Hack 26 Manage User Accounts in Active Directory


Use these five handy scripts to easily manage domain user accounts.

While the usual way of managing user accounts in Active Directory is to use the Active Directory Users and Computers (ADUC) console, that GUI approach can be tedious if your organization is large and you have many accounts to manage. This hack provides example scripts that simplify and speed up common administrative tasks, and I think you'll find them quite useful. You can even hand some of them to nonadministrators to delegate routine work, but keep in mind that a script grants no rights of its own: whoever runs it still needs the corresponding permission on the user objects (for example, the Reset Password right for the password script), so delegate that permission in ADUC first, and only for the OUs concerned.

To use one of these scripts, type it into Notepad (with Word Wrap turned off) and save it with a .vbs extension. Then, type cscript.exe scriptname.vbs from a command prompt, or create a shortcut to the script and double-click on the shortcut to run the script.

Changing a User's Domain Password

This simple script allows you to give others the ability to reset end users' passwords without having to install the administration tools. The script prompts for the domain, username, and new password, and reports whether the reset succeeded. Note that InputBox shows the password in clear text as it is typed, so the helper should run it where nobody is looking over their shoulder:

' Report errors through Err instead of aborting, so the result check at the end runs.
On Error Resume Next

Dim UserName
Dim UserDomain
UserDomain = InputBox("Enter the user's domain:")
UserName = InputBox("Enter the user's login name:")

' Bind through the WinNT provider; the ",user" suffix belongs inside the string and
' pins the object class, so a group or computer with the same name is not bound.
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")

Dim NewPassword
NewPassword = InputBox("Enter new password")

' SetPassword is an administrative reset (no old password needed) and is written
' immediately, so no SetInfo is required; the caller needs the Reset Password right.
Call User.SetPassword(NewPassword)

If Err.Number = 0 Then
    Wscript.Echo "The password change was successful."
Else
    Wscript.Echo "The password change failed! (" & Err.Description & ")"
End If
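As an added example (not part of the original hack), here is the same reset done from PowerShell through the [ADSI] adapter, which wraps the WinNT provider the VBScript uses. The password is read masked rather than echoed in an InputBox, the bind is verified before anything is written, and the user is forced to change the password at next logon so the helper who performed the reset never knows the password the user keeps using. The domain name CORP and user jsmith are placeholders, and the caller is assumed to hold the Reset Password right on the target account.

```powershell
# Added example, not from the original hack. Resets a domain user's password
# through the WinNT ADSI provider from PowerShell.
# Assumptions: the caller holds the "Reset Password" right on the target user;
# CORP and jsmith below are placeholders.

function Reset-DomainUserPassword {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [switch] $NoChangeAtNextLogon
    )

    # Same path form as the VBScript; ",user" pins the object class so a group or
    # computer that happens to share the name cannot be bound instead.
    $user = [ADSI]"WinNT://$Domain/$UserName,user"

    # Binding is lazy; reading a property forces it and exposes a bad name now.
    try { $null = $user.Name } catch { throw "Cannot bind to $Domain\$UserName ($_)" }

    # Unwrap the SecureString only for the duration of the call and zero it after.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # SetPassword is an administrative reset: no old password required, written
        # immediately, no SetInfo() needed (unlike other IADsUser properties).
        $user.SetPassword($plain)
    } catch {
        Write-Warning "Password reset for $Domain\$UserName failed ($_)"
        return $false
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    if (-not $NoChangeAtNextLogon) {
        # Expire the new password so the user must pick their own at next logon.
        # PasswordExpired is a cached WinNT property, hence the SetInfo().
        $user.Put('PasswordExpired', 1)
        $user.SetInfo()
    }
    return $true
}

# Usage: prompt without echo, then reset.
$pw = Read-Host -Prompt 'New password for CORP\jsmith' -AsSecureString
if (Reset-DomainUserPassword -Domain 'CORP' -UserName 'jsmith' -NewPassword $pw) {
    'Password reset; the user must change it at next logon.'
}
```

The forced change at next logon is the part worth keeping even if you stay with the VBScript: a reset performed by a help-desk account is only a temporary credential, and it should stop working as a permanent one the moment the user logs on.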

Changing User Account Names in Active Directory

Using VBScript, changing a user's account name in Active Directory is a quick process:

' Bind to the domain through the WinNT provider (forward slashes, not backslashes).
Set oDomain = GetObject("WinNT://domainname")
' Fetch the user object by class and name from the domain container.
Set oUser = oDomain.GetObject("user", "originalusername")
' A rename is a move within the same container under a new name.
oDomain.MoveHere oUser.AdsPath, "newusername"

You just need to bind to the domain (the first GetObject call), fetch the user by its current name (the second GetObject call), and rename it with the domain container's MoveHere method. This is much simpler than opening the MMC and either navigating to the user or searching Active Directory for the account. Be aware of what the WinNT provider actually renames, though: it only knows the account's pre-Windows 2000 logon name (sAMAccountName), so the object's common name and user principal name keep the old name until you change them separately. The account's SID is untouched, so group memberships and permissions follow the renamed account.

A script like this is extremely useful for occasions when names change due to things like marriage, or when the user just can't stand the name they were given for logging in.

Customize the script with the appropriate domain name (domainname), the user's old account name (originalusername), and the user's new account name (newusername).
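An added PowerShell example (not from the original hack) that goes one step beyond the WinNT rename above: because the WinNT provider changes only sAMAccountName, this version binds through the LDAP provider and renames the logon name, the userPrincipalName and the object's common name together, using the same MoveHere operation (DirectoryEntry.Rename wraps it) for the object name. The distinguished name, new names and UPN suffix are placeholders, and the caller is assumed to have write and rename rights on the user object.

```powershell
# Added example, not from the original hack. Renames a user's logon name, UPN and
# object CN together through the LDAP ADSI provider.
# Assumptions: caller has write and rename rights on the object; every name below
# is a placeholder.

function Rename-DomainUser {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,   # CN=...,OU=...,DC=...
        [Parameter(Mandatory)] [string] $NewSamAccountName,   # new pre-Windows 2000 logon name
        [string] $NewCommonName,                               # optional: new CN and displayName
        [string] $UpnSuffix                                    # optional: rewrite UPN as name@suffix
    )

    if ($NewSamAccountName.Length -gt 20) {
        throw 'sAMAccountName is limited to 20 characters for user accounts.'
    }

    $user = [ADSI]"LDAP://$DistinguishedName"
    try { $null = $user.distinguishedName } catch { throw "Cannot bind to $DistinguishedName ($_)" }

    # 1. Attributes. sAMAccountName is the only thing the WinNT rename in the hack
    #    changes; userPrincipalName (what the user types as name@domain) is left
    #    alone by a WinNT rename, so it is rewritten here explicitly.
    $user.Put('sAMAccountName', $NewSamAccountName)
    if ($UpnSuffix) { $user.Put('userPrincipalName', "$NewSamAccountName@$UpnSuffix") }
    $user.SetInfo()

    # 2. Object name. As in the VBScript, a rename is a MoveHere into the same
    #    container under a new RDN; DirectoryEntry.Rename issues exactly that call.
    if ($NewCommonName) {
        $user.psbase.Rename("CN=$NewCommonName")
        $user.Put('displayName', $NewCommonName)
        $user.SetInfo()
    }

    # The SID is unchanged by any of this, so group memberships and ACLs still
    # apply; only the names the user logs on with have moved.
    $user.psbase.RefreshCache()
    [pscustomobject]@{
        DistinguishedName = [string]$user.distinguishedName
        SamAccountName    = [string]$user.sAMAccountName
        UserPrincipalName = [string]$user.userPrincipalName
    }
}

# Usage (placeholders): Bob Smith marries and becomes Bob Jones.
Rename-DomainUser -DistinguishedName 'CN=Bob Smith,OU=Sales,DC=mtit,DC=com' `
                  -NewSamAccountName 'bjones' -NewCommonName 'Bob Jones' -UpnSuffix 'mtit.com'
```

Renaming the CN is optional and cosmetic; the logon name and UPN are what matter for authentication, and they are the two values an attacker would notice if the old ones were left dangling and later reused for a different person.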

Unlocking a Windows 2000 Domain Account

Need a quick and easy way to unlock a Windows 2000 domain account? Use VBScript. The following script prompts for the username, then the user's domain, and unlocks the specified account:

On Error Resume Next

UserName = InputBox("Enter the user's login name that you want to unlock:")
DomainName = InputBox("Enter the domain name in which the user account exists:")

Set UserObj = GetObject("WinNT://" & DomainName & "/" & UserName & ",user")

' IsAccountLocked is a cached property: clearing it reaches the domain
' controller only when SetInfo is called.
If UserObj.IsAccountLocked = True Then
    UserObj.IsAccountLocked = False
    UserObj.SetInfo
End If

If Err.Number <> 0 Then
    Wscript.Echo "The Account Unlock Failed. Check that the account is, " & _
        "in fact, locked-out. (" & Err.Description & ")"
Else
    Wscript.Echo "The Account Unlock was Successful"
End If

Disabling a Domain Account

Use this handy VBScript to quickly disable a user account in the specified domain. This script prompts for the username and domain and then disables the account you specify:

On Error Resume Next

UserDomain = InputBox("Enter the user's domain:")
UserName = InputBox("Enter the user's login name:")

Set UserObj = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")

' AccountDisabled is cached locally; SetInfo writes it to the domain controller.
UserObj.AccountDisabled = True
UserObj.SetInfo

If Err.Number = 0 Then
    Wscript.Echo "Account " & UserDomain & "\" & UserName & " is now disabled."
Else
    Wscript.Echo "Disabling the account failed: " & Err.Description
End If

Set UserObj = Nothing
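The two preceding scripts (unlock and disable) each write one cached IADsUser property and rely on the error code to report what happened. As an added PowerShell example (not part of the original hack), here is the same pair of operations done through the LDAP provider against the underlying attributes, together with a status function that reads lockout and disabled state the way the domain controller evaluates them rather than the way lockoutTime alone suggests. The distinguished name is a placeholder; the caller is assumed to have write access to lockoutTime and userAccountControl, and the domain controller is assumed to be Windows Server 2003 or later (required for the constructed attribute msDS-User-Account-Control-Computed).

```powershell
# Added example, not from the original hack. Reports and changes lockout /
# disabled state through the LDAP ADSI provider.
# Assumptions: caller can write lockoutTime and userAccountControl; the DN
# below is a placeholder; the DC is Windows Server 2003 or later (needed for
# msDS-User-Account-Control-Computed).

$ACCOUNTDISABLE = 0x0002     # userAccountControl bit
$UF_LOCKOUT     = 0x0010     # reliable only in msDS-User-Account-Control-Computed

function Get-AccountState {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $s = [ADSISearcher]'(objectClass=user)'
    $s.SearchRoot  = [ADSI]"LDAP://$DistinguishedName"
    $s.SearchScope = 'Base'
    [void]$s.PropertiesToLoad.AddRange([string[]]@(
        'sAMAccountName', 'userAccountControl', 'lockoutTime',
        'badPwdCount', 'msDS-User-Account-Control-Computed'))
    $r = $s.FindOne()
    if (-not $r) { throw "No user object at $DistinguishedName" }
    $p = $r.Properties
    $uac      = [int]$p['useraccountcontrol'][0]
    $computed = [int]$p['msds-user-account-control-computed'][0]
    # lockoutTime is a FILETIME and is NOT reset to 0 when the lockout duration
    # elapses, so "lockoutTime <> 0" over-reports. The DC evaluates
    # lockoutTime + lockoutDuration itself and exposes the answer in the
    # computed attribute's UF_LOCKOUT bit.
    $lockoutTime = if ($p['lockouttime'].Count) { [int64]$p['lockouttime'][0] } else { 0 }
    $lockedSince = if ($lockoutTime) { [datetime]::FromFileTimeUtc($lockoutTime) } else { $null }
    $badPwd      = if ($p['badpwdcount'].Count) { [int]$p['badpwdcount'][0] } else { 0 }
    [pscustomobject]@{
        SamAccountName = [string]$p['samaccountname'][0]
        Disabled       = ($uac -band $ACCOUNTDISABLE) -ne 0
        LockedOut      = ($computed -band $UF_LOCKOUT) -ne 0
        LockedSinceUtc = $lockedSince
        BadPwdCount    = $badPwd
    }
}

function Unlock-Account {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    # Writing 0 to lockoutTime is the attribute-level unlock (the same effect the
    # WinNT provider produces for IsAccountLocked = False); it needs a commit.
    $user.psbase.Properties['lockoutTime'].Value = 0
    $user.psbase.CommitChanges()
    (Get-AccountState $DistinguishedName).LockedOut -eq $false
}

function Disable-Account {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac = [int]$user.psbase.Properties['userAccountControl'].Value
    # Set the one bit rather than assigning a whole value, so the other flags
    # (DONT_EXPIRE_PASSWORD, SMARTCARD_REQUIRED, ...) survive.
    $user.psbase.Properties['userAccountControl'].Value = $uac -bor $ACCOUNTDISABLE
    $user.psbase.CommitChanges()
    # Caveat: this blocks new logons only. Sessions already established keep
    # running and service tickets already issued stay valid until they expire;
    # in an incident, also reset the password and end the user's sessions.
    (Get-AccountState $DistinguishedName).Disabled
}

# Usage (placeholder DN):
$dn = 'CN=Bob Smith,OU=Sales,DC=mtit,DC=com'
Get-AccountState $dn | Format-List
Unlock-Account $dn
```

Checking BadPwdCount before unlocking is a cheap habit worth adopting: a lockout with a handful of failures is a user who forgot a password, while a lockout with a large count that recurs minutes after each unlock is a password-guessing attempt or a stale credential on a service somewhere, and unlocking it blindly just resets the attacker's counter.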

Setting the Account to Not Expire

This handy script configures a user account to never expire. It works by setting AccountExpirationDate to 1/1/1970, which ADSI translates into an accountExpires value of 0, the directory's meaning for "never expires". Use exactly that value: any other past date is stored literally and expires the account immediately instead:

Set objUser = GetObject _
    ("LDAP://cn=username,ou=OUname,dc=domainname,dc=com")
' 1/1/1970 is the ADSI sentinel for "never expires" (accountExpires = 0).
objUser.AccountExpirationDate = #1/1/1970#
objUser.SetInfo


To use the script, replace the placeholder LDAP path in the GetObject call with the distinguished name of the account. For example, if the user account for user Bob Smith resides in the Sales OU in the mtit.com domain, that line should be changed to:

("LDAP://cn=Bob Smith,ou=Sales,dc=mtit,dc=com")

Be judicious in deciding which accounts should be set to not expire, as such accounts could pose a security risk. See [Hack #29] for a quick way to search for such accounts on your network.
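To make the sentinel visible, an added PowerShell example (not part of the original hack) sets the expiration through the LDAP provider exactly as the VBScript does, then reads the raw accountExpires attribute back so the difference between "never expires" and a genuinely past date (an expired account) is explicit. The distinguished name is a placeholder, and the caller is assumed to be allowed to write accountExpires on the object.

```powershell
# Added example, not from the original hack. Sets and verifies account expiry
# via the LDAP ADSI provider. The DN below is a placeholder.

function Get-AccountExpiry {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $s = [ADSISearcher]'(objectClass=user)'
    $s.SearchRoot  = [ADSI]"LDAP://$DistinguishedName"
    $s.SearchScope = 'Base'
    [void]$s.PropertiesToLoad.Add('accountExpires')
    $raw = [int64]$s.FindOne().Properties['accountexpires'][0]
    # accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC). Two values
    # mean "never": 0 (what ADSI writes for 1/1/1970) and 0x7FFFFFFFFFFFFFFF
    # (the value new accounts are normally created with).
    $expires = $null
    if ($raw -ne 0 -and $raw -ne [int64]::MaxValue) {
        try { $expires = [datetime]::FromFileTimeUtc($raw) } catch { $expires = $null }
    }
    $state = if ($null -eq $expires) { 'never' }
             elseif ($expires -le [datetime]::UtcNow) { 'expired' }
             else { 'active' }
    [pscustomobject]@{ Raw = $raw; State = $state; ExpiresUtc = $expires }
}

function Set-AccountExpiry {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory, ParameterSetName = 'Never')] [switch] $Never,
        [Parameter(Mandatory, ParameterSetName = 'Date')]  [datetime] $Date
    )
    $user = [ADSI]"LDAP://$DistinguishedName"
    # IADsUser.AccountExpirationDate: 1/1/1970 becomes accountExpires = 0. Any
    # other date, past or future, is stored literally, so an arbitrary past
    # date does not mean "never"; it means "expired, logon refused".
    $value = if ($Never) { [datetime]'1970-01-01' } else { $Date }
    $user.psbase.InvokeSet('AccountExpirationDate', $value)
    $user.psbase.CommitChanges()
    Get-AccountExpiry $DistinguishedName
}

# Usage (placeholder DN): same effect as the VBScript above, then verify.
$dn = 'CN=Bob Smith,OU=Sales,DC=mtit,DC=com'
Set-AccountExpiry -DistinguishedName $dn -Never
# Contrast: Set-AccountExpiry -DistinguishedName $dn -Date '1999-12-31'
```

After the -Never call Get-AccountExpiry reports the account as never expiring with a raw value of 0; after the contrasting call with a real past date it reports the account as expired, which is the mistake the "set it to a past date" description invites. Reading the raw attribute back after every write is the habit that catches it.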

—Rod Trent