Jump to content
Sign in to follow this  
flyingboz

non-admin users change own active directory password

Recommended Posts

flyingboz

I'm looking at a situation where a client has an application deployed via RemoteApp, no full RDP desktop or web interface available.  As the RemoteApp is published on a network share, it is invoked via a batch file, launched via a published .rdp file.

I've run into an issue with being able to allow users to change their own passwords.  I don't want to have to deal with changing users passwords, or knowing what they are; if I expire or require a password change, the users are simply locked out, there is no opportunity for them to change their password themselves.

Ideally, I'd like to write or find a command line utility I could insert into the batch file that launches the remote app to address this deficiency.

I've poked around in the ActiveDirectory UDF, which seems to be a great tool, but without a function written for the use case where the password change is desired to be forced upon the current user ( who is NOT an admin).  

Note:  net user / domain requires admin rights.  
           pspasswd, while awesome, also requires admin rights.

Does anyone have a UDF or Function utility that they use to allow a user to change their own domain password from the command line?

I've seen a couple of powershell examples, but I'd love to be able to compile or drop in a command line oriented  passwd.exe utility that would work similarly to the *nix equivalent.  

The pspasswd sysinternals utility does not seem to  have this use case in mind -- in my tests you have to be an admin to change a password.

Edited by flyingboz

Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.

Share this post


Link to post
Share on other sites
JLogan3o13

I've worked with a number of third party applications that allow single sign on as well as self-unlock and self-password reset for non-admin users. In all cases, the application uses a service account that has the rights to perform the action.

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.


√-1 2^3 ∑ π, and it was delicious!

Share this post


Link to post
Share on other sites
flyingboz

Thanks for the reply / insight.  I'm not interested particularly in anything more than a command line interface to allow the user to change their own password.  While single-sign on has its uses, its not really germane to the core topic.

If I give users full remote desktop access they have the permissions to change their password via the GUI.  At its most basic, there should be a command line equivalent that asks the user to enter their old password, then their new one w/ confirmation.  Conceptually, there shouldn't need to be any additional proof that the user is who they say they are, they've already been authenticated, and the remoteapp started.

I don't think I should need a service or other 'trickery' involved, because I have access to the user environment  -- I am setting the user default printer in the batch script that runs each time they initiate the remoteapp.


Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.

Share this post


Link to post
Share on other sites
zalomalo

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.

 

Time ago, searching in Google for RunAs, in order to find some way to hide a pasword from usual users executing Admin tasks, is when i found and started to use Autoit.

 Now, i have several big projects growing for years, working fine and developped in AutoiT, that is better and gives me much more posibilities than i expected. :)

After fighting vs UAC for 9 months, because a migration from XP, and winning to NamedPipes this week, i am allmost happy.

Cheers. :shifty:


My english shucks, i know it.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Similar Content

    • Gowrisankar
      By Gowrisankar
      Dear members of the forum,
      I need to open excel files that may or may not need a password and finally move the files that needs password to manual queue.
      Is there a fastest way to do this?
       
      PS: I have a huge respect for the rules of this forum. I am not asking assistance to override any security measure. I just need to segregate the files that needs passwords.
    • rudi
      By rudi
      Hello,
       
      from this posting of @Jos https://www.autoitscript.com/forum/topic/162005-getting-windows-users-account-type/?do=findComment&comment=1176831
      I can smoothly check, if a user is a *DIRECT* group member. Has anybody some code to check also, if a user is a *INDIRECT* member of a cascaded group construct?  Maybe with @Melba23 's AD UDF?
       
