flyingboz

non-admin users change own active directory password


I'm looking at a situation where a client has an application deployed via RemoteApp, no full RDP desktop or web interface available.  As the RemoteApp is published on a network share, it is invoked via a batch file, launched via a published .rdp file.

I've run into an issue with being able to allow users to change their own passwords. I don't want to have to deal with changing users' passwords, or knowing what they are; if I expire or require a password change, the users are simply locked out; there is no opportunity for them to change their password themselves.

Ideally, I'd like to write or find a command line utility I could insert into the batch file that launches the remote app to address this deficiency.

I've poked around in the ActiveDirectory UDF, which seems to be a great tool, but without a function written for the use case where the password change is desired to be forced upon the current user ( who is NOT an admin).  

Note: net user /domain requires admin rights.
      pspasswd, while awesome, also requires admin rights.

Does anyone have a UDF or function utility that they use to allow a user to change their own domain password from the command line?

I've seen a couple of PowerShell examples, but I'd love to be able to compile or drop in a command-line-oriented passwd.exe utility that would work similarly to the *nix equivalent.

The pspasswd Sysinternals utility does not seem to have this use case in mind; in my tests you have to be an admin to change a password.


Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.


I've worked with a number of third party applications that allow single sign on as well as self-unlock and self-password reset for non-admin users. In all cases, the application uses a service account that has the rights to perform the action.

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.


Thanks for the reply / insight. I'm not interested particularly in anything more than a command line interface to allow the user to change their own password. While single sign-on has its uses, it's not really germane to the core topic.

If I give users full remote desktop access they have the permissions to change their password via the GUI.  At its most basic, there should be a command line equivalent that asks the user to enter their old password, then their new one w/ confirmation.  Conceptually, there shouldn't need to be any additional proof that the user is who they say they are, they've already been authenticated, and the remoteapp started.

I don't think I should need a service or other 'trickery' involved, because I have access to the user environment  -- I am setting the user default printer in the batch script that runs each time they initiate the remoteapp.


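The flow described in the two posts above (prompt for the old password, then the new one with confirmation, no service account and no embedded admin credentials) maps directly onto the domain's change-password path, which only proves possession of the old password and which every user may run against their own account by default; the reset path (SetPassword) is the one that needs admin rights. The script below is an added example written for this thread, not code from the original posts or from the ActiveDirectory UDF. It assumes the RemoteApp session already runs as the domain user, that a domain controller is reachable, and that the threshold parameter `$MaxDaysLeft` (a hypothetical name) decides when to prompt, since a user whose password has already expired cannot log on to start the RemoteApp in the first place.

```powershell
# Change-OwnPassword.ps1 (added example; names and threshold are assumptions)
# Self-service domain password change for the logged-on, non-admin user,
# intended to be called from the batch file that launches the RemoteApp.
param([int]$MaxDaysLeft = 7)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function ConvertTo-PlainText([securestring]$Secure) {
    # Marshal the SecureString to a BSTR and zero it when done.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-DaysUntilPasswordExpiry {
    # msDS-UserPasswordExpiryTimeComputed is computed by the DC from the
    # applicable password policy; DirectorySearcher returns it as Int64.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $r = $searcher.FindOne()
    if (-not $r) { return $null }
    $ft = [int64]$r.Properties['msds-userpasswordexpirytimecomputed'][0]
    # 0x7FFFFFFFFFFFFFFF means "password never expires"; 0 means no usable value.
    if ($ft -eq 0 -or $ft -eq [int64]::MaxValue) { return $null }
    return ([DateTime]::FromFileTime($ft) - (Get-Date)).TotalDays
}

function Invoke-SelfPasswordChange {
    $old  = Read-Host -Prompt 'Current password' -AsSecureString
    $new1 = Read-Host -Prompt 'New password' -AsSecureString
    $new2 = Read-Host -Prompt 'Confirm new password' -AsSecureString

    $oldPlain = ConvertTo-PlainText $old
    $newPlain = ConvertTo-PlainText $new1
    if ($newPlain -cne (ConvertTo-PlainText $new2)) {
        Write-Warning 'New passwords do not match; nothing changed.'
        return $false
    }

    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $env:USERNAME)
    if (-not $user) {
        Write-Warning "Account $env:USERNAME was not found in the domain."
        return $false
    }

    try {
        # ChangePassword (not SetPassword): the old password is the proof of
        # identity, so the caller needs no admin rights on the account.
        $user.ChangePassword($oldPlain, $newPlain)
        Write-Host 'Password changed.'
        return $true
    } catch [System.DirectoryServices.AccountManagement.PasswordException] {
        # Wrong current password, or the new one violates policy
        # (complexity, history, minimum password age).
        Write-Warning "Password change rejected: $($_.Exception.Message)"
        return $false
    }
}

$days = Get-DaysUntilPasswordExpiry
if ($days -ne $null -and $days -le $MaxDaysLeft) {
    Write-Host ("Your password expires in {0:N0} day(s)." -f $days)
    Invoke-SelfPasswordChange | Out-Null
}
```

From the launcher batch file, a line such as `powershell -NoProfile -ExecutionPolicy Bypass -File \\server\share\Change-OwnPassword.ps1 -MaxDaysLeft 7` placed before the application start runs the prompt only when expiry is near (path and flags are assumptions). Two caveats a practitioner should expect: a domain minimum-password-age policy will make a second change on the same day fail with a PasswordException, and if "user must change password at next logon" is already set, the attribute check returns no value and the user will not reach the RemoteApp at all, so the forced change has to be announced before it takes effect rather than after.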

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.

 

A while ago, searching Google for RunAs, in order to find some way to hide a password from regular users executing admin tasks, is when I found and started to use AutoIt.

Now I have several big projects growing for years, working fine and developed in AutoIt, which is better and gives me many more possibilities than I expected. :)

After fighting UAC for 9 months because of a migration from XP, and winning against named pipes this week, I am almost happy.

Cheers. :shifty:


My English sucks, I know it.

