
non-admin users change own active directory password


flyingboz

I'm looking at a situation where a client has an application deployed via RemoteApp, no full RDP desktop or web interface available.  As the RemoteApp is published on a network share, it is invoked via a batch file, launched via a published .rdp file.

I've run into an issue with being able to allow users to change their own passwords. I don't want to have to deal with changing users' passwords, or knowing what they are; if I expire or require a password change, the users are simply locked out, and there is no opportunity for them to change their password themselves.

Ideally, I'd like to write or find a command line utility I could insert into the batch file that launches the remote app to address this deficiency.

I've poked around in the ActiveDirectory UDF, which seems to be a great tool, but there is no function written for the use case where the password change is to be performed by the current user (who is NOT an admin).

Note: net user / domain requires admin rights.
pspasswd, while awesome, also requires admin rights.

Does anyone have a UDF or Function utility that they use to allow a user to change their own domain password from the command line?

I've seen a couple of PowerShell examples, but I'd love to be able to compile or drop in a command-line oriented passwd.exe utility that would work similarly to the *nix equivalent.

The pspasswd Sysinternals utility does not seem to have this use case in mind; in my tests you have to be an admin to change a password.

Edited by flyingboz

Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.

JLogan3o13

I've worked with a number of third party applications that allow single sign on as well as self-unlock and self-password reset for non-admin users. In all cases, the application uses a service account that has the rights to perform the action.

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.


√-1 2^3 ∑ π, and it was delicious!

flyingboz

Thanks for the reply / insight. I'm not interested particularly in anything more than a command-line interface to allow the user to change their own password. While single sign-on has its uses, it's not really germane to the core topic.

If I give users full remote desktop access, they have the permissions to change their password via the GUI. At its most basic, there should be a command-line equivalent that asks the user to enter their old password, then their new one w/ confirmation. Conceptually, there shouldn't need to be any additional proof that the user is who they say they are; they've already been authenticated, and the RemoteApp started.

I don't think I should need a service or other 'trickery' involved, because I have access to the user environment: I am setting the user's default printer in the batch script that runs each time they initiate the RemoteApp.


Reading the help file before you post... Not only will it make you look smarter, it will make you smarter.
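Added example, not code from this thread and not part of the ActiveDirectory UDF: the command-line self-service change asked for in the first post and spelled out in the reply above. It prompts for the current password, then the new one with confirmation, and calls UserPrincipal.ChangePassword() in the logged-on user's own security context, so no admin rights, service account or embedded credentials are involved; the domain controller verifies the old password and enforces policy. Assumed: Windows PowerShell on a domain-joined host, run as the domain user whose password is being changed; the function names Read-PlainSecret and Set-OwnDomainPassword are my own.

```powershell
# Added example for this thread, not the OP's code and not part of the
# ActiveDirectory UDF: a self-service domain password change that runs
# entirely in the logged-on user's own security context. It needs no admin
# rights and no service account because UserPrincipal.ChangePassword()
# exercises the "Change Password" right that AD grants to Self on every user
# object by default; the current password is the only proof of identity.
# Assumptions: Windows PowerShell on a domain-joined host, executed as the
# domain user whose password is being changed. Function names are my own.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Prompt without echo; the secret becomes a plain string only for the API
# call. Passwords are never taken as command-line arguments, where they would
# be visible in process listings and command-line auditing.
function Read-PlainSecret {
    param([string]$Prompt)
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Set-OwnDomainPassword {
    # Resolve the account the script runs as (the RemoteApp session user)
    # from its own logon token; nothing is looked up by name.
    $me = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    Write-Host ("Changing domain password for {0}\{1}" -f $env:USERDOMAIN, $me.SamAccountName)

    $old     = Read-PlainSecret 'Current password'
    $new     = Read-PlainSecret 'New password'
    $confirm = Read-PlainSecret 'Confirm new password'

    if ($new -ne $confirm) {
        Write-Host 'New passwords do not match; nothing changed.'
        return 1
    }

    try {
        # The DC verifies the old password and enforces length, complexity,
        # history and minimum-age policy server-side.
        $me.ChangePassword($old, $new)
        Write-Host 'Password changed.'
        return 0
    } catch {
        # A failing .NET method call is wrapped in MethodInvocationException;
        # the real reason is the inner exception.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex.GetType().Name -eq 'PasswordException') {
            # Wrong current password, or the new one violates domain policy.
            Write-Host ('Password not changed: {0}' -f $ex.Message)
            return 2
        }
        # Anything else (no DC reachable, Change Password right removed, ...).
        Write-Host ('Password change failed: {0}' -f $ex.Message)
        return 3
    } finally {
        # Drop the plaintext copies as soon as the call is done.
        $old = $new = $confirm = $null
    }
}

exit (Set-OwnDomainPassword)
```

From the batch file that launches the RemoteApp, the script is called as `powershell.exe -NoProfile -File ChangeMyPassword.ps1` (signed, or otherwise permitted by the execution policy), and the exit code tells the batch whether the change went through. Two caveats a deployer should know: the default domain policy sets a minimum password age of one day, so a second change on the same day is rejected by the DC with a policy error rather than by anything in the script; and the call only works while the current password is still accepted, so it belongs in the launch sequence before expiry, not after the lockout the first post describes. If an administrator has removed the Self "Change Password" permission on user objects, the call fails with access denied, which is that control working as intended.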

zalomalo

While this works, it is not ideal in AutoIt. In essence you would be doing a RunAs, and embedding credentials into a script that could be opened with minimal effort.
Some time ago, while searching Google for RunAs to find a way to hide a password from ordinary users executing admin tasks, I found and started to use AutoIt.

Now I have several big projects that have been growing for years, working fine and developed in AutoIt, which is better and gives me many more possibilities than I expected. :)

After fighting UAC for 9 months because of a migration from XP, and winning against NamedPipes this week, I am almost happy.

Cheers. :shifty:


My English sucks, I know it.
