Sign in to follow this  
Followers 0

Password Reset utility for non-admins.


16 posts in this topic

#1 ·  Posted

I help manage several networks, and get a lot of password reset request for students and such.

So instead of making some of the staff admins, I found a creative way of giving them the ability to reset passwords.

This is obviously for Active Directory domains only, and requires the AD.au3 UDF.

They must be part of the group listed in the ini(if you use my method), and the group must have the delegate permission for setting a user's password in AD.

Search for Delegate Control of an OU.

Also, if you log to a server share like I did, make sure both share and NTFS permissions are opened up.

Only tested on Server 2003, 2008, and Win 7

I'm open to constructive criticism, especially if anyone know another way for having the input field recognize that the enter key was pressed.

If you download the txt, change it to an .ini file, it wouldn't let me upload an ini...

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=..\CompInfo\Control-Panel.ico
#AutoIt3Wrapper_Add_Constants=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#comments-start --INFO
;
; User's must have permission and be part of the group listed in the Clients.ini under Paset.
;
#comments-end ----INFO
;
#include
#include
#include
#include
#include
#include
;
#region ----------------------------------Variables and Prep
;
Global $iniPath = @ScriptDir & "\Clients.ini"
Global $sLogMsg
;
Global $iniLog = IniRead($iniPath, @LogonDomain, "DestPath", False)
If $iniLog = "False" Then
ConsoleWrite("Can't read DestPath from INI!" & @CRLF)
Else
$iniLog = $iniLog & "\Paset.log"
EndIf
;
_AD_Open()
If @error Then
ConsoleWrite("Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended & @CRLF)
MsgBox(0, "Error with AD Open", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)
Exit
EndIf
;
Global $iniPasetGroup = IniRead($iniPath, @LogonDomain, "Paset", False)
;
If $iniPasetGroup = "False" And _AD_IsMemberOf("Domain Admins", @UserName, True) <> 1 Then
_FileWriteLog($iniLog, @UserName & " attempted to run the Paset utility.")
MsgBox(0, "Error", "Domain not authorized or INI file read error.")
_AD_Close()
Exit
EndIf
;
Global $iniPass = IniRead($iniPath, @LogonDomain, "DePass", False)
If $iniPass = "False" Or "" Then $iniPass = "Welcome.1"
Global $iniLog = IniRead($iniPath, @LogonDomain, "DestPath", False)
If $iniLog = "False" Then
ConsoleWrite("Can't read DestPath from INI!" & @CRLF)
Else
$iniLog = $iniLog & "\Paset.log"
EndIf
;
#endregion ----------------------------------Variables and Prep
;-----------------------------------------
#region ----------------------------------Building the GUI -Live
;
$gcPaset = GUICreate("Password Reset Utility", 280, 480, -1, -1)
GUISetIcon("C:\Users\admin\Downloads\Sugar\CompInfo\Control-Panel.ico", -1, $gcPaset)
;
$glUsers = GUICtrlCreateList("", 10, 10, 260, 270)
GUICtrlCreateLabel("Please enter a username to search for.", 15, 290, 250, 20, $SS_CENTER)
;
$giUsername = GUICtrlCreateInput("*", 10, 330, 200, 25)
;
$gbSearch = GUICtrlCreateButton("Search", 220, 330, 50, 25)
;
$glError = GUICtrlCreateLabel("Passwords are reset to: " & $iniPass, 40, 370, 200, 50, $SS_CENTER)
GUICtrlSetColor(-1, 0x0000FF)
;
$gbClose = GUICtrlCreateButton("Close", 10, 440, 100, 25)
;
$gbReset = GUICtrlCreateButton("Reset Password", 130, 430, 140, 40)
GUICtrlSetFont(-1, 10, 600)
;
GUISetState(@SW_SHOW, $gcPaset)
;
#endregion ----------------------------------Building the GUI -Live
;-----------------------------------------
#region ----------------------------------Live Code
;
While 1
If _IsPressed("0D") = 1 Then List_Users()
$Msg = GUIGetMsg()
Switch $Msg
Case $gbSearch
List_Users()
Case $gbReset
ResetPass()
Case $GUI_EVENT_CLOSE, $gbClose
_Exit()
EndSwitch
WEnd
;
#endregion ----------------------------------Live Code
;-----------------------------------------
#region ----------------------------------Functions
;
Func ResetPass()
;~ GUICtrlSetData($glError, "")
$sTarget = GUICtrlRead($glUsers)
If $sTarget = "" Then
GUICtrlSetData($glError, "Please select a user first.")
Return
EndIf
ConsoleWrite($sTarget & @CRLF)

