Use these five handy scripts to easily manage domain user accounts.
While the usual way of managing user accounts in Active Directory is to use the Active Directory Users and Computers (ADUC) console, that GUI approach to managing accounts can be tedious if your organization is large and you have many accounts to manage. This hack provides examples of scripts you can use to simplify things and speed up common administrative tasks, and I think you'll find them quite useful. You can even use some of them to delegate certain tasks to nonadministrators to save you time and trouble.
To use one of these scripts, type it into Notepad (with Word Wrap turned off) and save it with a .vbs extension. Then, type cscript.exe scriptname.vbs from a command prompt, or create a shortcut to the script and double-click on the shortcut to run the script.
This simple script allows you to give others the ability to change end users' passwords without having to install the administration tools. The script prompts for the domain, username, and new password, and notifies the user of whether the password change was successful. The person running it still needs permission to reset the target account's password, and InputBox displays the new password in clear text as it is typed:

    ' Without this, a failed bind or SetPassword call would end the script
    ' before the result message is shown
    On Error Resume Next
    Dim UserName
    Dim UserDomain
    Dim User
    UserDomain = InputBox("Enter the user's domain:")
    UserName = InputBox("Enter the user's login name:")
    ' Bind to the user object through the WinNT provider
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    Dim NewPassword
    NewPassword = InputBox("Enter new password")
    Call User.SetPassword(NewPassword)
    If Err.Number = 0 Then
        WScript.Echo "The password change was successful."
    Else
        WScript.Echo "The password change failed!"
    End If

Using VBScript, changing a user's account name in Active Directory is a quick process:

    Set oDomain = GetObject("WinNT://domainname")
    Set oUser = oDomain.GetObject("user", "originalusername")
    oDomain.MoveHere oUser.ADsPath, "newusername"

You just need to connect to the specific domain (as indicated in the first line), set the original username (the second line), and then change the username using the MoveHere method (the third line). This is a much simpler process than opening up the MMC and either navigating to the username or searching Active Directory for the account instances.
A script like this is extremely useful for occasions when names change due to things like marriage, or when the user just can't stand the name they were given for logging in.
Customize the script with the appropriate domain name (domainname), the user's old account name (originalusername), and the user's new account name (newusername).
Need a quick and easy way to unlock a Windows 2000 domain account? Use VBScript. The following script prompts for the username, then the user's domain, and unlocks the specified account:

    ' Let the script reach the result message even if the bind or SetInfo fails
    On Error Resume Next
    UserName = InputBox("Enter the user's login name that you want to unlock:")
    DomainName = InputBox("Enter the domain name in which the user account exists:")
    Set UserObj = GetObject("WinNT://" & DomainName & "/" & UserName & ",user")
    ' Clear the lockout flag only if the account is currently locked
    If UserObj.IsAccountLocked = -1 Then UserObj.IsAccountLocked = 0
    UserObj.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "The Account Unlock Failed. Check that the account is, " & _
            "in fact, locked-out."
    Else
        WScript.Echo "The Account Unlock was Successful"
    End If

Use this handy VBScript to quickly disable a user account in the specified domain. This script prompts for the username and domain and then disables the account you specify:

    Dim UserName
    Dim UserDomain
    UserDomain = InputBox("Enter the user's domain:")
    UserName = InputBox("Enter the user's login name:")
    ' Bind to the user object through the WinNT provider
    Set UserObj = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    ' Set the disabled flag and write the change back to the directory
    UserObj.AccountDisabled = True
    UserObj.SetInfo
    Set UserObj = Nothing

This handy script configures a user account to not expire. The script works by setting the expiration date attribute to a past date:

    Set objUser = GetObject _
        ("LDAP://cn=yourcontainer,ou=yourOU,dc=yourDC,dc=com")
    objUser.AccountExpirationDate = "01/01/1970"
    objUser.SetInfo

To use the script, customize the second line as desired. For example, if the user account for user Bob Smith resides in the Sales OU in the mtit.com domain, this line should be changed to:
Be judicious in deciding which accounts should be set to not expire, as such accounts could pose a security risk. See [Hack #29] for a quick way to search for such accounts on your network.
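
The following is an added example, not part of the original text or of the referenced hack: one way to list the enabled accounts that are set to never expire, so the accounts this caution applies to can be reviewed. It assumes the script is run with cscript.exe on a domain-joined machine and uses the ADO ADsDSOObject provider; the variable names are illustrative.

```vbscript
' Added example: list enabled user accounts whose accountExpires value
' means "never expires" (0 or 9223372036854775807).
Option Explicit
Dim rootDSE, baseDN, conn, cmd, rs, filter, count

' Assumption: run by a domain user on a domain-joined machine, so the
' current domain can be discovered from RootDSE instead of being hard-coded.
Set rootDSE = GetObject("LDAP://RootDSE")
baseDN = rootDSE.Get("defaultNamingContext")

' Enabled users only: the ACCOUNTDISABLE flag (0x2) of userAccountControl
' must be clear, tested with the LDAP bitwise-AND matching rule.
filter = "(&(objectCategory=person)(objectClass=user)" & _
         "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" & _
         "(|(accountExpires=0)(accountExpires=9223372036854775807)))"

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' Page the results so the listing is not cut off in large domains
cmd.Properties("Page Size") = 500
cmd.CommandText = "<LDAP://" & baseDN & ">;" & filter & _
                  ";sAMAccountName,distinguishedName;subtree"

Set rs = cmd.Execute
count = 0
Do Until rs.EOF
    WScript.Echo rs.Fields("sAMAccountName").Value & vbTab & _
                 rs.Fields("distinguishedName").Value
    count = count + 1
    rs.MoveNext
Loop
WScript.Echo count & " enabled account(s) with no expiration date."

rs.Close
conn.Close
```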