      The required rights are granted to group "Dept_B" User John is member of group "Dept_A" Group "Dept_A" is member of the group "Dept_B" So in the AD / NTFS FS environment John finally has the rights of both groups But when checking his "membership to group Dept_B" the result is "no member". The approach I can think of would be, to check all Group Members of group "Dept_B" whether they are of type group, then check again if "John" is member of than " 2nd level group"
      Func UserInGroup($InGroup,$ThisUser=@LogonDomain & "/" & @UserName) Local $objUser = ObjGet("WinNT://" & $ThisUser ) For $oGroup in $objUser.Groups If $oGroup.Name = $InGroup Then Return 1 EndIf Next Return 0 EndFunc Any suggestions appreciated, regards, Rudi.
    • t0nZ
      By t0nZ
      Today I want to share this little project made to check and  notify the expiration of domain users password, in a Microsoft domain.
      Briefly, the script check users domain password expiration and takes actions.
      The script can work on multiple domain groups, taking different actions for every group, there is an .ini file with some options.
      Groups to be checked are defined in the .ini, and the groups must contain only users no other groups.
      The list of users of every group is obtained and if the password expiration in (remaining) days is matched (two possibilities) an email is sent.
      It can be a mail sent directly to the user (ini file : tomail=user) or it can be a mail sent to only one address (ini file : tomail=the@mail.it) (like domain admins...) and in this case the mail contains a report with the users approaching expiration.
      An operation log is always generated.
      In the ini (also the posted one) you can set to have no mail sent (for testing) and/or to have a GUI, but also the GUI is intended only for test, this script is scheduled on a server not logged in, so normally no GUI .
      Update 2018/03/16 : added switch to reset the password expiration, useful if you have for example an user (or 500) with psw expiration withing 3 days and you want to restore expiration within 90 days WITHOUT changing password.
      Used the way as advised by Microsoft  (see the link), but with sth AD.au3 , the fantastic Active Directory UDF
      # First change the pwdlastset to 0 because Microsoft wants it this way $todouser.pwdLastSet = 0 Set-ADUser -Instance $todouser # Change the pwdlastset to the current date/time of the associate DC $todouser.pwdLastSet = -1 Set-ADUser -Instance $todouser Why you should act this way ? Big companies have strange policies listen to me ...
      The code:
      #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Icon=Icone\Faenza\117.ico #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** ; PEG ; Password Expiration Guardian ; (C) NSC 2018 ; check user domain password expiration and takes actions ; the script can work on multiple domain groups, taking differente actions for every group. ; the groups must contains only users no other groups ; the list of users of every group is obtained and if the password expiration in day is matched (two possibilities) an email is sent. ; It can be a mail sent directly to the user (ini file : tomail=user) ; or it can be a mail sent to only one address (ini file : tomail=the@mail.it) ; and in this case the mail contains a report with the users approaching expiration ; V.0.5 check based on one domain group ; V.1.0 ini