Modifying AD account properties
Last Post 17 Jan 2008 12:21 PM by Brandon Shell [MVP]. 9 Replies.
yefimovah (New Member, 24 posts), 16 Jan 2008 01:40 PM

    Hi,

    I've run into a problem. I'm currently creating a self-help web page that will allow specific users (Team Managers) within my company, non-IT folks, to be able to unlock and reset accounts for their team members. When my test user runs my script below, they have success in unlocking the accounts and changing the password; however, the below block of code doesn't appear to work in my script. An error is displayed saying that access to run the SetInfo() is denied.

    $UserObject = (Get-QADUser $SelectedUser).dn
    $ObjUser = [ADSI]"LDAP://$UserObject"
    $ObjUser.Put("pwdLastSet", 0)
    $ObjUser.setInfo()

    I've supplied the whole script below to see it in context. This script will be called by non-IT admin folks; can someone help me out please?

    ----------------------------------------------------------------------------------------------------------------------------------

    # Unlock user account using ResetAccount.ps1 -SelectedUser stringvalue
    param ([string]$SelectedUser)

    Add-PSSnapin Quest.ActiveRoles.ADManagement
    # The Quest cmdlets bind with this fixed account; the [ADSI] block further down still binds with the caller's own token
    $pw = ConvertTo-SecureString "password" -asplaintext -force
    Connect-QADService -Service "dc01.ham.co.nz:389" -ConnectionAccount "Domain\User" -ConnectionPassword $pw
    $strCNName = (Get-QADUser $SelectedUser).UserPrincipalName
    Unlock-QADUser $strCNName
    Set-QADUser $SelectedUser -UserPassword "PASSWORD"
    # Force password to be changed at next logon (pwdLastSet = 0)
    $UserObject = (Get-QADUser $SelectedUser).dn
    $ObjUser = [ADSI]"LDAP://$UserObject"
    $ObjUser.Put("pwdLastSet", 0)
    $ObjUser.setInfo()
    Disconnect-QADService

    Brandon Shell [MVP] (Basic Member, 396 posts), 16 Jan 2008 01:49 PM
    I am certain not everyone is going to have write permission on that property.

    Have you delegated control of that attribute?
    Brandon Shell
    ----------------
    Microsoft Powershell MVP
    https://mvp.support.microsoft.com/profile/Brandon
    Blog: http://www.bsonposh.com
    yefimovah (New Member, 24 posts), 16 Jan 2008 01:54 PM

    I've not gone down the road of delegating that attribute. Would like to somehow run that block of code with elevated privileges if possible.

    Brandon Shell [MVP] (Basic Member, 396 posts), 16 Jan 2008 01:57 PM
    You can elevate, but you're going to have to store creds in a file or something like that.
    yefimovah (New Member, 24 posts), 16 Jan 2008 02:00 PM
    Brandon,

    Can you please show me how to do that? I'm assuming that I can hide the file and it'll still work, correct?

    thanks

    Anatoli
    Brandon Shell [MVP] (Basic Member, 396 posts), 16 Jan 2008 02:32 PM
    what you have to do is use ConvertTo-SecureString and ConvertFrom-SecureString or you can use

    I don't have anything ready for you now, but you have a few options

    1) wait till tonight (will try to write something and blog it)
    2) wait to see if someone else has a solution for you
    3) play with these CMDLets and see what you can get going.

    If you decide to do this yourself... some words of wisdom
    1) You want to use a -Key for ConvertTo and ConvertFrom. The default uses syskey
    i.e. $key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
    PS> ConvertFrom-SecureString $pass -Key $key
    2) Use ConvertFrom-SecureString to put in a file and ConvertTo-SecureString to convert back to SecureString.
    3) you can use Read-Host -AsSecureString to get the SecureString

    Brandon Shell [MVP] (Basic Member, 396 posts), 16 Jan 2008 02:39 PM
    Here is an example. Please don't use this key :) it's from the help file

    $PasswordforFile = Read-Host -AsSecureString
    $key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
    ConvertFrom-SecureString -SecureString $PasswordforFile -Key $key | Out-File C:\temp\SecurePasswordfile

    $SecureTextFromFile = Get-Content C:\temp\SecurePasswordfile
    $password = ConvertTo-SecureString $SecureTextFromFile -Key $key

    # to see what you wrote use this function
    function GetSecurePass ($SecurePassword) {
        $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($SecurePassword)
        $password = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
        $password
    }

    GetSecurePass $password
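    Putting Brandon's two posts together (the -Key advice and the ConvertFrom/ConvertTo example above), here is an added example, not from the thread or from Brandon's blog, of what the elevated block of the reset script could look like: a one-time -Setup run that writes a random key and the encrypted service-account password to two files, and the runtime path that rebuilds the credential and binds to AD as that account instead of as the calling Team Manager. The service account HAM\svc-pwreset, the C:\ResetTool paths and the function names are assumptions; dc01.ham.co.nz is the DC named in the original script.

```powershell
param(
    [string]$SelectedUser,   # sAMAccountName to force a password change for
    [switch]$Setup           # run once, as an admin, to create the key and credential files
)
$KeyFile  = 'C:\ResetTool\aes.key'    # assumed paths
$CredFile = 'C:\ResetTool\svc.cred'
$SvcUser  = 'HAM\svc-pwreset'         # assumed account that has write access to pwdLastSet

function Initialize-ServiceCredential {
    $key = New-Object byte[] 32       # -Key accepts 16, 24 or 32 bytes (AES-128/192/256)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyFile, $key)
    Read-Host "Password for $SvcUser" -AsSecureString |
        ConvertFrom-SecureString -Key $key | Set-Content -Path $CredFile
    # Whoever can read both files can recover the password, so the NTFS ACL on
    # C:\ResetTool (readable only by the web app's identity) is the real secret.
}

function Get-ServiceCredential {
    $key = [System.IO.File]::ReadAllBytes($KeyFile)
    $sec = Get-Content $CredFile | ConvertTo-SecureString -Key $key
    New-Object System.Management.Automation.PSCredential($SvcUser, $sec)
}

function ConvertTo-LdapFilterValue ([string]$Value) {
    # Escape RFC 4515 special characters so the Team Manager's input cannot change the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Set-MustChangePasswordAtLogon ([string]$SamAccountName,
                                        [System.Management.Automation.PSCredential]$Cred) {
    $plain = $Cred.GetNetworkCredential().Password
    # Bind as the service account, not the caller, so SetInfo() is authorised by the service account's ACL
    $root = New-Object System.DirectoryServices.DirectoryEntry('LDAP://dc01.ham.co.nz', $Cred.UserName, $plain)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User '$SamAccountName' not found" }
    $user = New-Object System.DirectoryServices.DirectoryEntry($hit.Path, $Cred.UserName, $plain)
    $user.Put('pwdLastSet', 0)     # 0 = "user must change password at next logon"
    $user.SetInfo()
    $user.Dispose(); $root.Dispose()
}

if ($Setup) { Initialize-ServiceCredential; return }
Set-MustChangePasswordAtLogon -SamAccountName $SelectedUser -Cred (Get-ServiceCredential)
```

    Give the service account only the delegated rights the page needs (unlock, reset password, write pwdLastSet) on the team OUs, so a leaked key file exposes a narrowly scoped account rather than a domain admin.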
    yefimovah (New Member, 24 posts), 16 Jan 2008 02:48 PM

    I'd be happy to wait until tonight.

    regards,

    Anatoli

    Brandon Shell [MVP] (Basic Member, 396 posts), 17 Jan 2008 07:00 AM
    Here is the blog post

    http://bsonposh.com/modules/wordpress/?p=66

    Even though I state it in the blog I want to say it again here... This is really NOT secure. Anyone that has the key can read the password.

    I will probably do a follow-up post that will explain how to do it in a more secure fashion, but that could be a bit. I hope at least this helps you understand the ConvertTo/ConvertFrom-SecureString CMDLets
    Brandon Shell [MVP] (Basic Member, 396 posts), 17 Jan 2008 12:21 PM
    FYI... Jaykul wrote a script to do this a little more securely

    http://powershellcentral.com/scripts/116