change password... without knowing current

  • #1

    Hi,

    I work for the university, in a certain department... we get lots and lots of students saying they have lost their password, or forgotten it, or whatever else.

    Students have two accounts, a campus wide account, and then our department account.

    So currently I have 3 domain controllers, two 2k3 and one 2k8, with a 2k3 holding the FSMO roles.
    Students log into Novell Servers on the campus.
    Students log into Active Directory in our Department.

    My idea, if it is possible to do, is....
    BTW, they have the same username on both the campus and the departmental machines.

    So, they log into their campus account on the machine, then I want this machine to load up something that will allow them to change their current password without them even knowing it...

    This is because we get about 10 students every week.

    But we want them to log into a machine; the machine loads a script, webpage or something that allows them to change their Active Directory password without them knowing their current password.

    So does something like this exist, or can it be implemented?

    Many thanks

  • #2

    Any solution implies that everyone can change others' passwords too and can access their private data; are you sure that is what you want?

    To give users the 'Reset Password' permission you should edit the permissions on the user objects - ADD the reset password permission to SELF (http://forums.petri.com/showthread.p...480#post244480)

    /Rems

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3

      Well, we only want them to change their own password only, but without them knowing what the current password is.

      Ok,

      Students on campus (the university) have an account such as 'acp11abc'; they also have an account 'acp11abc' on our AD in our department.

      This machine has campus login, so students log in with their campus account first, and the machine says "OK, you're acp11abc, you can now change your AD password for acp11abc".

      And only allows that user to change their own account's password, without knowing their AD password.

      So basically, it is secure



      • #4

        Instead of giving the students permission to reset their own password, delegate control to a newly created group in AD. Allow this group "Reset passwords" for all user accounts in an OU (remove the "and force password change at next logon" permission manually afterwards).

        Create a new dedicated user account and make it a member of the group.
        Use the credentials of this account to authenticate with a DC (server bind with alternate credentials); then this account resets the password of the user in AD that has the same logon name as the currently logged-on user.

        I can help write a VBS script. The VBS script will be saved locally on the computer(s) and run as a user logon script.

        The script can either ask the user to enter a new password (but this could give problems if the entered password does not match the password policies of the domain), or the script generates a complex password and the user does not know this password. The choice depends on what the user wants to do in the domain.
        If it is just for accessing a file server in the domain I would choose the latter; then the script binds to the file server using the credentials of the student. It can map a drive.

        Note! The credentials of the account that connects to ADO will be visible in plain text in the script.


        /Rems



        • #5

          OK, I would be so happy if you can help me with this.
          I don't know anything about VBS.

          I do have password policies enabled:
          8+ characters
          and complexity

          The students log in to Windows 7, Linux, web servers and file servers, which all authenticate to the AD...

          But we only want the user to log into the 'campus' machine, have the VBS script reset his/her password, and then log out of the machine... then the user will start using his/her new password on the normal departmental machines, which include Windows 7, Linux, web servers, file servers... etc.; they all authenticate to the Windows AD.

          many thanks for this



          • #6

            OK,
            it is going to be a script that I cannot test completely from here. But I am positive it will work, and also run on Windows computers that are not members of the domain but are able to find a specified DC over the network in the other domain.

            Firstly you should create a new security group in AD (e.g. ALLOW_RESET_USER_PASSWORDS).
            After that, right-click on the OU where the objects of the aimed users are housed
            and select Delegate Control.
            Add the group you just created to delegate control to.
            Next, check the task "Reset user passwords and force password change at next logon".
            Click Next/Finish to complete.

            IMPORTANT! : force password change at next logon is what you actually do not want to happen, therefore
            right-click the same OU again and select Properties.
            (make sure the view 'Advanced Features' was checked in advance).
            At the Properties window of the OU go to the tab "Security"
            and click the "Advanced" button.
            Notice that the group you just added is listed twice in the list.
            Edit the one entry that gives this group Read and Write "PwdLastSet" permissions - you should at least untick "Write PwdLastSet" (you can untick both).
            So... the group should just be given the permission to reset passwords, that is what
            is being done with the other entry.
            And it must be disallowed to change the PwdLastSet attribute, that is what you just took care of.
            Finally create a dedicated new user account; its credentials will be hard-coded in the script. The credentials will be used for making the connection to AD and resetting the user's password when the script is started.
            Make this new account a member of the group you created earlier.

            I will post the script when it is finished. Because VBS scripts are plain text files and the credentials of the dedicated account are required to be coded in the script, I am currently playing with the code to make it less obvious that alternate credentials are actually used in there. Additionally I would also like to hide the credentials in one string that is converted to hexadecimal (optionally it would be possible to store the hexadecimal string, containing the credentials, locally in the registry instead of in the script itself). Finally it is recommended to encode the entire script using the Windows Script Encoder, or to compile it to an exe file.
            I should mention that scripts actually should never contain the credentials of a powerful account. If a user finds out credentials were coded somewhere in the script, and really wants to discover them, I am sure s/he will be successful in the end.

            /Rems

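The delegation steps in post #6 (and #4), carried out with the ActiveDirectory PowerShell module instead of the Delegation of Control wizard, as an added example that is not part of the thread or of Rems's attached script. It grants the group only the "Reset Password" control access right on user objects below the OU, so the "Write pwdLastSet" entry the wizard adds for "force password change at next logon" is never created and does not have to be removed by hand afterwards; it then reads the ACL back to confirm. The OU distinguished name and the service account name are assumptions; the group name is the one used in the thread. Run it as a domain admin on a machine with RSAT.

```powershell
# Added example (editorial; not from the thread or Rems's attached script).
# Delegates only the "Reset Password" control access right on user objects
# below an OU to a group, so the "Write pwdLastSet" entry that the Delegation
# of Control wizard adds for "force password change at next logon" is never
# created. Assumptions: the OU DN and the service account name; the group name
# is the one from post #6. Needs RSAT (ActiveDirectory module) and domain admin.
Import-Module ActiveDirectory

$OuDn       = 'OU=Students,DC=domain,DC=local'   # assumption
$GroupName  = 'ALLOW_RESET_USER_PASSWORDS'       # from post #6
$SvcAccount = 'svc-pwreset'                      # assumption

# Well-known AD schema GUIDs (identical in every forest).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # controlAccessRight "Reset Password"
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # classSchema "user"
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attributeSchema "pwdLastSet"

# 1. The group and the single dedicated account whose credentials the reset script will use.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'May reset student passwords in the Students OU; nothing else'
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Enabled $true `
        -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") `
        -PasswordNeverExpires $true -CannotChangePassword $true
}
Add-ADGroupMember -Identity $GroupName -Members $SvcAccount

# 2. One ACE: Allow ExtendedRight "Reset Password", inherited by descendant user objects only.
$sid = (Get-ADGroup -Identity $GroupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass
)
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 3. Read the ACL back: show what the group holds and warn if any entry can write pwdLastSet.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$entries = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
foreach ($e in $entries) {
    if ($e.ObjectType -eq $PwdLastSetAttr -and (($e.ActiveDirectoryRights -band $writeProp) -ne 0)) {
        Write-Warning "$GroupName can still write pwdLastSet (force change at next logon); remove that entry."
    }
    $e | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

The verification step is the one to keep after any later change made through the GUI: the wizard's "Reset user passwords and force password change at next logon" task is two ACEs, and only the pwdLastSet one turns a reset into a forced change at next logon.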


            • #7

              Just wondering....
              The students LOG INTO their campus machine.... then they say they have LOST their password (paraphrase of the original post).

              Sounds as if user education is more important than a "solution" that will just encourage laziness!
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **



              • #8

                Here is the script (attached as a txt file to this post, because it'd be too long if I pasted it here. After download change the extension to .vbs).

                Please read the prerequisites for delegation of the reset password task and further notes here: http://forums.petri.com/showpost.php...70&postcount=6

                The script is using alternate credentials to authenticate with a defined domain controller in the defined domain.
                (It is making a 'server bind' to use ADO, as explained here http://www.rlmueller.net/ADOAltCredentials.htm)

                Mind the Const STRINGS = 0 at the beginning of the file!
                It should have the value zero when running the script for the first time. On the first run it will ask you for the domain name, username and password of the dedicated account that has permission to reset passwords. The script then returns a code line.
                Copy the line and replace the current line Const STRINGS = 0 with the new line.
                After that the script is ready to use. It is better though to encode, or even better to encrypt or compile, the vbs file to an exe (not by creating a simple self-extracting/self-installing exe file of course). (Additionally it is possible to use NTFS Alternate Data Streams to hide the entire file from the file system, protecting the content even more this way.)

                Users can execute the script via a shortcut or launcher, or it can run as a logon script.


                <see attached file>
                After the first run, you could clean up some functions from the script if you like.


                /Rems
                Last edited by Rems; 5th February 2012, 23:37.



                • #9

                  Many thanks Rems,

                  Currently, I get an error:
                  Windows Script Host
                  Error Code: 1A8 (424)
                  Object required: Microsoft VBScript runtime error.

                  So I am not sure if I got the domain name and server name correct.
                  But I just thought, it won't actually work because of the different VLANs, and the 'domain' won't be seen on campus; it only works within our department's network, although I probably can get a 'campus' machine to work within our department's VLAN that authenticates to the campus network, but that's another step.

                  But I do have another solution for this,
                  by not using a campus machine but rather a webpage.

                  SSL: they log in to one of our department webpages that authenticates them against the campus servers, then something on the webpage says 'you're abc, here's a list of things you can do', i.e. 'reset password'.

                  But that would be using CGI, Perl, or something, so no code will be seen, as it's on the backend.

                  I will get the VBS to work anyway; any help on the error code though?

                  Many thanks



                  • #10

                    Originally posted by plawlor:
                      Many thanks Rems,

                      Currently, I get an error:
                      Windows Script Host
                      Error Code: 1A8 (424)
                      Object required: Microsoft VBScript runtime error.

                      So I am not sure if I got the domain name and server name correct.
                      <...>
                      I will get the VBS to work anyway; any help on the error code though?

                      Many thanks

                    The campus computer should be able to contact the DC of course. Is the DC pingable from the campus PC?
                    If you copied the script and only changed the DN of the domain and the IP or name of the DC, then the error most likely indicates the specified DC cannot be found, or there is a typo in the DN of the domain.

                    /Rems



                    • #11

                      I can ping DC.dcs.name.xx.uk
                      Can't ping DC.DOMAIN.dcs.name.xx.uk
                      On campus machine,

                      I can ping DC.dcs.name.xx.uk
                      and DC.DOMAIN.dcs.name.xx.uk
                      on same VLAN machine.

                      But I am actually trying the script on the same VLAN before putting it on the campus machine, which is where I am getting the error from.

                      I now have a different error; I can't remember what I changed to get this error, but I do remember installing the Script Encoder on the machine after I got that first error.

                      Error Code: 46 (70)
                      Permission denied: Microsoft VBScript runtime error

                      also is it possible to make the script to display the username ?



                      • #12

                        Make sure the name of the DC can be resolved on the campus network. And if there is no routing configured between both networks then of course you can't run the script from a campus machine. If there is, then you might also have to create a static route on the DC that defines a path to the other network.

                        Originally posted by plawlor:
                          also is it possible to make the script display the username?

                        Sure, by replacing the first part of the script (all the code above the line with quotes '''' that is) with:
                        Code:
                        'Important: prepare the script first with  Const STRINGS = 0
                        'see post: http://forums.petri.com/showthread.php?p=253233#post253233

                        'Author: Remco Simons (NL, 2012)

                        ' Note: be careful, this sample script uses the name of the currently
                        ' logged-on user to find the object in another AD that has the same NT name.

                        ' Edit the correct values below (strDNSDomain and strServer):
                        '  !  Specify the name or IP address of a domain controller in the (remote) domain
                        '  !  Specify the distinguished name of the (remote) domain

                        ' This is only the top half of the attached script. arrSTRINGS (decodes the
                        ' alternate credentials from STRINGS), generatePassword and Quit (the
                        ' first-run routine that asks for the credentials and prints the new
                        ' Const STRINGS line) live in the lower half, below the line of quotes.


                        Option Explicit
                        Const STRINGS = 0
                        Const MIN_PW_Length = 8

                        Dim strDNSDomain, strServer, WshNetwork, CurrentUser, randomPW
                        Dim oRE, strPassword, next1, next2

                        ' Specify the distinguished name of the domain.
                        strDNSDomain = "dc=domain,dc=LOCAL"

                        ' Specify the name or IP of a domain controller.
                        strServer = "192.168.10.11"

                        ' Retrieve the login name of the current user.
                        Set WshNetwork = WScript.CreateObject("WScript.Network")
                        CurrentUser = WshNetwork.UserName

                        rem ---------
                        ' JUST for testing purposes: the name of a test user is hard-coded here
                        ' and overwrites the name of the current user.
                        CurrentUser = "mytestaccount"
                        ' (remove these lines after testing)
                        rem ---------


                        Sub askUserToEnterNewPassword
                           Dim x
                           ' Ask the user to enter a new password or to accept the suggested one.
                           Do
                             strPassword = Trim(InputBox(vbNewline _
                               & "Enter a password" & vbNewline _
                               & "(or you can accept the suggested password below)", _
                               "Reset the password of " & CurrentUser & " in AD", randomPW))
                             If Len(strPassword) = 0 Then
                               x = MsgBox(vbNewline & vbNewline & _
                                 "Do you want to quit without changing your password?", _
                                 4+256+32+4096, "Quit Yes/No")
                               If x = vbYes Then WScript.Quit
                             ElseIf Len(strPassword) < MIN_PW_Length Then
                               WScript.Echo "The password must be at least " & MIN_PW_Length & " characters long."
                             Else
                               Exit Do
                             End If
                           Loop
                        End Sub

                        Sub UserAllowedToChangePassword
                           Const ADS_SECURE_AUTHENTICATION = &H1
                           Const ADS_SERVER_BIND = &H200

                           Dim s : s = arrSTRINGS   ' s(1) = user name, s(2) = password of the dedicated account
                           Dim adoRecordset, adoCommand, adoConnection, strQuery
                           Dim strBase, strFilter, strAttributes, objUser, strDN

                           On Error Resume Next

                           ' Use ADO to search Active Directory, authenticating with the
                           ' alternate credentials (server bind to the DC in strServer).
                           Set adoCommand = CreateObject("ADODB.Command")
                           Set adoConnection = CreateObject("ADODB.Connection")
                           adoConnection.Provider = "ADsDSOObject"
                           adoConnection.Properties(next1) = s(1)
                           adoConnection.Properties(next2) = s(2)
                           adoConnection.Properties("Encrypt Password") = True
                           adoConnection.Properties("ADSI Flag") = ADS_SERVER_BIND _
                             Or ADS_SECURE_AUTHENTICATION
                           adoConnection.Open "Active Directory Provider"
                           Set adoCommand.ActiveConnection = adoConnection

                           ' Search the entire domain.
                           strBase = "<LDAP://" & strServer & "/" & strDNSDomain & ">"

                           ' Search for the user with the same logon name as the current user.
                           strFilter = "(&(objectCategory=person)(objectClass=user)" _
                                     & "(sAMAccountname=" & CurrentUser & "))"

                           ' Comma delimited list of attribute values to retrieve.
                           strAttributes = "distinguishedName"

                           ' Construct the LDAP query.
                           strQuery = strBase & ";" & strFilter & ";" _
                             & strAttributes & ";subtree"

                           ' Run the query.
                           adoCommand.CommandText = strQuery
                           adoCommand.Properties("Page Size") = 100
                           adoCommand.Properties("Timeout") = 30
                           adoCommand.Properties("Cache Results") = False
                           Set adoRecordset = adoCommand.Execute

                           ' If the DC in strServer cannot be reached or the domain DN is wrong,
                           ' the bind or the query fails here. Report it instead of continuing
                           ' (under On Error Resume Next every later statement on adoRecordset
                           ' would otherwise fail silently and nothing would be reset).
                           If Err.Number <> 0 Then
                             WScript.Echo "Cannot query " & strServer & " for " & strDNSDomain & ": " _
                                          & Err.Description & " (" & Hex(Err.Number) & ")"
                             WScript.Quit
                           End If

                           If adoRecordset.EOF Then
                             WScript.Echo "No user named " & CurrentUser & " found in " & strDNSDomain
                           End If

                           ' Enumerate the resulting recordset.
                           Do Until adoRecordset.EOF
                             ' Retrieve values.
                             strDN = adoRecordset.Fields("distinguishedName").Value

                             ' Bind to the user object with the alternate credentials.
                             Set objUser = GetObject("LDAP:").OpenDSObject("LDAP://" & strServer _
                                & "/" & strDN, s(1), s(2), ADS_SECURE_AUTHENTICATION)

                             Do : Err.Clear
                               If strPassword = "" Then askUserToEnterNewPassword

                               ' SetPassword is an administrative reset: it needs the delegated
                               ' "Reset password" right but not the user's current password.
                               ' Error 70 "Permission denied" here means the dedicated account
                               ' lacks that right on this user object.
                               objUser.SetPassword(strPassword)
                               If Err.Number = 0 Then
                                 Exit Do
                               ElseIf Err.Number = -2147022651 Then
                                 WScript.Echo "error code: " & Hex(-2147022651) & vbNewline _
                                      & "The password does not meet the password complexity requirements."
                               Else
                                 WScript.Echo "Error code:", Hex(Err.Number), _
                                              "(" & Err.Number & ")" & vbNewline _
                                              & Err.Description, Err.Source
                               End If
                               strPassword = Empty
                             Loop

                             Set objUser = Nothing

                             adoRecordset.MoveNext
                           Loop

                           ' Clean up.
                           adoRecordset.Close
                           adoConnection.Close

                           WScript.Quit
                        End Sub

                        Set oRE = New RegExp
                        oRE.Pattern = "." : oRE.Global = True
                        next1 = "User ID" : next2 = "Password"
                        If Left(STRINGS, 2) = "0x" Then
                           randomPW = generatePassword(MIN_PW_Length)
                           askUserToEnterNewPassword
                           UserAllowedToChangePassword
                        Else
                           Quit   ' first run: STRINGS is still 0, prepare the credential line
                        End If



                        ''''''''''''''''''''''''''''''''''''''


                        Originally posted by plawlor:
                          I am actually trying the script on the same VLAN before putting it on the campus machine, which is where I am getting the error from.

                          I now have a different error; I can't remember what I changed to get this error, but I do remember installing the Script Encoder on the machine after I got that first error.

                          Error Code: 46 (70)
                          Permission denied: Microsoft VBScript runtime error

                        The error indicates that the special account does not have permission to change the password of the current user in AD. Check whether or not the current user is in the correct OU, and re-check the delegation of control on this OU. Or else make sure the script is still using the alternate credentials; maybe you have changed something in that part of the script.


                        /Rems
                        Last edited by Rems; 9th February 2012, 20:11.

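The same reset the VBScript above performs, as an added PowerShell example that is not part of the thread or of the attached script: a server bind to a named DC with the dedicated account's credentials (System.DirectoryServices, the .NET face of the ADSI calls the VBScript makes), a lookup of the account with the same logon name as the person at the keyboard, then an administrative SetPassword. It differs from the VBScript in two points a practitioner would want: the logon name is escaped before it is placed in the LDAP filter, and the reset account's credentials are prompted for rather than stored in the script. The DC name and domain DN are assumptions; the group name is the one from post #6. It needs Windows PowerShell 5.1 and network reachability to the DC, but no RSAT.

```powershell
# Added example (editorial; not from the thread or Rems's attached script).
# Resets one account's password in a remote domain via a server bind to a
# named DC with the dedicated reset account's credentials, the technique the
# thread describes. Assumptions: $Server and $DomainDn; the group name in the
# credential prompt is the one from post #6.
Add-Type -AssemblyName System.DirectoryServices

$Server   = 'dc01.domain.local'     # assumption: name or IP of a DC in the departmental domain
$DomainDn = 'DC=domain,DC=local'    # assumption

# Escape the characters that are special in an LDAP filter (RFC 4515), so the
# logon name can only ever be compared as a value, never change the filter's shape.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ([string]$c) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function Reset-RemoteUserPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [Parameter(Mandatory)][pscredential]$ResetAccount
    )
    # ServerBind: talk to exactly the DC named, do not let ADSI locate one (the
    # campus machine is not a domain member). Secure: Kerberos/NTLM, not a
    # simple bind, so the reset account's password is not sent in clear.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::ServerBind

    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$DomainDn",
        $ResetAccount.UserName,
        $ResetAccount.GetNetworkCredential().Password,
        $auth
    )
    # Touching NativeObject forces the bind now, so an unreachable DC or a bad
    # DN surfaces here instead of as a confusing failure later.
    try { [void]$root.NativeObject } catch {
        throw "Cannot bind to $Server as $($ResetAccount.UserName): $($_.Exception.Message)"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $escaped = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = $searcher.FindAll()
    if ($hits.Count -ne 1) {
        throw "Expected exactly one account named '$SamAccountName' under $DomainDn, found $($hits.Count)."
    }

    # GetDirectoryEntry() reuses the search root's credentials, so this is still the reset account.
    $user  = $hits[0].GetDirectoryEntry()
    $plain = (New-Object System.Net.NetworkCredential -ArgumentList '', $NewPassword).Password
    try {
        # Administrative reset: needs the Reset Password right on the object,
        # not the user's current password.
        $user.Invoke('SetPassword', $plain)
        $user.CommitChanges()
    } catch {
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        switch ($inner.HResult) {
            { $_ -eq -2147022651 } { throw "Password rejected by the domain password policy (0x800708C5)." }
            { $_ -eq -2147024891 } { throw "Access denied (0x80070005): check the Reset Password delegation on the OU." }
            default                { throw "SetPassword failed: $($inner.Message) (0x$('{0:X8}' -f $inner.HResult))" }
        }
    }
    return $user.Properties['distinguishedName'].Value
}

# Usage: the person logged on to the campus machine resets the account with the
# same logon name in the departmental domain; the reset account is typed in, not stored.
$cred = Get-Credential -Message 'Dedicated reset account (member of ALLOW_RESET_USER_PASSWORDS)'
$new  = Read-Host -AsSecureString "New password for $env:USERNAME"
Reset-RemoteUserPassword -SamAccountName $env:USERNAME -NewPassword $new -ResetAccount $cred
```

The two HRESULTs it distinguishes are the ones this thread ran into: 0x800708C5 is the policy rejection the VBScript already tests for, and 0x80070005 is the access-denied case behind the "Permission denied" runtime error, which points at the OU delegation rather than at the script.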


                        • #13

                          Hi

                          Apologies not getting back sooner, been rather busy with other stuff.
                          I have not been able to have some free time for this script, but hopefully in the next few weeks.
