, 40, 370, 200, 50, $SS_CENTER)
GUICtrlSetColor(-1, 0x0000FF)
;
$gbClose = GUICtrlCreateButton("Close", 10, 440, 100, 25)
;
$gbReset = GUICtrlCreateButton("Reset Password", 130, 430, 140, 40)
GUICtrlSetFont(-1, 10, 600)
;
GUISetState(@SW_SHOW, $gcPaset)
;
#endregion ----------------------------------Building the GUI -Live
;-----------------------------------------
#region ----------------------------------Live Code
;
While 1
If _IsPressed("0D") = 1 Then List_Users()
$Msg = GUIGetMsg()
Switch $Msg
Case $gbSearch
List_Users()
Case $gbReset
ResetPass()
Case $GUI_EVENT_CLOSE, $gbClose
_Exit()
EndSwitch
WEnd
;
#endregion ----------------------------------Live Code
;-----------------------------------------
#region ----------------------------------Functions
;
Func ResetPass()
;~ GUICtrlSetData($glError, "")
$sTarget = GUICtrlRead($glUsers)
If $sTarget = "" Then
GUICtrlSetData($glError, "Please select a user first.")
Return
EndIf
ConsoleWrite($sTarget & @CRLF)

If _AD_IsObjectLocked($sTarget) = 1 Then _AD_UnlockObject($sTarget)
_AD_SetPassword($sTarget, $iniPass, 1)
If @error Then
MsgBox(0, "Uh Oh!", "Sorry, either you do not have permission to reset that user's password or an unknown error occurred.")
_FileWriteLog($iniLog, @UserName & " failed to reset " & $sTarget & "'s password.")
Else
GUICtrlSetData($glError, $sTarget & "'s password was reset to " & $iniPass)
_FileWriteLog($iniLog, @UserName & " reset " & $sTarget & "'s password.")
EndIf
EndFunc ;==>ResetPass
;
Func List_Users()
GUICtrlSetData($glUsers, "")
If GUICtrlRead($glError) <> "Passwords are reset to: " & $iniPass Then GUICtrlSetData($glError, "Passwords are reset to: " & $iniPass)
Local $sUser = GUICtrlRead($giUsername)
;~ ConsoleWrite($sUser & @CRLF)
;InputBox("Test", "User account(s) to search for." & @CRLF & "Wildcards are allowed.", "*", "", 300, 150, Default, Default, Default)
If $sUser <> "*" Then $sUser = "*" & $sUser & "*"
;~ If @error = 1 Then Return
Local $aUser = _AD_GetObjectsInOU("", "(&(objectcategory=person)(Samaccountname=" & $sUser & "))", 2, "samaccountname, description")
If @error = 3 Then
GUICtrlSetData($glError, "No Users Found!")
;~ MsgBox(16, "Test", "No user accounts found using the specified search pattern!")
Else

;~ _ArrayDisplay($aUser, "List of user accounts", -1, 0, "", "|", "|SamAccountName|Description")
For $i = 1 To $aUser[0][0]
GUICtrlSetData($glUsers, $aUser[$i][0])
Next
EndIf
Return 1

EndFunc ;==>List_Users
;
Func _Exit()
GUIDelete($gcPaset)
_AD_Close()
Exit
EndFunc ;==>_Exit
;
#endregion ----------------------------------Functions

paset.au3

Clients.txt

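One thing worth tightening in the script above: the text typed into the username box is spliced straight into the LDAP filter in List_Users(), so characters such as ( ) * and \ change the meaning of the query instead of being searched for. The search runs with the operator's own credentials, so it only reads what they could read anyway, but escaping keeps the results (and the log entries built from them) predictable. The following is an added example, not code from blckpythn's Paset script or from water's AD UDF: an RFC 4515 escape routine plus a filter builder that also uses the (objectCategory=person)(objectClass=user) base discussed further down this thread. The function names _LdapFilterEscape and _BuildUserFilter are my own, and the sample inputs are constructed.

```autoit
; Added example (not from the Paset script or the AD UDF): escaping user input
; before it is spliced into an LDAP search filter. Function names are assumed.

; RFC 4515 escaping: the characters \ * ( ) and NUL are replaced by \XX hex
; escapes so they match literally instead of being parsed as filter syntax.
Func _LdapFilterEscape($sValue)
    ; Backslash first, otherwise the backslashes inserted below would be escaped again.
    $sValue = StringReplace($sValue, "\", "\5c")
    $sValue = StringReplace($sValue, "*", "\2a")
    $sValue = StringReplace($sValue, "(", "\28")
    $sValue = StringReplace($sValue, ")", "\29")
    $sValue = StringReplace($sValue, Chr(0), "\00")
    Return $sValue
EndFunc   ;==>_LdapFilterEscape

; Builds the filter for the username search box. A blank or "*" pattern lists
; every user; anything else is escaped and then wrapped in wildcards, so the
; operator's text is always matched as a literal substring of sAMAccountName.
; The (objectCategory=person)(objectClass=user) base keeps only user accounts
; (computer, contact and group objects are excluded).
Func _BuildUserFilter($sPattern)
    Local $sBase = "(&(objectCategory=person)(objectClass=user)"
    If $sPattern = "" Or $sPattern = "*" Then Return $sBase & "(sAMAccountName=*))"
    Return $sBase & "(sAMAccountName=*" & _LdapFilterEscape($sPattern) & "*))"
EndFunc   ;==>_BuildUserFilter

; Constructed inputs: an ordinary search, and a pattern that contains filter syntax.
ConsoleWrite(_BuildUserFilter("jdoe") & @CRLF)
ConsoleWrite(_BuildUserFilter("*)(objectClass=*") & @CRLF)

; In List_Users() the lookup would become (assumes AD.au3 is included and _AD_Open() succeeded):
; Local $aUser = _AD_GetObjectsInOU("", _BuildUserFilter(GUICtrlRead($giUsername)), 2, "samaccountname, description")
```

Run it from SciTE and the second line of output shows the parentheses and asterisks of the hostile pattern turned into \28, \29 and \2a escapes, so the directory looks for that text inside an account name rather than evaluating it as part of the filter. Because the wildcards are added by the builder and not by the operator, the behaviour of the search box stays exactly what the label promises.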



Script looks good at first glance!

I would suggest to replace all "ConsoleWrite" with "MsgBox" so you can compile the script and distribute it to the users without the need for a full AutoIt install.


My UDFs and Tutorials:


UDFs:
Active Directory (NEW 2016-08-18 - Version 1.4.6.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2016-05-09 - Version 1.2.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki



I'm open to constructive criticism, especially if anyone know another way for having the input field recognize that the enter key was pressed.

Input knows by default if enter was pressed.

#include <guiconstantsex.au3>

GUICreate("gui")

$Input = GUICtrlCreateInput("",10,10)

GUISetState()

Do
    $msg = GUIGetMsg()
    If $msg = $Input Then
        MsgBox(0,"Input",GUICtrlRead($Input))
    EndIf
Until $msg = $GUI_EVENT_CLOSE

just add text and hit enter.



Input knows by default if enter was pressed.

Ah! That's perfect, thank you!

I would suggest to replace all "ConsoleWrite" with "MsgBox" so you can compile the script and distribute it to the users without the need for a full AutoIt install.

Most of those ConsoleWrites are there from testing, just to confirm that it is pulling the right value and such. I have a label that updates with some functions for the user to see the errors.


A log file would be more appropriate in that case.



The schools I work with have their AD set up for student accounts grouped under "Students" and then divided by graduation year. I use Water's function _AD_GetOUTreeView along with his wonderful AD UDF to create a treeview. There the user (i.e. secretaries) can select the user (not shown for privacy) and change the password or disable/enable accounts.



Great use of the _AD_GetOUTreeView example script!



The schools I work with have their AD set up for student accounts grouped under "Students" and then divided by graduation year. I use Water's function _AD_GetOUTreeView along with his wonderful AD UDF to create a treeview. There the user (i.e. secretaries) can select the user (not shown for privacy) and change the password or disable/enable accounts.

That looks fantastic. So far this little charter school doesn't have any student accounts from before this year, so we haven't had a need to sort them that way or provide an enable/disable button.

Plus, only about 5 of our clients are schools, and I wanted this to be universal.

But other than that and the fact that I can't be bothered to show only certain OUs for each domain based on that user's access to them, I kept it simple and redeployable.


Together with chaoticyeshua we sorted out a problem, which now allows querying permissions for an OU. Now it is possible to display just those OUs a user has certain permissions on in _AD_GetOUTreeView.

Disadvantage: It slows down the script considerably.



That looks fantastic. So far this little charter school doesn't have any student accounts from before this year, so we haven't had a need to sort them that way or provide an enable/disable button.

Plus, only about 5 of our clients are schools, and I wanted this to be universal.

But other than that and the fact that I can't be bothered to show only certain OUs for each domain based on that user's access to them, I kept it simple and redeployable.

It's being used at a few K-12 schools with enrollment in the 1400 - 2000 range. The UDF grabs the user list surprisingly quickly, 4 - 9 seconds for about 1750 students.

The enable/disable was a request from one district, don't think it's used much.

It's written so the treeview can start anywhere, even at the root. Even though the districts use pretty much the same structure, their trees are all different as to how they finally get to "Students". At one time I tried starting at the root and only allowing access to the branches a user had rights to, but two problems appeared: too complicated and, perhaps worse, default system users and groups showing up that I couldn't figure out how to filter out........hint...hint...hint....Water <GRIN>


If you set parameter $bAD_Display = True you can pass a complete LDAP query as parameter $sAD_Category. So a query that excludes the system users/groups is needed.

Will ask Google ...



If you set $sAD_Category to "(&(objectCategory=person)(objectClass=user))" do you still get system users?



If you set $sAD_Category to "(&(objectCategory=person)(objectClass=user))" do you still get system users?

Sweet!! No system users......works perfect.


I'm not at my windows PC at the moment. Do you have an example of a system group you want to filter?




I'm remoting into work from home, but the test I did using your suggested filter above does just what I need. No system groups/users showing. Thanks.

EDIT: My apologies to blckpythn for hijacking his post.

Edited by lewisg


EDIT: My apologies to blckpythn for hijacking his post.

No worries, I think I'll use that as well!
