change password… without knowing current


This topic contains 12 replies, has 3 voices, and was last updated by plawlor 7 years, 4 months ago.

    plawlor
    Member
    #157623

    Hi,

    Working for the University, and I work in a certain department… we get lots and lots of students saying they've lost their password, or forgotten it, or whatever else.

    Students have two accounts, a campus wide account, and then our department account.

    So currently, I have 3 Domain Controllers, two 2k3 and one 2k8, with a 2k3 being FSMO.
    Students log in to Novell servers on the campus.
    Students log in to Active Directory in our department.

    My idea, if it is possible to do, is….
    BTW, they have the same username on both campus and departmental machines.

    So, they log in to their campus account on the machine, then I want this machine to load up something that will allow them to change their current password without them even knowing it…

    This is because we get about 10 students every week.

    But, we want them to log in to a machine; the machine loads a script, web page or something that allows them to change their Active Directory password without them knowing their current password.

    So does something like this exist, or can it be implemented?

    Many thanks

    Rems
    Moderator
    #228127

    Re: change password… without knowing current

    Any solution like this implies that everyone can change others' passwords too and can access their private data; are you sure that is what you want?

    To give users 'Reset Password' permissions you should edit the permissions on the user objects: ADD the reset password permissions to SELF (http://forums.petri.com/showthread.php?p=244480#post244480)

    /Rems

    plawlor
    Member
    #249774

    Re: change password… without knowing current

    Well, we only want them to change their own password, but without them knowing what the current password is.

    Ok,

    Students on campus (the university) have an account such as 'acp11abc'; they also have an account, 'acp11abc', in our AD in our department.

    This machine has campus login, so students log in with their campus account first, and the machine says "OK, you're acp11abc, you can now change your AD password for acp11abc".

    And it only allows that user to change their own account's password, without knowing their AD password.

    So basically, it is secure

    Rems
    Moderator
    #228130

    Re: change password… without knowing current

    Instead of giving the students permission to reset their own password, delegate control to a newly created group in AD. Allow this group "Reset passwords" for all user accounts in an OU (remove the "and force password change at next logon" permission manually afterwards).

    Create a new dedicated user account and make it a member of the group.
    Use the credentials of this account to authenticate with a DC (server bind with alternate credentials); then this account resets the password of the user in AD that has the same logon name as the currently logged-on user.

    I can help writing a vbs script. The vbs script will be saved locally on the computer(s) and run as a user logon script.

    The script can either ask the user to enter a new password (but this could give problems if the entered password does not match the password policies of the domain), or the script generates a complex password and the user does not know this password. The choice depends on what the user would like to do in the domain.
    If it is just for accessing a file server in the domain I would choose the latter; then the script binds to the file server using the credentials of the student. It can map a drive.

    Note! The credentials of the account that connects via ADO will be visible in plain text in the script.

    /Rems

    plawlor
    Member
    #249775

    Re: change password… without knowing current

    OK, I'd be so happy if you can help me with this.
    I don't know anything about vbs.

    I do have password policies enabled,
    8 characters+
    and complexity

    The students log in to Windows 7, Linux, web servers, and file servers, which all authenticate to the AD…

    But for that, we only want the user to log in to the 'campus' machine, the vbs script to reset his/her password, and then log out of the machine… then the user will start using his/her new password on the normal departmental machines, which include Windows 7, Linux, web servers, file servers… etc.; they all authenticate to the Windows AD.

    many thanks for this

    Rems
    Moderator
    #228131

    Re: change password… without knowing current

    OK,
    it is going to be a script that I cannot test completely from here. But I am positive it will work, and also run on Windows computers that are not members of the domain but are able to find a specified DC over the network in the other domain.

    Firstly you should create a new security group in AD (i.e. ALLOW_RESET_USER_PASSWORDS).
    After that, right-click on the OU where the objects of the targeted users are housed
    and select Delegate Control.
    Add the group you just created to delegate control to.
    Next, check the task "Reset user passwords and force password change at next logon".
    Click Next/Finish to complete.

    IMPORTANT!: "force password change at next logon" is what you actually do not want to happen, therefore:
    Right-click the same OU again and select Properties.
    (Make sure the view 'Advanced Features' was checked in advance.)
    In the Properties window of the OU go to the tab "Security"
    and click the "Advanced" button.
    Notice that the group you just added is listed twice in the list.
    Edit the one entry that gives this group Read and Write "pwdLastSet" permissions. You should at least untick "Write pwdLastSet" (you can untick both).
    So… the group should just be given the permission to Reset passwords; that is what
    is being done with the other entry.
    And it must be disallowed to change the pwdLastSet attribute; that is what you just took care of.
    Finally create a dedicated new user account; its credentials will be hard-coded in the script. The credentials will be used for making the connection to AD and resetting the user's password when the script is started.
    Make this new account a member of the group you created earlier.

    I will post the script when it is finished. Because vbs scripts are plain text files and the credentials of the dedicated account are required to be coded in the script, I am currently playing with the code to make it less obvious that alternate credentials are actually used in there. Additionally I would also like to hide the credentials in one string that is converted to hexadecimal (optionally it would be possible to store the hexadecimal string, containing the credentials, locally in the registry instead of in the script itself). Finally it is recommended to encode the entire script using Windows Script Encoder, or to compile it to an exe file.
    I should mention that scripts actually should never contain credentials of a powerful account. If a user finds out credentials were coded somewhere in the script, and really wants to discover them, I am sure s/he will be successful in the end.

    /Rems
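Added example, not from the thread or its attachment: the delegation that the two posts above describe (group with "Reset passwords" on the OU, minus the Write pwdLastSet permission the wizard's combined task also grants, plus the dedicated account that the script binds as), done in PowerShell instead of the Delegate Control wizard. It assumes the RSAT ActiveDirectory module, an account allowed to edit the OU's ACL, and placeholder names for the OU, the service account and its OU; the group name is the one used in the thread, the GUIDs are the fixed AD values for the Reset Password right, the pwdLastSet attribute and the user class.

```powershell
# Added example: delegate ONLY the "Reset Password" control-access right on user
# objects under one OU, then verify no Write pwdLastSet ACE is present.
# Placeholders: $ou, $svcOu, $svcName. Group name as in the thread.
Import-Module ActiveDirectory

$ou        = 'OU=Students,DC=domain,DC=local'          # placeholder: OU holding the students
$svcOu     = 'OU=Service Accounts,DC=domain,DC=local'  # placeholder: keep the svc account OUT of $ou
$groupName = 'ALLOW_RESET_USER_PASSWORDS'              # group name from the thread
$svcName   = 'svc-pwreset'                             # placeholder: account the script binds as

# Schema / control-access-right GUIDs; these are the same in every AD forest.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -Path $svcOu | Out-Null
}
$group = Get-ADGroup $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# One ACE: Allow <group> ExtendedRight(Reset Password), inherited by descendant user objects.
$acl = Get-Acl -Path "AD:\$ou"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: the group must hold no WriteProperty on pwdLastSet on this OU. That ACE is what
# allows forcing "must change password at next logon", which the thread removes by hand
# after running the wizard; here it is removed if it is ever found.
$acl   = Get-Acl -Path "AD:\$ou"
$extra = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$groupName" -and
    $_.ObjectType -eq $pwdLastSetAttr -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
})
foreach ($rule in $extra) {
    Write-Warning "Removing Write pwdLastSet for $groupName (left over from the wizard)"
    $acl.RemoveAccessRuleSpecific($rule)
}
if ($extra.Count -gt 0) { Set-Acl -Path "AD:\$ou" -AclObject $acl }

# Dedicated account, used only by the reset script and only through this group.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu -Enabled $true `
        -AccountPassword (Read-Host -AsSecureString "Password for $svcName") `
        -PasswordNeverExpires $true -CannotChangePassword $true
}
Add-ADGroupMember -Identity $groupName -Members $svcName

# Show what the group now holds on the OU so the result can be checked by eye:
# expected is a single ExtendedRight ACE with ObjectType = Reset Password, InheritedObjectType = user.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The same single ACE can be granted from a command prompt with dsacls ("CA" is a control-access right, /I:S applies it to sub-objects only): dsacls "OU=Students,DC=domain,DC=local" /I:S /G "DOMAIN\ALLOW_RESET_USER_PASSWORDS:CA;Reset Password;user". Either way the service account is placed outside the OU it has rights over, so the reset right cannot be used to reset the service account itself.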

    Ossian
    Moderator
    #186053

    Re: change password… without knowing current

    Just wondering….
    The students LOG INTO their campus machine…. then they say they have LOST their password (paraphrase of original post).

    Sounds as if user education is more important than a "solution" that will just encourage laziness!

    Rems
    Moderator
    #228135

    Re: change password… without knowing current

    Here is the script (attached as a txt file to this post, because it'd be too long if I pasted it here. After download change the extension to .vbs).

    Please read the prerequisites for delegation of the reset password task and further notes here: http://forums.petri.com/showpost.php?p=253170&postcount=6

    The script is using alternate credentials to authenticate with a defined domain controller in the defined domain.
    (It is making a 'server bind' to use ADO, as explained here http://www.rlmueller.net/ADOAltCredentials.htm)

    Mind the Const STRINGS = 0 at the beginning of the file!
    It should have the value zero when running the script for the first time. On the first run it will ask you for the domain name, username and password of the dedicated account that has permissions to reset passwords. The script then returns a code line.
    Copy the line and replace the current line Const STRINGS = 0 with the new line.
    After that the script is ready to use. It is better though to encode, or even better to encrypt or compile the vbs file to an exe (not by creating a simple self-extracting, self-installing exe file of course). (Additionally it is possible to use NTFS Alternate Data Streams to hide the entire file from the file system and protect the content this way even more.)

    Users can execute the script via a shortcut or launcher, or it can run as logon script.

    After the first run, you could clean up some functions from the script if you like.

    /Rems

    plawlor
    Member
    #249776

    Re: change password… without knowing current

    Many thanks Rems,

    Currently, I get an error:
    Windows Script Host
    Error Code: 1A8 (424)
    Object Required, Microsoft VBScript runtime error.

    So I am not sure if I got the domain name, server name, correct.
    But I just thought, it won't actually work because of different VLANs, and the 'domain' won't be seen on campus; it only works within our department's network, although I probably can get a 'campus' machine to work within our department's VLAN that will authenticate to the campus network, but that's another step.

    But I do have another solution to solve this:
    by not using a campus machine, but rather using a web page.

    SSL; they log in to one of our department web pages that authenticates them against the campus servers, then something on the web page says 'you're abc, here's a list of things you can do', i.e. 'reset password'.

    But that would be using CGI, Perl, or something, so no code will be seen, as it's on the backend.

    Will get the vbs to work anyway; any help on the error code though?

    Many thanks

    Rems
    Moderator
    #228136

    Re: change password… without knowing current

    plawlor;253369 wrote:
    Many thanks Rems,

    Currently, I get an error:
    Windows Script Host
    Error Code: 1A8 (424)
    Object Required, Microsoft VBScript runtime error.

    So I am not sure if I got the domain name, server name, correct.

    Will get the vbs to work anyway; any help on the error code though?

    Many thanks

    The campus computer should be able to contact the DC of course. Is the DC pingable from the campus PC?
    If you copied the script and only changed the DN of the domain and the IP or name of the DC, then the error most likely indicates the specified DC cannot be found, or there is a typo in the DN of the domain.

    /Rems

    plawlor
    Member
    #249777

    Re: change password… without knowing current

    I can ping DC.dcs.name.xx.uk
    Can't ping DC.DOMAIN.dcs.name.xx.uk
    on the campus machine.

    I can ping DC.dcs.name.xx.uk
    and DC.DOMAIN.dcs.name.xx.uk
    on a machine on the same VLAN.

    But I am actually trying the script on the same VLAN before putting it on the campus machine, which is where I am getting the error from.

    I now have a different error; can't remember what I changed to get this error, but I do remember installing the Script Encoder on the machine after I got that first error.

    Error Code: 46 (70)
    Permission denied, Microsoft VBScript runtime error

    Also, is it possible to make the script display the username?

    Rems
    Moderator
    #228137

    Re: change password… without knowing current

    Make sure the name of the DC can be resolved on the campus network. And if there is no routing configured between both networks then of course you can't run the script from a campus machine. If there is, then you might also have to create a static route on the DC that defines a path to the other network.

    plawlor;253423 wrote:
    also is it possible to make the script to display the username ?

    Sure, by replacing the first part of the script (all the code above the line of quote characters, that is) with:

    Code:
    ' Important, prepare the script first with: Const STRINGS = 0
    ' see post: http://forums.petri.com/showthread.php?p=253233#post253233

    ' Author: Remco Simons (NL, 2012)

    ' Note.. Be careful, this sample script is using the name of the currently
    ' logged-on user to find the object in another AD that has the same NT-name.

    ' Edit the correct values below:
    ' ! Specify name or ip address of a domain controller in the (remote) domain
    ' ! Specify the distinguished name of the (remote) domain
    ' The helpers arrSTRINGS, generatePassword and Quit are in the lower part of the
    ' attached script (below the line of quote characters) and are not repeated here.

    Option Explicit
    Const STRINGS = 0
    Const MIN_PW_Length = 8

    Dim strDNSDomain, strServer, WshNetwork, CurrentUser, randomPW
    Dim oRE, strPassword, next1, next2

    ' Specify the distinguished name of the domain.
    strDNSDomain = "dc=domain,dc=LOCAL"

    ' Specify name or ip of a Domain Controller.
    strServer = "192.168.10.11"

    ' Retrieve login name of the current user.
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    CurrentUser = WshNetwork.UserName

    Rem ---------
    ' JUST for testing purposes, the name of a test user is hard coded. It overwrites the name of the current user.
    CurrentUser = "mytestaccount"
    ' ~(remove these lines after testing)~
    Rem ---------

    Sub askUserToEnterNewPassword
        Dim x
        ' Ask the user to enter a new password or to accept the suggested one
        Do
            strPassword = Trim(InputBox(vbNewLine _
                & "Enter a password" & vbNewLine _
                & "(or you can accept the suggested password below)", _
                "Reset the password of " & CurrentUser & " in AD", randomPW))
            If Len(strPassword) = 0 Then
                x = MsgBox(vbNewLine & vbNewLine & _
                    "Do you want to end without changing your password?", _
                    4 + 256 + 32 + 4096, "Quit Yes/No")
                If x = vbYes Then WScript.Quit
            ElseIf Len(strPassword) < MIN_PW_Length Then
                WScript.Echo "The minimum required number of characters for the password is " & MIN_PW_Length
            Else
                Exit Do
            End If
        Loop
    End Sub

    Sub UserAllowedToChangePassword
        Const ADS_SECURE_AUTHENTICATION = &H1
        Const ADS_SERVER_BIND = &H200

        Dim s : s = arrSTRINGS   ' decoded alternate credentials: s(1) = user, s(2) = password
        Dim adoRecordset, adoCommand, adoConnection, strQuery
        Dim strBase, strFilter, strAttributes, objUser, strDN

        On Error Resume Next

        ' Use ADO to search Active Directory with the alternate credentials (server bind).
        Set adoCommand = CreateObject("ADODB.Command")
        Set adoConnection = CreateObject("ADODB.Connection")
        adoConnection.Provider = "ADsDSOObject"
        adoConnection.Properties(next1) = s(1)
        adoConnection.Properties(next2) = s(2)
        adoConnection.Properties("Encrypt Password") = True
        adoConnection.Properties("ADSI Flag") = ADS_SERVER_BIND _
            Or ADS_SECURE_AUTHENTICATION
        adoConnection.Open "Active Directory Provider"
        ' Without this check a failed bind only shows up later as "Object required" (424).
        If Err.Number <> 0 Then
            WScript.Echo "Cannot bind to " & strServer & ": " & Err.Description
            WScript.Quit 1
        End If
        Set adoCommand.ActiveConnection = adoConnection

        ' Search the entire domain, via the specified DC.
        strBase = "<LDAP://" & strServer & "/" & strDNSDomain & ">"

        ' Search for the user with the same logon name as the current user.
        strFilter = "(&(objectCategory=person)(objectClass=user)" _
            & "(sAMAccountName=" & CurrentUser & "))"

        ' Comma delimited list of attribute values to retrieve.
        strAttributes = "distinguishedName"

        ' Construct the LDAP query.
        strQuery = strBase & ";" & strFilter & ";" _
            & strAttributes & ";subtree"

        ' Run the query.
        adoCommand.CommandText = strQuery
        adoCommand.Properties("Page Size") = 100
        adoCommand.Properties("Timeout") = 30
        adoCommand.Properties("Cache Results") = False
        Set adoRecordset = adoCommand.Execute
        If Err.Number <> 0 Then
            WScript.Echo "Query failed (check strDNSDomain): " & Err.Description
            WScript.Quit 1
        End If

        ' Enumerate the resulting recordset.
        Do Until adoRecordset.EOF
            ' Retrieve values.
            strDN = adoRecordset.Fields("distinguishedName").Value

            Set objUser = GetObject("LDAP:").OpenDSObject("LDAP://" & strServer _
                & "/" & strDN, s(1), s(2), ADS_SECURE_AUTHENTICATION)

            Do : Err.Clear
                If strPassword = "" Then askUserToEnterNewPassword

                ' SetPassword is a reset: it needs the Reset Password right, not the old password.
                objUser.SetPassword strPassword
                If Err.Number = 0 Then
                    Exit Do
                ElseIf Err.Number = -2147022651 Then
                    WScript.Echo "Error code: " & Hex(-2147022651) & vbNewLine _
                        & "The password does not meet the password complexity requirements."
                Else
                    ' Any other error (e.g. 70, Permission denied) will not go away by
                    ' retrying with another password, so stop asking.
                    WScript.Echo "Error code:", Hex(Err.Number), _
                        "(" & Err.Number & ")" & vbNewLine _
                        & Err.Description, Err.Source
                    Exit Do
                End If
                strPassword = Empty
            Loop

            Set objUser = Nothing

            adoRecordset.MoveNext
        Loop

        ' Clean up.
        adoRecordset.Close
        adoConnection.Close

        WScript.Quit
    End Sub

    Set oRE = New RegExp
    oRE.Pattern = "." : oRE.Global = True
    next1 = "User ID" : next2 = "Password"
    If Left(STRINGS, 2) = "0x" Then
        randomPW = generatePassword(MIN_PW_Length)
        askUserToEnterNewPassword
        UserAllowedToChangePassword
    Else
        Quit   ' first run: prints the prepared "Const STRINGS = 0x..." line to paste in
    End If

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    plawlor;253423 wrote:
    I am actually trying the script on the same VLAN before putting it on the campus machine, which is where I am getting the error from.

    I now have a different error; can't remember what I changed to get this error, but I do remember installing the Script Encoder on the machine after I got that first error.

    Error Code: 46 (70)
    Permission denied, Microsoft VBScript runtime error

    The error indicates that the special account does not have permission to change the password of the current user in AD. Check whether or not the current user is in the correct OU, and re-check the delegation of control on this OU. Otherwise make sure the script is still using the alternate credentials; maybe you have changed something in that part of the script.

    /Rems
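Added example, not the thread's attachment and not Rems's code: the same flow as the vbs script above in PowerShell, so the two failure modes discussed in this thread (the bind/lookup error and the password-policy rejection) are handled explicitly. It takes the current logon name, looks up the account with the same sAMAccountName in the department domain, and resets that password with the dedicated account's credentials; the student never supplies the old one. Assumptions, none of them from the thread: the RSAT ActiveDirectory module on the machine, the DC reachable on TCP 9389 (ADWS), the placeholder $dc and $studentOu values, and the dedicated account being a member of ALLOW_RESET_USER_PASSWORDS with the delegation described earlier.

```powershell
# Added example: reset the AD password of the account matching the current logon name,
# using alternate (dedicated-account) credentials. Placeholders: $dc, $studentOu.
Import-Module ActiveDirectory

$dc        = 'dc.domain.local'                   # placeholder: DC in the department domain
$studentOu = 'OU=Students,DC=domain,DC=local'    # placeholder: OU the reset right was delegated on
$minLength = 8                                   # thread: 8+ characters and complexity
# The thread hides the dedicated account's credentials as a hex string inside the script;
# hex is an encoding, not protection. Prompting here keeps the secret out of the file.
$resetCred = Get-Credential -Message 'Dedicated password-reset account'

function New-RandomPassword {
    param([int]$Length = 12)
    # One character from each class first so the default complexity rule is met, then
    # random classes up to $Length. CSPRNG bytes; the small modulo bias is accepted here.
    $sets = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!$%&*?@#')
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $b    = New-Object byte[] 1
    $chars = @()
    foreach ($s in $sets) { $rng.GetBytes($b); $chars += $s[$b[0] % $s.Length] }
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($b); $s = $sets[$b[0] % $sets.Count]
        $rng.GetBytes($b); $chars += $s[$b[0] % $s.Length]
    }
    # Shuffle so the class order is not predictable
    -join ($chars | Sort-Object { $rng.GetBytes($b); $b[0] })
}

function Reset-DepartmentPassword {
    # Thread: the campus logon name equals the department sAMAccountName.
    param([string]$LogonName = $env:USERNAME)

    # -Identity accepts a sAMAccountName and avoids building an LDAP filter from user input.
    try {
        $user = Get-ADUser -Identity $LogonName -Server $dc -Credential $resetCred -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        throw "No account named '$LogonName' in the department domain."
    }
    if ($user.DistinguishedName -notlike "*,$studentOu") {
        # Outside the delegated OU the reset would fail with access denied anyway;
        # this is the vbs script's "Permission denied" (70) case made explicit.
        throw "'$LogonName' is outside $studentOu; the reset right was not delegated there."
    }

    $done = $false
    do {
        $new = Read-Host -Prompt "New password for $($user.SamAccountName) (Enter to accept a generated one)"
        if ([string]::IsNullOrEmpty($new)) {
            $new = New-RandomPassword
            Write-Host "Generated password: $new"
        }
        if ($new.Length -lt $minLength) { Write-Host "Minimum length is $minLength."; continue }

        try {
            # -Reset needs only the delegated Reset Password right, not the old password.
            # Deliberately NOT followed by Set-ADUser -ChangePasswordAtLogon $true: that is
            # the pwdLastSet write the thread removes from the delegation.
            Set-ADAccountPassword -Identity $user -Server $dc -Credential $resetCred -Reset `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force) -ErrorAction Stop
            $done = $true
        } catch [Microsoft.ActiveDirectory.Management.ADPasswordComplexityException] {
            # Same condition the vbs script reports as error 0x800708C5
            Write-Host 'The password does not meet the domain password policy; try another.'
        }
    } until ($done)
    Write-Host "Password for $($user.SamAccountName) was reset."
}

Reset-DepartmentPassword
```

Whatever the language, the dedicated account's credentials remain the weak point: anyone who recovers them can reset every password in that OU, so the account should hold nothing beyond membership in the reset group, live outside the OU it controls, and its activity should be watched on the domain controllers (security event 4724, "An attempt was made to reset an account's password", filtered on that account). Running the reset behind a web page on the department's own server, as plawlor proposes in this thread, moves the credential off the campus machines entirely, which is the real improvement over obfuscating it in a client-side script.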

    plawlor
    Member
    #249778

    Re: change password… without knowing current

    Hi

    Apologies for not getting back sooner, been rather busy with other stuff.
    I have not been able to find some free time for this script, but hopefully in the next few weeks.
