Help with AD Script for setting password never expires
  • #1
    Help with AD Script for setting password never expires

    So I've just been tasked with setting "Password Never Expires" for our "TS Users" group on a WS2003 AD. I've been trying to modify this code:

    Code:
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    strOU = "ou=TS Users"
    strDomain = "pls.com"
    
    set objRootDSE = GetObject("LDAP://"&strDomain&"/RootDSE")
    set objParent = GetObject("LDAP://"&strOU&","(objRootDSE.Get("defaultNamingContext")))
    
    intUAC = objUser.Get("userAccountControl")
    objParent.Filter = Array("user")
    
    for each objUser in objParent
      If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
      else
         objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
      objUser.SetInfo
      end if
    next
    But I can't get it to work for some reason; would anyone mind telling me where I went wrong? My newbness at VBS smacks me hard.
    Last edited by Managor; 4th October 2010, 17:52.
    "To err is human but to really **** things up requires a computer user..."

    "The path to enlightenment is /user/bin/enlightenment"

    A+ CE
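The flag test and XOR update the script above is built around, redone in Python as an added example (not code from this thread) so the bit arithmetic can be checked without a domain controller. Only ADS_UF_DONT_EXPIRE_PASSWD = &h10000 and the sAMAccountType value 805306368 come from the thread; the other flag values are the documented ADS_USER_FLAG constants, and the member records are constructed sample data. It shows why `OR` is the safe way to set the bit (re-running the script changes nothing) while a bare `XOR` toggles it, and adds the audit view a defender wants: which accounts are exempt from password expiry.

```python
from __future__ import annotations

# Bit values of userAccountControl. The thread uses ADS_UF_DONT_EXPIRE_PASSWD
# (&h10000); the others are the documented ADS_USER_FLAG constants.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_DONT_REQ_PREAUTH = 0x400000

UAC_FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000, the value the thread tests for
SAM_GROUP_OBJECT = 0x10000000         # what a nested group reports


def has_flag(uac: int, flag: int) -> bool:
    """The thread's `If FLAG AND intUAC Then` test: is the bit set?"""
    return uac & flag == flag


def with_flag(uac: int, flag: int) -> int:
    """Set the bit with OR: idempotent, running it twice changes nothing."""
    return uac | flag


def without_flag(uac: int, flag: int) -> int:
    """Clear the bit with AND NOT, also idempotent."""
    return uac & ~flag


def toggle_flag(uac: int, flag: int) -> int:
    """What `intUAC XOR FLAG` in the thread actually does: it flips the bit.
    Inside an Else branch that already knows the bit is clear this equals
    with_flag; applied unconditionally it would clear the flag every second run."""
    return uac ^ flag


def decode_uac(uac: int) -> list[str]:
    """Names of the known bits that are set, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if has_flag(uac, bit)]


# Constructed sample of what enumerating a group's Members might return.
# Groups carry no userAccountControl, hence None.
SAMPLE_MEMBERS = [
    {"cn": "alice", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 0x200},
    {"cn": "bob", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 0x10200},
    {"cn": "svc-backup", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 0x10222},
    {"cn": "TS Admins", "sAMAccountType": SAM_GROUP_OBJECT, "userAccountControl": None},
]


def plan_never_expire(members: list[dict]) -> list[tuple[str, int, int]]:
    """Dry run of the thread's loop: (cn, old UAC, new UAC) for each user member
    that still needs the flag. Nested groups are skipped, as the thread's
    sAMAccountType test does; a production script would recurse into them."""
    changes = []
    for m in members:
        if m["sAMAccountType"] != SAM_NORMAL_USER_ACCOUNT:
            continue
        uac = m["userAccountControl"]
        if not has_flag(uac, ADS_UF_DONT_EXPIRE_PASSWD):
            changes.append((m["cn"], uac, with_flag(uac, ADS_UF_DONT_EXPIRE_PASSWD)))
    return changes


def audit_never_expire(members: list[dict]) -> list[str]:
    """Defender's view of the same data: accounts exempt from password expiry,
    which belong on a periodic review list."""
    return [
        m["cn"] for m in members
        if m["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
        and has_flag(m["userAccountControl"], ADS_UF_DONT_EXPIRE_PASSWD)
    ]


if __name__ == "__main__":
    for cn, old, new in plan_never_expire(SAMPLE_MEMBERS):
        print(f"{cn}: {old:#x} -> {new:#x} {decode_uac(new)}")
    print("never-expire accounts:", audit_never_expire(SAMPLE_MEMBERS))
```

The `svc-backup` record shows why decoding the whole mask matters: it is disabled and has PASSWD_NOTREQD set as well as DONT_EXPIRE_PASSWD, which a script that only tests one bit would never surface.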

  • #2
    Re: Help with AD Script for setting password never expires

    Well, to start with, does it give you any errors?



    • #3
      Re: Help with AD Script for setting password never expires

      Sorry, guess that would help; I was being rushed into a meeting.

      In its current state, it gives me this error:

      Line:6
      Char:1
      Type Mismatch: '[string: ","]'
      Last edited by Managor; 4th October 2010, 17:49.



      • #4
        Re: Help with AD Script for setting password never expires

        Looks like you could be using the wrong speech marks etc. in the wrong place, at first glance (I'm not a great scripter though).



        • #5
          Re: Help with AD Script for setting password never expires

          So I changed to this code:

          Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

          Set objUser = GetObject _
          ("LDAP://cn=pls.com,ou=TS Users,dc=pls,dc=com")
          intUAC = objUser.Get("userAccountControl")

          If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
          Wscript.Echo "Already enabled"
          Else
          objUser.Put "userAccountControl", intUAC XOR _
          ADS_UF_DONT_EXPIRE_PASSWD
          objUser.SetInfo
          WScript.Echo "Password never expires is now enabled"
          End If
          Line:3
          Char:1
          No such object on the server.

          This is driving me bonkers.
          Last edited by Managor; 4th October 2010, 21:47.



          • #6
            Re: Help with AD Script for setting password never expires

            You've split lines 3 and 4, so it's getting confused.
            You should have combined both (without the _) to give
            Set objUser = GetObject ("LDAP://cn=pls.com,ou=TS Users,dc=pls,dc=com")
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland




            • #7
              Re: Help with AD Script for setting password never expires

              So I think I've got the CN part wrong; the path of the group I want to change is
              pls.com/pls/TS Users/

              This is my current code:

              Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

              Set objUser = GetObject ("LDAP://cn=pls,ou=TS Users,dc=pls,dc=com")
              intUAC = objUser.Get("userAccountControl")

              If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
              Wscript.Echo "Already enabled"
              Else
              objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
              objUser.SetInfo
              WScript.Echo "Password never expires is now enabled"
              End If

              Something I also just thought about: I want to make it so they can't change their passwords either.
              Last edited by Managor; 5th October 2010, 16:09.



              • #8
                Re: Help with AD Script for setting password never expires

                Originally posted by Managor
                So I think I've got the CN part wrong, the path of the group I want to change is
                Code:
                pls.com/pls/TS Users/
                If "TS Users" is the name of a group, and that group is in the "pls" Organizational Unit, then the LDAP ADsPath should be:
                Code:
                Set objGroup = GetObject("LDAP://cn=TS Users,ou=pls,dc=pls,dc=com")
                Note that the object is of type Group (not User). To get to the users who are members of the group, enumerate the members of this group.

                Code:
                '-----------------------------------------------------------------------
                ' This script enables ADS_UF_DONT_EXPIRE_PASSWD
                ' also enables ADS_UF_PASSWD_CANT_CHANGE
                ' for users who are a direct member of the group 'TS Users'
                '-----------------------------------------------------------------------
                
                Const ADS_UF_DONT_EXPIRE_PASSWD           = &h10000
                Const CHANGE_PASSWORD_GUID                = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
                Const ADS_RIGHT_DS_CONTROL_ACCESS         = &H100
                ' Const ADS_ACETYPE_ACCESS_DENIED         = &H1
                ' Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
                Const ADS_ACETYPE_ACCESS_DENIED_OBJECT    = &H6
                Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT     = &H1
                
                Dim oACESelf, oACEEveryone : Call CreateACEs  ' what can be used for enabling ADS_UF_PASSWD_CANT_CHANGE
                
                Set objGroup = GetObject("LDAP://cn=TS Users,ou=pls,dc=pls,dc=com")
                
                For each objMember in objGroup.Members
                   objMember.GetInfo
                   If objMember.sAMAccountType = 805306368 Then
                
                ''''''''''''''''''''''''''''''''''''''''''''''''''''''
                     intUAC = objMember.Get("userAccountControl")
                
                     If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
                       Wscript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD was enabled"
                       rem '# Disable ADS_UF_DONT_EXPIRE_PASSWD
                       rem objMember.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
                       rem objMember.SetInfo
                       rem Wscript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD is now disabled"
                
                     Else
                       WScript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD was disabled"
                       '# Enable ADS_UF_DONT_EXPIRE_PASSWD
                       objMember.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
                       objMember.SetInfo
                       Wscript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD is now enabled"
                     End If 
                
                ''''''''''''''''''''''''''''''''''''''''''''''''''''''
                     Set objSD = objMember.Get("nTSecurityDescriptor")
                     Set objDACL = objSD.DiscretionaryAcl
                
                     '--- Determine whether or not ADS_UF_PASSWD_CANT_CHANGE is enabled
                     blnACEPresent = False   ' reset per member, otherwise a hit on one user carries over to the next
                     For Each Ace In objDACL
                       If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
                         (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                           blnACEPresent = True
                       End If
                     Next
                
                     If blnACEPresent Then
                       Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE was enabled"
                       rem '# Disable ADS_UF_PASSWD_CANT_CHANGE
                       rem arrTrustees = Array("nt authority\self", "everyone")
                       rem For Each strTrustee In Array("nt authority\self", "everyone")
                       rem     For Each ace In objDACL
                       rem       If(LCase(ace.Trustee) = strTrustee) Then
                       rem         If((ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
                       rem           (LCase(ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                       rem             objDACL.RemoveAce ace
                       rem         End If
                       rem       End If
                       rem     Next
                       rem Next
                       rem objMember.Put "nTSecurityDescriptor", objSD
                       rem objMember.SetInfo
                       rem Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE is now disabled"
                
                     Else
                       Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE was disabled"
                       '# Enable ADS_UF_PASSWD_CANT_CHANGE
                       '--- Get this object's Security Descriptor
                       Set oSecDescriptor = objMember.Get("ntSecurityDescriptor")
                                                                                 
                       '--- Get the Discretionary ACL ---
                       Set oDACL = oSecDescriptor.DiscretionaryAcl
                                                                                 
                       '-- Add our new ACEs and replace DACL---
                       oDACL.AddAce oACESelf
                       oDACL.AddAce oACEEveryone
                                                                                 
                       ' -- Put the Security Descriptor back on the object --
                       objMember.Put "ntSecurityDescriptor", oSecDescriptor
                       objMember.SetInfo
                       Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE is now enabled"
                     End If
                ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
                
                   End If
                Next
                
                wscript.quit
                
                
                Sub CreateACEs  ' Will be used for enabling ADS_UF_PASSWD_CANT_CHANGE
                 ' WARNING: The sample code does not reorder the Access Control Entries (ACEs).
                 '    The programmer must set the correct order of ACEs in a security
                 '    descriptor. Correct order, known as "canonicalization of the ACL,"
                 '    requires (among other things) that all "deny" ACEs are listed before
                 '    all "allow" ACEs in the ACL.
                 '    http://support.microsoft.com/kb/301287
                
                   Set oACESelf = CreateObject("AccessControlEntry")
                   Set oACEEveryone = CreateObject("AccessControlEntry")
                                                                                                
                   '-- Create the Access Control Entry for Self---
                   oACESelf.Trustee = "NT AUTHORITY\SELF"
                   oACESelf.AceFlags = 0
                   oACESelf.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
                   oACESelf.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
                   oACESelf.ObjectType = CHANGE_PASSWORD_GUID
                   oACESelf.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
                                                                                 
                   ' --- Create the Access Control Entry for Everyone---
                   oACEEveryone.Trustee = "EVERYONE"
                   oACEEveryone.AceFlags = 0
                   oACEEveryone.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
                   oACEEveryone.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
                   oACEEveryone.ObjectType = CHANGE_PASSWORD_GUID
                   oACEEveryone.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
                End Sub
                \Rems

                This posting is provided "AS IS" with no warranties, and confers no rights.

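Two pieces of the answer above, as an added Python example that is not Rems's code and not from this thread: converting the canonical path the poster had ("pls.com/pls/TS Users/") into the distinguished name Rems gave, and checking a DACL for the deny ACEs that implement "user cannot change password". The GUID and ACE constants are the ones in Rems's script; attribute types in a DN are case-insensitive, so `CN=`/`OU=` here match his `cn=`/`ou=`. The list of well-known CN containers and the sample DACL are assumptions and constructed data, and the ACE records model only the AccessControlEntry fields the script sets. The RDN escaping and the deny-before-allow ordering go a little beyond the thread: the first stops a name containing a comma from producing a different DN, the second addresses the KB warning in Rems's comment.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constants as used in Rems's script
CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6
ADS_ACEFLAG_OBJECT_TYPE_PRESENT = 0x1

# Assumed list: default AD containers are CN= objects, not OUs.
DEFAULT_CONTAINERS = {"users", "computers", "builtin", "system", "foreignsecurityprincipals"}


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a CN such as 'Smith, John' cannot split or inject into the DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def canonical_to_dn(canonical: str, leaf_attr: str = "CN") -> str:
    """'domain/container/.../leaf' -> 'leaf RDN,...,DC=...'. Intermediate names become
    OU= unless they are a well-known container; the leaf is CN= (a group or user)
    unless leaf_attr says otherwise. Trailing slashes are ignored."""
    domain, *parts = canonical.strip().strip("/").split("/")
    dc = [f"DC={escape_rdn_value(label)}" for label in domain.split(".")]
    rdns = []
    for i, part in enumerate(parts):
        if i == len(parts) - 1:
            attr = leaf_attr
        elif part.lower() in DEFAULT_CONTAINERS:
            attr = "CN"
        else:
            attr = "OU"
        rdns.append(f"{attr}={escape_rdn_value(part)}")
    return ",".join(rdns[::-1] + dc)


@dataclass(frozen=True)
class Ace:
    """The AccessControlEntry fields Rems's CreateACEs sets."""
    trustee: str
    ace_type: int
    object_type: str | None
    access_mask: int
    flags: int = 0


REQUIRED_TRUSTEES = ("NT AUTHORITY\\SELF", "EVERYONE")


def deny_change_password_ace(trustee: str) -> Ace:
    """The same ACE CreateACEs builds: deny the User-Change-Password control right."""
    return Ace(trustee, ADS_ACETYPE_ACCESS_DENIED_OBJECT, CHANGE_PASSWORD_GUID,
               ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACEFLAG_OBJECT_TYPE_PRESENT)


def _denies_change_password(ace: Ace) -> bool:
    return (ace.ace_type == ADS_ACETYPE_ACCESS_DENIED_OBJECT
            and (ace.object_type or "").lower() == CHANGE_PASSWORD_GUID
            and bool(ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS))


def cannot_change_password(dacl: list[Ace]) -> bool:
    """True when the change-password right is denied to both SELF and Everyone,
    which is what the ADUC checkbox writes. Rems's loop accepts any single deny
    ACE for the GUID; this is the stricter check."""
    denied = {a.trustee.lower() for a in dacl if _denies_change_password(a)}
    return all(t.lower() in denied for t in REQUIRED_TRUSTEES)


def ensure_cannot_change_password(dacl: list[Ace]) -> list[Ace]:
    """Return a DACL with any missing deny ACEs placed before the existing entries,
    so deny precedes allow (canonical order). Idempotent."""
    denied = {a.trustee.lower() for a in dacl if _denies_change_password(a)}
    new = [deny_change_password_ace(t) for t in REQUIRED_TRUSTEES if t.lower() not in denied]
    return new + list(dacl)


# Constructed sample: a user whose DACL still allows self-service password change.
SAMPLE_DACL = [
    Ace("EVERYONE", ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, CHANGE_PASSWORD_GUID,
        ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACEFLAG_OBJECT_TYPE_PRESENT),
    Ace("NT AUTHORITY\\SELF", ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, CHANGE_PASSWORD_GUID,
        ADS_RIGHT_DS_CONTROL_ACCESS, ADS_ACEFLAG_OBJECT_TYPE_PRESENT),
]

if __name__ == "__main__":
    print(canonical_to_dn("pls.com/pls/TS Users/"))
    print("before:", cannot_change_password(SAMPLE_DACL))
    print("after: ", cannot_change_password(ensure_cannot_change_password(SAMPLE_DACL)))
```

Because an allow ACE for Everyone is left in place, the deny entries must sit in front of it for the deny to win; that ordering is the part the ADSI `AddAce` call in the script does not do for you.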



                • #9
                  Re: Help with AD Script for setting password never expires

                  Rems, you're amazing.