file and check based on multiple domain groups ; V.1.5 ini file with general section to activate "test" GUI, and to enable disable mail send ; V.1.6 march 2018 italian "home made" translation of days and months in date ; V.1.7 added flag pwdLastSet to reset pass expiration - intended to use like a one time on/off switch to reset psw expiration #include <AD.au3> #include <File.au3> #include <GuiEdit.au3> #include <_zip.au3> #include <Date.au3> #include <Inet.au3> #include <GUIConstantsEx.au3> #include <GuiEdit.au3> #include <EditConstants.au3> #include <GUIConstantsEx.au3> #include <WindowsConstants.au3> #include <Debug.au3> Global $appname = "PEG", $appver = "V.1.7" Global $inifile = @ScriptDir & "\" & $appname & ".ini" Global $geleft = 5, $getop = 5, $gewidth = 790, $geheight = 540 Global $gollogcount = 0, $lastlog = "sicrlf", $cachelog = "", $guititle = "PEG " & $appver, $Gollogedit, $logfile = @ScriptDir & "\" & $appname & "_LOG_", $months2NOTzip = 3 Global $INIgroup, $INItomail, $INImailsubject, $INIsmpt, $INIfromname, $INIfromaddress, $INIdays1, $INIdays2, $INItosend, $arrayINIsections, $guiactive, $flagITA, $flagpwdLastSet ; START program GOLLOG(">>>>>> " & $appname & " " & $appver & " START >>>>>>") CFGctrl() If $guiactive = 1 Then GUI() $groupnumber = 0 While $groupnumber < $arrayINIsections[0] $groupnumber += 1 If $arrayINIsections[$groupnumber] <> "general" Then CFGload($arrayINIsections[$groupnumber]) loaduserS() EndIf WEnd If $guiactive = 1 Then While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE GOLLOG("<<<< STOP <<<<") Exit EndSwitch WEnd EndIf GOLLOG("<<<<<< PEG STOP <<<<<<<") Exit ;STOP program Func GUI() GUICreate($guititle, 800, 560, 100, 200, -1) GUISetBkColor(0x693F54) ; will change background color $Gollogedit = GUICtrlCreateEdit("", $geleft, $getop, $gewidth, $geheight, BitOR($ES_AUTOVSCROLL, $ES_AUTOHSCROLL, $ES_WANTRETURN, $WS_BORDER, $WS_VSCROLL)) GUICtrlSetBkColor(-1, 0xC7BBC1) GUICtrlSetData(-1, "" & @CRLF) GUICtrlSetFont(-1, 9, 800, 0, "consolas") GUICtrlSetColor(-1, 0x090608) GUISetState(@SW_SHOW) GOLLOG("PEG " & $appver & " gui STARTED") EndFunc ;==>GUI Func loaduserS() GOLLOG("workin on group: " & $INIgroup) Local $Nscad = 0 Dim $report[1] = ["Report:"] Local $singlereport = "" Local $usermail = "" Local $username = "" Local $datediff = "" Local $arrayuserpsw Local $iErr _AD_Open() $search1 = _AD_GetGroupMembers($INIgroup) ;$search1 = _AD_RecursiveGetGroupMembers($INIgroup); testing recursive .. in the future maybe If @error = 0 Then Local $conta1 = 0 While $search1[0] > $conta1 $conta1 += 1 $arrayuserpsw = _AD_GetPasswordInfo($search1[$conta1]) $datediff = _DateDiff("D", _NowCalc(), $arrayuserpsw[9]) GOLLOG("USER: " & $search1[$conta1]) GOLLOG("Password expires on: " & $arrayuserpsw[9] & " in " & $datediff & " days") If $datediff = $INIdays1 Or $datediff = $INIdays2 Then GOLLOG("expiration match !") If $INItomail = "user" Then ; this IF is relative to .ini file parameter TOSEND $usermail = _AD_GetObjectAttribute($search1[$conta1], "mail") GOLLOG("sending mail to: " & $usermail) If $flagITA = 1 Then $dataITA = dataITA($arrayuserpsw[9]) Else $dataITA = _DateTimeFormat($arrayuserpsw[9], 1) EndIf Dim $report[1] = ["La tua password scadra' " & $dataITA & ", entro " & $datediff & " giorni."] _ArrayAdd($report, "Modificala per tempo !") If $INItosend = 0 Then GOLLOG("Not sent mail " & $Nscad & ": ") GOLLOG("from :" & $INIfromname & " | " & $INIfromaddress) GOLLOG("to :" & $usermail & " | subject: " & $INImailsubject) Local $reporttext = _ArrayToString($report) GOLLOG("text :" & $reporttext) Else Local $iResponse = _INetSmtpMail($INIsmpt, $INIfromname, $INIfromaddress, $usermail, $INImailsubject, $report, "EHLO " & @ComputerName, "-1") ; perla pearl mail send HS smtp (ehlo required) $iErr = @error If $iResponse = 1 Then GOLLOG("Success! " & "Mail to user sent") Else GOLLOG("Error! " & "Mail failed with error code " & $iErr) EndIf EndIf Else $username = _AD_GetObjectAttribute($search1[$conta1], "displayname") _ArrayAdd($report, "USER: " & $username) _ArrayAdd($report, "Password expires on: " & $arrayuserpsw[9] & " in " & $datediff & " days") $Nscad += 1 If $flagpwdLastSet = 1 Then ; warning : auto pass set GOLLOG("Re-set password expiration for " & $search1[$conta1]) If _AD_ModifyAttribute($search1[$conta1], "pwdLastSet", "0") Then GOLLOG("pwdLastSet to 0 - OK") Else GOLLOG("pwdLastSet to 0 - ERROR " & @error) EndIf If _AD_ModifyAttribute($search1[$conta1], "pwdLastSet", "-1") Then GOLLOG("pwdLastSet to -1 - OK") Else GOLLOG("pwdLastSet to -1 - ERROR " & @error) EndIf EndIf EndIf EndIf WEnd If $Nscad > 0 And $INItomail <> "user" Then _ArrayAdd($report, $Nscad & " user passwords near expiration") If $INItosend = 0 Then GOLLOG("Not sent mail " & $Nscad & ": ") GOLLOG("from :" & $INIfromname & " | " & $INIfromaddress) GOLLOG("to :" & $INItomail & " | subject: " & $INImailsubject) Local $reporttext = _ArrayToString($report) GOLLOG("text :" & $reporttext) Else Local $iResponse = _INetSmtpMail($INIsmpt, $INIfromname, $INIfromaddress, $INItomail, $INImailsubject, $report, "EHLO " & @ComputerName, "-1") ; perla pearl mail send HS smtp (ehlo required) Local $iErr = @error If $iResponse = 1 Then GOLLOG("Success! " & "Mail sent") Else GOLLOG("Error! " & "Mail failed with error code " & $iErr) EndIf EndIf EndIf GOLLOG("checked n° " & $conta1 & " users") Else GOLLOG("error in user search " & @error) EndIf _AD_Close() EndFunc ;==>loaduserS Func dataITA($inputdate) ; Input date in the format "YYYY/MM/DD[ HH:MM:SS]", and translates Tuesday 8 May 2018 -> Martedì 8 maggio 2018 - perla pearl Local $stringaDATAita = _DateTimeFormat($inputdate, 1) Select Case StringInStr($stringaDATAita, "Monday") $stringaDATAita = StringReplace($stringaDATAita, "Monday", "lunedi'") Case StringInStr($stringaDATAita, "Tuesday") $stringaDATAita = StringReplace($stringaDATAita, "Tuesday", "martedi'") Case StringInStr($stringaDATAita, "Wednesday") $stringaDATAita = StringReplace($stringaDATAita, "Wednesday", "mercoledi'") Case StringInStr($stringaDATAita, "Thursday") $stringaDATAita = StringReplace($stringaDATAita, "Thursday", "giovedi'") Case StringInStr($stringaDATAita, "Friday") $stringaDATAita = StringReplace($stringaDATAita, "Friday", "venerdi'") Case StringInStr($stringaDATAita, "Saturday") $stringaDATAita = StringReplace($stringaDATAita, "Saturday", "sabato") Case StringInStr($stringaDATAita, "Sunday") $stringaDATAita = StringReplace($stringaDATAita, "Sunday", "Domenica") EndSelect Select Case StringInStr($stringaDATAita, "January") $stringaDATAita = StringReplace($stringaDATAita, "January", "gennaio") Case StringInStr($stringaDATAita, "February") $stringaDATAita = StringReplace($stringaDATAita, "February", "febbraio") Case StringInStr($stringaDATAita, "March") $stringaDATAita = StringReplace($stringaDATAita, "March", "marzo") Case