If _AD_IsObjectLocked($sTarget) = 1 Then _AD_UnlockObject($sTarget)
_AD_SetPassword($sTarget, $iniPass, 1)
If @error Then
MsgBox(0, "Uh Oh!", "Sorry, either you do not have permission to reset that user's password or an unknown error occurred.")
_FileWriteLog($iniLog, @UserName & " failed to reset " & $sTarget & "'s password.")
Else
GUICtrlSetData($glError, $sTarget & "'s password was reset to " & $iniPass)
_FileWriteLog($iniLog, @UserName & " reset " & $sTarget & "'s password.")
EndIf
EndFunc ;==>ResetPass
;
Func List_Users()
GUICtrlSetData($glUsers, "")
If GUICtrlRead($glError) <> "Passwords are reset to: " & $iniPass Then GUICtrlSetData($glError, "Passwords are reset to: " & $iniPass)
Local $sUser = GUICtrlRead($giUsername)
;~ ConsoleWrite($sUser & @CRLF)
;InputBox("Test", "User account(s) to search for." & @CRLF & "Wildcards are allowed.", "*", "", 300, 150, Default, Default, Default)
If $sUser <> "*" Then $sUser = "*" & $sUser & "*"
;~ If @error = 1 Then Return
Local $aUser = _AD_GetObjectsInOU("", "(&(objectcategory=person)(Samaccountname=" & $sUser & "))", 2, "samaccountname, description")
If @error = 3 Then
GUICtrlSetData($glError, "No Users Found!")
;~ MsgBox(16, "Test", "No user accounts found using the specified search pattern!")
Else

;~ _ArrayDisplay($aUser, "List of user accounts", -1, 0, "", "|", "|SamAccountName|Description")
For $i = 1 To $aUser[0][0]
GUICtrlSetData($glUsers, $aUser[$i][0])
Next
EndIf
Return 1

EndFunc ;==>List_Users
;
Func _Exit()
GUIDelete($gcPaset)
_AD_Close()
Exit
EndFunc ;==>_Exit
;
#endregion ----------------------------------Functions

paset.au3

Clients.txt

Share this post


Link to post
Share on other sites



#2 ·  Posted

Script looks good at first glance!

I would suggest to replace all "ConsoleWrite" with "MsgBox" so you can compile the script and distribute it to the users without the need for a full AutoIt install.


My UDFs and Tutorials:

UDFs:
Active Directory (2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (NEW 2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

Share this post


Link to post
Share on other sites

#3 ·  Posted

I'm open to constructive criticism, especially if anyone know another way for having the input field recognize that the enter key was pressed.

Input knows by default if enter was pressed.

#include <guiconstantsex.au3>

GUICreate("gui")

$Input = GUICtrlCreateInput("",10,10)

GUISetState()

Do
    $msg = GUIGetMsg()
    If $msg = $Input Then
        MsgBox(0,"Input",GUICtrlRead($Input))
    EndIf
Until $msg = $GUI_EVENT_CLOSE

just add text and hit enter.


AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt

Monkey's are, like, natures humans.

Share this post


Link to post
Share on other sites

#4 ·  Posted

Input knows by default if enter was pressed.

Ah! That's perfect, thank you!

I would suggest to replace all "ConsoleWrite" with "MsgBox" so you can compile the script and distribute it to the users without the need for a full AutoIt install.

