Trying to Change AD password and detecting success/failure


ohaya

Hi,

I am executing a small .VBS (setpassword.vbs), to set the user password of a user in AD:

Set objUser = GetObject("LDAP://xx.xx.xx.xxx:389/cn=test,cn=users,dc=xxx,dc=com")
objUser.SetPassword "xxxxxxx"

Then in my .au3, I have:

#RequireAdmin

$return = RunWait('cscript.exe ".\setpassword.vbs"')
ToolTip("Reset the user password!")
Sleep(2000)

That works, but now, I need to add some error handling.  I am checking the @error and also the $return, after the RunWait(), but that seems to be 0, regardless of whether or not the .vbs ran with or without error!

Is there a way to check whether or not the .VBS ran ok or not?

Also, FYI, I am aware of the AD UDF, but up to now, I have tried this way because I wasn't really clear about how to do it using the AD UDF, so if someone could provide a small snippet for setting the AD user password using the AD UDF, I would actually prefer to do it that way and avoid the .vbs?

Thanks,

Jim

38 minutes ago, Danp2 said:

As I said, I have been trying to "wrap my head" around using the AD UDF, but haven't made much progress.

For one thing, I put the AD.au3 into my AutoIT "includes" directory, but the editor doesn't seem to be picking up the functions from the AD UDF, e.g., if I type _AD_ it doesn't give any hints.

Also, I am kind of unclear about how I am supposed to get the first parameter for the _AD_Setpassword()?

I know these are probably simple questions for someone who has used the AD UDF already, much less for someone who has worked with AutoIT for awhile, but it's a kind of "long slog" for me, which is why I tried the RunWait and VBS way, which, BTW, does work, although I don't have any error handling that way :(!!

Is there something ELSE that I am supposed to do besides putting the AD.au3 file into the "includes" dir and adding the include <AD.au3> in my .au3 to get AutoIt to recognize the AD UDF?

Thanks,

Jim

Did you have a look at function _AD_SetPassword in the help file that comes with the UDF? Parameter 1 is the FQDN or sAMAccountName of the user whose password you want to set.

22 minutes ago, ohaya said:

For one thing, I put the AD.au3 into my AutoIT "includes" directory, but the editor doesn't seem to be picking up the functions from the AD UDF, e.g., if I type _AD_ it doesn't give any hints.

The editor does not automatically import functions from user-written UDFs for tooltips etc. I'm not at my Windows PC at the moment, so can't tell which SciTE tool to use to import them.
Anyway, scripts should work without full SciTE integration.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

@water

Thanks.   Now I don't worry about that piece at least :).

Ok, I am still struggling to come up to speed on USING AD UDF though, and I am looking at the code in AD.au3.

To be clear, what I am trying to do (right now) is to SET the password of a user in the AD.

So I guess I need to use _AD_Setpassword(), but I am not sure what the first param of _AD_Setpassword() is, or where it comes from?

Looking at the AD.au3, it almost looks like I can just pass the first parameter as a string, with something like "cn=auser"???

So can I (literally) just do:

_AD_Setpassword("cn=auser", "thenewpassword") for ANY user?

Is that correct?

Jim

EDIT:  Or, what else do I have to do before calling _AD_Setpassword?  Looking at the code, it looks like $sAD_HostServer needs to be set before calling _AD_Setpassword()?  If so, how is that $sAD_HostServer set?

Sorry, like I said, this is ALL new to me...

Edited by ohaya

Please have a look at the example script _AD_SetPassword.au3.
You just have to call _AD_Open and then _AD_SetPassword - that's all.
The first parameter needs to be specified without "CN=". Assume you login to your PC with the username "test", then this would be the value for parameter 1.


Hi,

AHHH :)!!

I was misunderstanding the whole scheme :)!!

I ASSUMED that the _AD_xxx.au3 files in the ZIP were pieces of the overall AD.au3!!  But from what you are saying they are actually examples for each of the _AD_ functions :(!!!

Ok, having said that, I also made some progress, at least for the _AD_Open() part.

FYI, I think that the situation I am in, we are going to be using an admin account in the AD to log into the AD, and then want to set the password for a different user.

So I think vis-a-vis the AD UDF wiki, this would be the "To another domain" scenario, and I think I was able to just get an _AD_Open() snippet working for the _AD_Open():

#include <AD.au3>

Global $userObj
Global $sDNSDomainParam     = "DC=demoad,DC=com"    
Global $sHostServerParam    = "ad10.demoad.com"     
Global $sConfigurationParam = "CN=Configuration,DC=demoad,DC=com"

Local $iResult = _AD_Open("testadmin", "xxx", $sDNSDomainParam, $sHostServerParam, $sConfigurationParam)

If ((@error = 0) and ($iResult=1)) Then
   MsgBox(4096, "_AD_Open worked", "_AD_Open worked")
Else
   MsgBox (4096, "error", "error[" & @error & "] - iResult=[" & $iResult & "]")
EndIf

_AD_Close()

That seems to work, i.e., if I put the wrong password, then it gives me a non-zero @error value, and if I put in a good password, then @error is 0 and $iResult is 1.

Is that correct?

So, now I am "logically" stuck/unclear about the _AD_Setpassword() call, since I am not logging in as the user whose password I am trying to set???

What I mean is can I just call:

_AD_Setpassword("cn=anyuser", "whateverpassword")

?

Or is there something else I need to do in order to bind or associate the logged in connection with the _AD_Setpassword() call?

water,

Thanks for sticking with me on this one!  It is A LOT to swallow in one gulp :)!!

Jim

EDIT 1: FYI, I tried the _AD_Setpassword ("testuser", "xxxx") and I am getting an @error of "-2147352567".

Edited by ohaya
added @error from _AD_Setpassword()

Why don't you use _AD_SetPassword.htm example?  It shows how to read the Username field and how it uses _AD_SamAccountNameToFQDN() function to obtain FQDN, it then uses this plus the password along with _AD_SetPassword() function.  Normally you would compile this script as an exe first, you then perform a Shift+Right-Click, to Run-As Admin like you would for other executables that you want to Run-As another user.  You should then simply enter testuser in the user name field along with a password.

1 hour ago, Subz said:

Why don't you use _AD_SetPassword.htm example?  It shows how to read the Username field and how it uses _AD_SamAccountNameToFQDN() function to obtain FQDN, it then uses this plus the password along with _AD_SetPassword() function.  Normally you would compile this script as an exe first, you then perform a Shift+Right-Click, to Run-As Admin like you would for other executables that you want to Run-As another user.  You should then simply enter testuser in the user name field along with a password.

Hi,

I think that I haven't been very clear about what I have been trying.  In a previous message, I mentioned "So I think vis-a-vis the AD UDF wiki, this would be "To another domain" scenario".  What I was trying to explain by that was that I am trying to set the password in the AD, from a non-domain-member machine.

I'm not 100% sure, but I think that the example _AD_Setpassword.au3 'assumes' that the .au3/.exe is being run from either the AD machine itself, or a domain-joined member machine.  That is probably why the example has just a call to "_AD_Open()", with no parameters?

Anyway, I probably should have mentioned that more clearly, and also maybe provided a screenshot of what I see when I try the example from a non-domain-member machine (see attached screenshot).

I've been trying to modify the original example to be able to run from a non-domain-member machine, but so far haven't been able to get it to work.  I think I know how to change the _AD_Open() call (to "another domain" style call), but the part I don't understand is how to modify(?) the call to the _AD_Setpassword(), because that only takes the username and password, and it "seems" (just my guessing) that the _AD_Setpassword() method needs to be modified to take into account that it is being invoked on a non-domain-member machine??

Anyway, my apologies for possibly not being clear enough earlier.

Jim

ad_setpassword-error.jpg

When calling _AD_Open you connect to a domain (either the domain you are a member of when logging on to Windows or any other domain you specify in _AD_Open). Every call of an _AD_* function now uses this connection to this domain.
If the user that connects to the domain using _AD_Open has the needed permissions he can change the password of any user in this domain.
So simply call _AD_Open to open a connection and then call _AD_SetPassword.


40 minutes ago, water said:

When calling _AD_Open you connect to a domain (either the domain you are a member of when logging on to Windows or any other domain you specify in _AD_Open). Every call of an _AD_* function now uses this connection to this domain.
If the user that connects to the domain using _AD_Open has the needed permissions he can change the password of any user in this domain.
So simply call _AD_Open to open a connection and then call _AD_SetPassword.

Hi water,

Thanks for the explanation, and yes, I just got done testing that.  I used the "other domain" format of the _AD_Open call, then did the _AD_SetPassword(), which worked!!!

Cool :)!

Thanks,

Jim

P.S.  I don't know if you all celebrate Thanksgiving, but if you do, then "Happy Thanksgiving"!!

Glad you got it working :) 
We don't celebrate Thanksgiving here. But "Happy Thanksgiving" to you all!


@water,

Thanks.  I was reviewing my code and your wiki for the AD UDF, and for the _AD_Open() call for the "another domain" scenario, and have a question.

In the wiki example, you have:

Local $iResult = _AD_Open("", "", "DC=subdomain,DC=example,DC=com", "servername.subdomain.example.com", "CN=Configuration,DC=subdomain,DC=example,DC=com")

I was wondering if, when connecting to the AD from a non-member, that last parameter (the "Configuration naming context" parameter) is absolutely necessary, or is that optional?  I noted that the comments in the AD.au3 say that it is required (and also for my testing, I did include it), but I am just double-checking.

Thanks,

Jim

P.S.  I've seen this elsewhere, but now that I am using it (and starting to understand the documentation and the examples), I think "good job" on the AD UDF :)!


No, $sConfigurationParam is not optional.
Parameters $sHostServerParam and $sConfigurationParam are required when $sDNSDomainParam is specified.

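The sequence the thread settles on, as an added example rather than code from any poster or from the AD UDF package: open the connection with the "another domain" form of _AD_Open, call _AD_SetPassword, and test @error after each step so that the script's exit code reports success or failure to whatever launched it. The domain values and account names are the sample ones from the posts above; the password prompts, the exit codes and the helper names _ResetPassword and _Fail are assumptions of this example.

```autoit
#include <AD.au3>

; Added example. Domain values are the sample ones from the thread;
; exit codes and InputBox prompts are this example's own choices.
Global Const $sDNSDomain     = "DC=demoad,DC=com"
Global Const $sHostServer    = "ad10.demoad.com"
Global Const $sConfiguration = "CN=Configuration,DC=demoad,DC=com"

; The exit code lets a caller (RunWait, a scheduled task) see success or failure
Exit _ResetPassword("testadmin", "testuser")

Func _ResetPassword($sAdminId, $sTargetUser)
    ; Prompt for secrets instead of storing them in the script
    Local $sAdminPw = InputBox("AD bind", "Password for " & $sAdminId, "", "*")
    If @error Or $sAdminPw = "" Then Return 1
    Local $sNewPw = InputBox("New password", "New password for " & $sTargetUser, "", "*")
    If @error Or $sNewPw = "" Then Return 1 ; never send an empty password

    ; "Another domain" form: host server and configuration context are
    ; required whenever the DNS domain is specified
    _AD_Open($sAdminId, $sAdminPw, $sDNSDomain, $sHostServer, $sConfiguration)
    If @error Then Return _Fail("_AD_Open", @error, @extended, 2)

    ; Every _AD_* call now uses the connection opened above.
    ; First parameter: FQDN or sAMAccountName, without a "CN=" prefix.
    Local $iRc = 0
    _AD_SetPassword($sTargetUser, $sNewPw)
    If @error Then $iRc = _Fail("_AD_SetPassword", @error, @extended, 3)

    _AD_Close()
    Return $iRc
EndFunc

Func _Fail($sStep, $iErr, $iExt, $iExitCode)
    ; COM failures arrive as negative decimals; the hex form is the one to look up
    ; (-2147352567 is 0x80020009, DISP_E_EXCEPTION)
    ConsoleWriteError($sStep & " failed: @error=" & $iErr & " (0x" & Hex($iErr) & _
            "), @extended=" & $iExt & @CRLF)
    Return $iExitCode
EndFunc
```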