StringInStr($stringaDATAita, "April") $stringaDATAita = StringReplace($stringaDATAita, "April", "aprile") Case StringInStr($stringaDATAita, "May") $stringaDATAita = StringReplace($stringaDATAita, "May", "maggio") Case StringInStr($stringaDATAita, "June") $stringaDATAita = StringReplace($stringaDATAita, "June", "giugno") Case StringInStr($stringaDATAita, "July") $stringaDATAita = StringReplace($stringaDATAita, "July", "luglio") Case StringInStr($stringaDATAita, "August") $stringaDATAita = StringReplace($stringaDATAita, "August", "agosto") Case StringInStr($stringaDATAita, "September") $stringaDATAita = StringReplace($stringaDATAita, "September", "settembre") Case StringInStr($stringaDATAita, "October") $stringaDATAita = StringReplace($stringaDATAita, "October", "ottobre") Case StringInStr($stringaDATAita, "November") $stringaDATAita = StringReplace($stringaDATAita, "November", "novembre") Case StringInStr($stringaDATAita, "December") $stringaDATAita = StringReplace($stringaDATAita, "December", "dicembre") EndSelect Return ($stringaDATAita) EndFunc ;==>dataITA Func GOLLOG($logtext) ; Gollog V.2.3 gestione CRLF si o no ; gestione a capo automatico oltre i xx caratteri; gestione pulitura ogni totmila char Perla pearl ; basta aggiungere |nocrlf50 a fine stringa, dove 50 sono gli xx caratteri, conta la prima riga dove si supera quel limite. ; to declare $gollogcount = 0,$lastlog="sicrlf",$cachelog="",$guititle = "nomegui",$Gollogedit,$logfile = @ScriptDir & "\GOLLOG_LOG_", $months2NOTzip = 3 ; e anche le misure dell'edit: $geleft = 32, $getop = 32, $gewidth = 553, $geheight = 377 ; #include <File.au3> #include <GuiEdit.au3> #include <_zip.au3> ; to insert FUNCs: GOLLOG CLEANEDIT GOLzipZIP $gollogcount += StringLen($logtext) ;Local $logfile = @ScriptDir & "\GOLLOG_LOG_" ; now global Local $logfiletimerange = @YEAR & @MON Local $linelimit = StringRight($logtext, 2) If StringRight($logtext, 9) = "|nocrlf" & $linelimit Then $logtext = StringTrimRight($logtext, 9) Local $acapo = "no" Else Local $acapo = "si" $gollogcount += 4 If $gollogcount > 13000 Then Sleep(3000) cleanedit() ; MsgBox(64, "debug", $conta) $gollogcount = 0 EndIf EndIf If $acapo = "no" And (StringLen($cachelog) <= $linelimit) Then ;pearl perla non a capo se If $lastlog = "nocrlf" Then If WinExists($guititle) Then ; per non scrivere in gui se questa non esiste _GUICtrlEdit_AppendText($Gollogedit, $logtext) EndIf Else If WinExists($guititle) Then ; per non scrivere in gui se questa non esiste _GUICtrlEdit_AppendText($Gollogedit, @MDAY & "/" & @MON & "_" & @HOUR & ":" & @MIN & " " & $logtext) EndIf EndIf $cachelog = $cachelog & $logtext $lastlog = "nocrlf" Else If $lastlog = "nocrlf" Then If WinExists($guititle) Then ; per non scrivere in gui se questa non esiste _GUICtrlEdit_AppendText($Gollogedit, $logtext & @CRLF) EndIf $cachelog = $cachelog & $logtext _FileWriteLog($logfile & $logfiletimerange & ".txt", $cachelog) $cachelog = "" Else If WinExists($guititle) Then ; per non scrivere in gui se questa non esiste _GUICtrlEdit_AppendText($Gollogedit, @MDAY & "/" & @MON & "_" & @HOUR & ":" & @MIN & " " & $logtext & @CRLF) EndIf _FileWriteLog($logfile & $logfiletimerange & ".txt", $logtext) EndIf $lastlog = "sicrlf" EndIf EndFunc ;==>GOLLOG Func cleanedit() ; cleaning of edit every n° lines (in program put if $nlines > xlines then this function) GUICtrlDelete($Gollogedit) $Gollogedit = GUICtrlCreateEdit("", $geleft, $getop, $gewidth, $geheight) ;, BitOR($ES_AUTOVSCROLL, $ES_AUTOHSCROLL, $ES_WANTRETURN, $WS_BORDER)) GUICtrlSetData(-1, "" & @CRLF) GUICtrlSetFont(-1, 9, 800, 0, "consolas") GUICtrlSetColor(-1, 0090608) GUICtrlSetBkColor(-1, 0xF0DAE5) GUICtrlSetCursor(-1, 3) EndFunc ;==>cleanedit Func GOLzipLOG($months2NOTzip) ; zipping old log leaving unzipped only n months GOLLOG("Starting old logs zipping..") ; path extraction zone Local $logfiletimerange = @YEAR & @MON Local $sDrive = "", $sDir = "", $sFileName = "", $sExtension = "" Local $arraylogpath = _PathSplit($logfile & $logfiletimerange & ".txt", $sDrive, $sDir, $sFileName, $sExtension) Local $logpath = $arraylogpath[1] & $arraylogpath[2] Local $hSearch = FileFindFirstFile($logfile & "*.txt") ; searching for logs Local $logconta = 0 While 1 ; single file processing cycle Local $sFileName = FileFindNextFile($hSearch) ; If there is no more file matching the search. If @error Then ExitLoop Local $stringtime = StringTrimRight(StringRight($sFileName, 10), 4) ;obtaining year-month like 201609 If $logfiletimerange - $stringtime > $months2NOTzip Then ;zipping If Not FileExists($logfile & ".zip") Then If Not _Zip_Create($logfile & ".zip", 1) Then GOLLOG("Error " & @error & " creating " & $logfile & ".zip") Else GOLLOG("Created new log archive: " & $logfile & ".zip") EndIf Else GOLLOG("adding to archive: " & $logfile & ".zip") EndIf If Not _zip_additem($logfile & ".zip", $logpath & $sFileName) Then GOLLOG("Error " & @error & " zipping: " & $logpath & $sFileName) Else GOLLOG("Added: " & $logpath & $sFileName) $logconta += 1 If Not FileDelete($logpath & $sFileName) Then GOLLOG("ERROR - Unable to DELETE log file " & $logpath & $sFileName) EndIf EndIf EndIf WEnd GOLLOG("Finished = " & $logconta & " log files zipped") EndFunc ;==>GOLzipLOG Func CFGctrl() ; check ini files and load section names GOLLOG("checkin' INI file..|nocrlf50") If FileExists($inifile) Then $guiactive = IniRead($inifile, "general", "GUI", "?") If $guiactive = "?" Then GOLLOG("INI incomplete, missing section 'general', value GUI") ExitwithError() EndIf $flagITA = IniRead($inifile, "general", "dataITA", "?") If $flagITA = "?" Then GOLLOG("INI incomplete, missing section 'general', value dataITA") ExitwithError() EndIf $flagpwdLastSet = IniRead($inifile, "general", "pwdLastSet", "?") If $flagpwdLastSet = "?" Then GOLLOG("INI incomplete, missing section 'general', value pwdLastSet") ExitwithError() EndIf GOLLOG("reading section names...|nocrlf50") $arrayINIsections = IniReadSectionNames($inifile) GOLLOG("N°" & $arrayINIsections[0] - 1 & " groups to process") Else $message1 = "error: no saved settings !?" GOLLOG($message1) ExitwithError() EndIf GOLLOG("..completed") EndFunc ;==>CFGctrl Func CFGload($section) ; load single ini file section values $INIgroup = IniRead($inifile, $section, "group", "?") $INItomail = IniRead($inifile, $section, "tomail", "?") $INItosend = IniRead($inifile, $section, "tosend", "?") $INIdays1 = IniRead($inifile, $section, "days1", "?") $INIdays2 = IniRead($inifile, $section, "days2", "?") $INImailsubject = IniRead($inifile, $section, "mailsubject", "?") $INIsmpt = IniRead($inifile, $section, "smtp", "?") $INIfromname = IniRead($inifile, $section, "fromname", "?") $INIfromaddress = IniRead($inifile, $section, "fromaddress", "?") EndFunc ;==>CFGload Func ExitwithError() GOLLOG("**********ERROR and STOP****************") Exit EndFunc ;==>ExitwithError The example .ini:
       