Most of those ConsoleWrites are there from testing, just to confirm that it is pulling the right value and such. I have a label that updates with some functions for the user to see the errors.

Share this post


Link to post
Share on other sites

#5 ·  Posted

A log file would be more appropriate in that case.


UDF List:

 

_AdapterConnections()_AlwaysRun()_AppMon()_AppMonEx()_BinaryBin()_CheckMsgBox()_CmdLineRaw()_ContextMenu()_ConvertLHWebColor()/_ConvertSHWebColor()_DesktopDimensions()_DisplayPassword()_DotNet_Load()/_DotNet_Unload()_Fibonacci()_FileCompare()_FileCompareContents()_FileNameByHandle()_FilePrefix/SRE()_FindInFile()_GetBackgroundColor()/_SetBackgroundColor()_GetConrolID()_GetCtrlClass()_GetDirectoryFormat()_GetDriveMediaType()_GetFilename()/_GetFilenameExt()_GetHardwareID()_GetIP()_GetIP_Country()_GetOSLanguage()_GetSavedSource()_GetStringSize()_GetSystemPaths()_GetURLImage()_GIFImage()_GoogleWeather()_GUICtrlCreateGroup()_GUICtrlListBox_CreateArray()_GUICtrlListView_CreateArray()_GUICtrlListView_SaveCSV()_GUICtrlListView_SaveHTML()_GUICtrlListView_SaveTxt()_GUICtrlListView_SaveXML()_GUICtrlMenu_Recent()_GUICtrlMenu_SetItemImage()_GUICtrlTreeView_CreateArray()_GUIDisable()_GUIImageList_SetIconFromHandle()_GUIRegisterMsg()_GUISetIcon()_Icon_Clear()/_Icon_Set()_IdleTime()_InetGet()_InetGetGUI()_InetGetProgress()_IPDetails()_IsFileOlder()_IsGUID()_IsHex()_IsPalindrome()_IsRegKey()_IsStringRegExp()_IsSystemDrive()_IsUPX()_IsValidType()_IsWebColor()_Language()_Log()_MicrosoftInternetConnectivity()_MSDNDataType()_PathFull/GetRelative/Split()_PathSplitEx()_PrintFromArray()_ProgressSetMarquee()_ReDim()_RockPaperScissors()/_RockPaperScissorsLizardSpock()_ScrollingCredits_SelfDelete()_SelfRename()_SelfUpdate()_SendTo()_ShellAll()_ShellFile()_ShellFolder()_SingletonHWID()_SingletonPID()_Startup()_StringCompact()_StringIsValid()_StringRegExpMetaCharacters()_StringReplaceWholeWord()_StringStripChars()_Temperature()_TrialPeriod()_UKToUSDate()/_USToUKDate()_WinAPI_Create_CTL_CODE()_WinAPI_CreateGUID()_WMIDateStringToDate()/_DateToWMIDateString()Au3 script parsingAutoIt SearchAutoIt3 PortableAutoIt3WrapperToPragmaAutoItWinGetTitle()/AutoItWinSetTitle()CodingDirToHTML5FileInstallrFileReadLastChars()GeoIP databaseGUI - Only Close ButtonGUI ExamplesGUICtrlDeleteImage()GUICtrlGetBkColor()GUICtrlGetStyle()GUIEventsGUIGetBkColor()Int_Parse() & Int_TryParse()IsISBN()LockFile()Mapping CtrlIDsParseHeadersToSciTE()PasswordValidPasteBinPosts Per DayPreExpandQueue()Resource UpdateResourcesExSciTE JumpSettings INISHELLHOOKShunting-YardSignature CreatorStack()Stopwatch()StringAddLF()/StringStripLF()StringEOLToCRLF()VSCROLLWM_COPYDATAMore Examples...

 

 

Updated: 02/04/2015

Share this post


Link to post
Share on other sites

#6 ·  Posted

The schools I work with have their AD setup for student accounts grouped under "Students" then divided by graduation year. I use Waters function _AD_GetOUTreeView along with his wonderful AD UDF to create a treeview. There the user (i.e. Secretarys) can select the user (not shown for privicy) and change the password or disable/enable accounts.

