1. Home
  2. Microsoft Products
  3. Windows Server Hack

Hack 26 Manage User Accounts in Active Directory

figs/moderate.gif figs/hack26.gif

Use these five handy scripts to easily manage domain user accounts.

While the usual way of managing user accounts in Active Directory is to use the Active Directory Users and Computers (ADUC) console, that GUI approach to managing accounts can be tedious if your organization is large and you have many accounts to manage. This hack provides examples of scripts you can use to simplify things and speed up common administrative tasks, and I think you'll find them quite useful. You can even use some of them to delegate certain tasks to nonadministrators to save you time and trouble.

To use one of these scripts, type it into Notepad (with Word Wrap turned off) and save it with a .vbs extension. Then, type cscript.exe scriptname.vbs from a command prompt, or create a shortcut to the script and double-click on the shortcut to run the script.

Changing a User's Domain Password

This simple script allows you to give others the ability to change end users' passwords without having to install the administration tools. The script prompts for the domain, username, and new password, and notifies the user of whether the password change was successful:

Dim UserName

Dim UserDomain

UserDomain = InputBox("Enter the user's domain:")

UserName = InputBox("Enter the user's login name:")

Set User = GetObject("WinNT://" & UserDomain & "/"& UserName &"",user)



Dim NewPassword

NewPassword = InputBox("Enter new password")

Call User.SetPassword(NewPassword)



If err.number = 0 Then

Wscript.Echo "The password change was successful."

Else

Wscript.Echo "The password change failed!"

End if

Changing User Account Names in Active Directory

Using VBScript, changing a user's account name in the Active Directory is a quick process:

Set oDomain = GetObject("WINNT:\\domainname")

Set oUser = oDomain.GetObject("originalusername")

oDomain.MoveHere oUser.AdsPath, "newusername"

You just need to connect to the specific domain (as indicated in the first line), set the original username (the second line), and then change the username using the MoveHere method (the third line). This is a much simpler process than opening up the MMC and either navigating to the username or searching the Active Directory for the account instances.

A script like this is extremely useful for occasions when names change due to things like marriage, or when the user just can't stand the name they were given for logging in.

Customize the script with the appropriate domain name (domainname), the user's old account name (originalusername), and the user's new account name (newusername).

Unlocking a Windows 2000 Domain Account

Need a quick and easy way to unlock a Windows 2000 domain account? Use VBScript. The following script prompts for the username, then the user's domain, and unlocks the specified account:

UserName = InputBox("Enter the user's login name that you want to unlock:")



DomainName = InputBox("Enter the domain name in which the user account exists:")



Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")

If UserObj.IsAccountLocked = -1 then UserObj.IsAccountLocked = 0

UserObj.SetInfo



If err.number = 0 Then

Wscript.Echo "The Account Unlock Failed. Check that the account is, " & _

"in fact, locked-out."

Else

Wscript.Echo "The Account Unlock was Successful"

End if

Disabling a Domain Account

Use this handy VBScript to quickly disable a user account in the specified domain. This script prompts for the username and domain and then disables the account you specify:

Dim Username

Dim UserDomain

UserDomain = InputBox("Enter the user's domain:")

UserName = InputBox("Enter the user's login name:")

Set UserObj = GetObject("WinNT://" & UserDomain & "/" & Username &)

UserObj.AccountDisabled = True

UserObj.SetInfo

Set UserObj = Nothing

Setting the Account to Not Expire

This handy script configures a user account to not expire. The script works by setting the expiration date attribute to a past date:

Set objUser = GetObject _

("LDAP://cn=yourcontainer,ou=yourOU,dc=yourDC,dc=com")

objUser.AccountExpirationDate = "01/01/1970"

objUser.SetInfo

To use the script, customize the second line as desired. For example, if the user account for user Bob Smith resides in the Sales OU in the mtit.com domain, this line should be changed to:

("LDAP://cn=Bob Smith,ou=Sales,dc=mtit,dc=com")

Be judicious in deciding which accounts should be set to not expire, as such accounts could pose a security risk. See [Hack #29] for a quick way to search for such accounts on your network.

?Rod Trent



    		Windows Server Hacks
    		Credits
    		Foreword: I'm a Sci-Fi freak
    		Preface
    		Chapter 1. General Administration
    		Chapter 2. Active Directory
    		Chapter 3. User Management
    		Hacks #25-35
    		Hack 25 Search for Domain Users
    		Hack 26 Manage User Accounts in Active Directory
    		Hack 27 Get a List of Disabled Accounts
    		Hack 28 Get User Account Information
    		Hack 29 Check for Passwords that Never Expire
    		Hack 30 Enumerate Group Membership to a CSV File
    		Hack 31 Modify User Properties for All Users in a Particular OU
    		Hack 32 Check Group Membership and Map Drives in a Logon Script
    		Hack 33 Script Creation of a User's Home Directory and Permissions
    		Hack 34 Prevent Ordinary Users from Creating Local Accounts
    		Hack 35 Put a Logoff Icon on the Desktop
    		Chapter 4. Networking Services
    		Chapter 5. File and Print
    		Chapter 6. IIS
    		Chapter 7. Deployment
    		Chapter 8. Security
    		Chapter 9. Patch Management
    		Chapter 10. Backup and Recovery
    		Colophon