      [group1] group=G_IT_PASSWORD_MONITORED days1=5 days2=2 tomail=yourgroup@yourdomain.it ;tosend=user; send mails to the domain user mail address, otherwise send to specified address tosend=0 ;tosend ;1 send mails, 0 disable mails for testing mailsubject=Domain users going to expire passwords smtp=smtp.your.own.server fromname=Password Expiration Guardian fromaddress=PEG@NSC.it [group2] group=G_IT_PASSWORD_NOTIFIED days1=5 days2=2 tomail=user ;tosend=user; send mails to the domain user mail address, otherwise send to specified address tosend=0 ;tosend ;1 send mails, 0 disable mails for testing mailsubject=Password is expiring ! smtp=smtp.your.own.server fromname=Password Expiration Guardian fromaddress=PEG@NSC.it [general] GUI=1 ;1 gui ON for testing, 0 gui disabled dataITA = 1 ;1 translates datetime in italian, 0 for ENG pwdLastSet = 0 ;1 tries to reset the 'pwdLastSet' attribute (you must have permissions), 0 do nothing  
       
    • Overkill
      By Overkill
      Hi all,
      I am working on a GUI program to update Google's Dynamic DNS (API at https://support.google.com/domains/answer/6147083?authuser=1&hl=en if you scroll to bottom). I am not a programmer by any means - just a sysadmin who has picked up on some things along the way. I am sure that there's better ways to do a lot of things in this script; I'm just going with what I know.
      My challenge right now is that I'd like a better way to store the credentials both in memory as well as in system registry or INI file (not sure which way I want to go for local storage). How should I convert the passwords to a secure string in a manner that can't be easily reversed, yet is still accessible to the script? Is that even an option in AutoIt?
      Can anybody provide me with links to good reference posts, or coding suggestions for how best to achieve this in the script below? I am using the WinHTTP UDF (https://github.com/dragana-r/autoit-winhttp/releases) to make my API calls.
      #include<WinHTTP.au3> #include<GUIConstantsEx.au3> #include<EditConstants.au3> #include<iNet.au3> #include<Array.au3> DIM $aDomainList[1][4] $aDomainList[0][0] = 0 $gMainGUI = GUICreate("Overkill's Google DNS Updater",800,800) $gDomainLabel = GUICtrlCreateLabel("FQDN",21,8) $gDomainInput = GUICtrlCreateInput("",60,5,300) $gUserLabel = GUICtrlCreateLabel("Username",5,36) $gUserInput = GUICtrlCreateInput("",60,32,130,Default,BitOR($GUI_SS_DEFAULT_INPUT,$ES_PASSWORD)) $gPasswordLabel = GUICtrlCreateLabel("Password",6,64) $gPassInput = GUICtrlCreateInput("",60,60,130,Default,BitOR($GUI_SS_DEFAULT_INPUT,$ES_PASSWORD)) $gAddButton = GUICtrlCreateButton("ADD DOMAIN",200,31,160,52) $gCurrentIP = GUICtrlCreateLabel("Current IP: " & _CheckIP(),5,780) $gDomainList = GUICtrlCreateListView("Domain | Resolved IP | Update Status",5,120,600,600) GUISetState(@SW_SHOW,$gMainGUI) while 1 $m = GUIGetMsg() IF $M = $GUI_EVENT_CLOSE then Exit IF $M = $gAddButton Then $sAddDomain = GUICtrlRead($gDomainInput) $sAddUser = GUICtrlRead($gUserInput) $sAddPass = GUICtrlRead($gPassInput) $sResolveIP = _DNSCheck($sAddDomain) ;Google wants you to avoid sending updates when there are no changes If StringCompare($sResolveIP,_CheckIP()) = 0 Then $sStatus = "No change, not sending update" Else $sStatus = _DNSUpdate($sAddDomain,$sAddUser,$sAddPass) EndIf ;Check to make sure all fields are completed before continuing IF StringLen($sAddDomain) = 0 OR StringLen($sAddUser) = 0 OR StringLen($sAddPass) = 0 Then