Posted Image

Share this post


Link to post
Share on other sites

#7 ·  Posted

Great use of the _AD_GetOUTreeView example script!


My UDFs and Tutorials:

UDFs:
Active Directory (2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (NEW 2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

Share this post


Link to post
Share on other sites

#8 ·  Posted

The schools I work with have their AD setup for student accounts grouped under "Students" then divided by graduation year. I use Waters function _AD_GetOUTreeView along with his wonderful AD UDF to create a treeview. There the user (i.e. Secretarys) can select the user (not shown for privicy) and change the password or disable/enable accounts.

That looks fantastic. So far this little charter school doesn't have any student accounts from before this year, so we haven't had a need to sort them that way or provide a enable/disable button.

Plus, only about 5 of our clients are schools, and I wanted this to be universal.

But other than that and the fact that I can't be bothered to show only certain OUs for each domain based on that user's access to them, I kept it simple and redeployable.

Share this post


Link to post
Share on other sites

#9 ·  Posted

Together with chaoticyeshua we sorted out a problem with that now allows to query permissions for an OU. Now it is possible to display just those OUs a user has certain permissions on in _AD_GetOUTreeView.

Disadvantage: It slows down the script considerably.


My UDFs and Tutorials:

UDFs:
Active Directory (2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (NEW 2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

Share this post


Link to post
Share on other sites

#10 ·  Posted

That looks fantastic. So far this little charter school doesn't have any student accounts from before this year, so we haven't had a need to sort them that way or provide a enable/disable button.

Plus, only about 5 of our clients are schools, and I wanted this to be universal.

But other than that and the fact that I can't be bothered to show only certain OUs for each domain based on that user's access to them, I kept it simple and redeployable.

It's being used at a few K-12 schools with enrollment in the 1400 - 2000 range. The UDF grabs the user list suprisingly quick, 4 - 9 seconds for about 1750 students.

The enable/disable was a request from one district, don't think it's used much.

It's written so the treeview can start anywhere, even at the root. Even though the district use pretty much the same structure their trees are all different as to how they finally get to "Students". At one time I tried starting at the root and only allowing access to the the branches a user had rights to but two problems appeared, too complicated and perhaps worst, default system users and groups showing up that I couldn't figure out how to filter out........hint...hint...hint....Water <GRIN>

Share this post


Link to post
Share on other sites

#11 ·  Posted

If you set parameter $bAD_Display = True you can pass a complete LDAP query as parameter $sAD_Category. So a query that excludes the system users/groups is needed.

Will ask Google ...


My UDFs and Tutorials:

UDFs:
Active Directory (2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (NEW 2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

Share this post


Link to post
Share on other sites

#12 ·  Posted

If you set $sAD_Category to "(&(objectCategory=person)(objectClass=user))" do you still get system users?


My UDFs and Tutorials:

UDFs:
Active Directory (2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (NEW 2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

Share this post


Link to post
Share on other sites

#13 ·  Posted

If you set $sAD_Category to "(&(objectCategory=person)(objectClass=user))" do you still get system users?

Sweet!! No system users......works perfect.

Share this post


Link to post
Share on other sites

#14 ·  Posted

I'm not at my windows PC at the moment. Do you have an example of a system group you want to filter?


My UDFs and Tutorials:

UDFs:
Active Directory (2014-07-21 - Version 1.4.1.1) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2014-07-27 - Version 1.0.0.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (NEW 2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki

Share this post


Link to post
Share on other sites

#15 ·  Posted (edited)

I'm remoting into work from home, but the test I did using your suggested filter above does just what I need. No system groups/users showing. Thanks.

EDIT: My apologies to blckpythn for hijacking his post.

Edited by lewisg

Share this post


Link to post
Share on other sites

#16 ·  Posted

EDIT: My apologies to blckpythn for hijacking his post.

No worries, I think I'll use that as well!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0