MsgBox(0,"","Please complete all fields") Else ; If the fields all have data, then continue ;Check to see if the entry exists in the array already $iSanity = _ArraySearch($aDomainList,$sAddDomain) IF $iSanity = 0 Then _ArrayAdd($aDomainList,$sAddDomain & "|" & $sAddUser & "|" & $sAddPass ) If @error = 0 Then $aDomainList[0][0] += 1 $aDomainList[$aDomainList[0][0]][3] = GUICtrlCreateListViewItem($sAddDomain & "|" & $sResolveIP & "|" & $sStatus,$gDomainList) Else MsgBox(0,"","Error adding input to list") EndIf Else ; If $iSanity <> 0 ; Update existing info in array and listviewitem $aDomainList[$iSanity][0] = $sAddDomain $aDomainList[$iSanity][1] = $sAddUser $aDomainList[$iSanity][2] = $sAddPass GUICtrlSetData($aDomainList[$iSanity][3],$sAddDomain & "|" & $sResolveIP & "|" & $sStatus) EndIf ; If $iSanity = 0 EndIf ; If StringLen... EndIf ; If $m = $gaddbutton WEnd ;---------------------------------------------------------------------------------------- Func _DNSCheck($sFQDN) $sJSON = _INetGetSource("https://dns.google.com/resolve?name=" & $sFQDN & "&cd=1") ConsoleWrite($sJSON & @CRLF) $sIPAddress = StringRegExpReplace($sJSON,'^.*data": "(.*?)".*?$',"\1") Return $sIPAddress EndFunc ;---------------------------------------------------------------------------------------- Func _DNSUpdate($sFQDN,$sUser,$sPass) Local $sGoogleAPIURI = "https://domains.google.com" Local $hOpen = _WinHttpOpen() Local $hConnect = _WinHttpConnect($hOpen, $sGoogleAPIURI) Local $sHeader = _ 'Authorization: Basic ' & _Base64Encode($sUser & ":" & $sPass) & @CRLF & _ 'Accept: */*' & @CRLF & _ 'User-Agent: AutoITScript/' & @AutoItVersion & @CRLF & _ 'Content-Type: application/x-www-form-urlencoded' Local $aHTTPResponse = _WinHttpSimpleSSLRequest($hConnect, "POST", "/nic/update", Default, "hostname=" & $sFQDN, $sHeader, True, Default, Default, Default, True) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) If IsArray($aHTTPResponse) Then $sHTTPResponse = "Header:" & @CRLF & $aHTTPResponse[0] & @CRLF & "Data:" & @CRLF & $aHTTPResponse[1] & @CRLF & @CRLF & @CRLF Return $aHTTPResponse[1] Else $sHTTPResponse = "NO REPLY" Return "No reply from " & $sGoogleAPIURI EndIf EndFunc ;---------------------------------------------------------------------------------------- Func _Base64Encode($sData) Local $oXml = ObjCreate("Msxml2.DOMDocument") If Not IsObj($oXml) Then SetError(1, 1, 0) EndIf Local $oElement = $oXml.createElement("b64") If Not IsObj($oElement) Then SetError(2, 2, 0) EndIf $oElement.dataType = "bin.base64" $oElement.nodeTypedValue = Binary($sData) Local $sReturn = $oElement.Text If StringLen($sReturn) = 0 Then SetError(3, 3, 0) EndIf Return $sReturn EndFunc ;---------------------------------------------------------------------------------------- Func _CheckIP() Return _INetGetSource("https://domains.google.com/checkip") EndFunc ;----------------------------------------------------------------------------------------  
    • VIP
      By VIP
      I can not do anything with any user in the "Local Users Group"
      I tried from my account but I could not change my password (ie set new password)!
      But I was able to activate the Administrator account and I logged into the Administrator account and still could not do anything with my account! But I can set the password and disable the Administrator account from my account or Administrator.
      Any ideas? (Ignore the click on the Sign-in option in the Change Accout settings.)
       

×