
    AD User Tool: Bulk AD User

    IT Discussion
    • gjacobse

      As part of a pending security change - all User accounts will be forced to change their passwords. It's likely they have not been done in more than two years.

      Other than a PS script, which I don't PS... what is the best way to do this? One resource I found mentioned Bulk AD User:

      http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

      Has anyone heard of / used this before?

      And the obvious issue is that you have to exclude SYSTEM accounts so things don't go Bork.

      • DustinB3403

        I'd use powershell . . .

        https://gallery.technet.microsoft.com/scriptcenter/Reset-password-for-all-412fbc72#content

        • gjacobse @DustinB3403

          @DustinB3403 said in AD User Tool: Bulk AD User:

          I'd use powershell . . .

          https://gallery.technet.microsoft.com/scriptcenter/Reset-password-for-all-412fbc72#content

          You did see the part where I don't PS.... right?

          • DustinB3403 @gjacobse

            @gjacobse said in AD User Tool: Bulk AD User:

            @DustinB3403 said in AD User Tool: Bulk AD User:

            I'd use powershell . . .

            https://gallery.technet.microsoft.com/scriptcenter/Reset-password-for-all-412fbc72#content

            You did see the part where I don't PS.... right?

            Of course I did, but everything is written out on that site. It'd be super simple to do this.

            • gjacobse

              For those that PS here is what I think I need to do for the actual reset command. I have two OUs

              Set-OSCADAccountPassword -OrganizationUnti "NYusers" "VAusers" -Password "somepasswordhardstring" -CSVPath "c:\report\result.csv"
              
              • coliver

                Let me get to a computer. This is a two line ps script that can be knocked out in a few minutes. If you're doing Windows administration you really should be learning powershell. Nothing else really grants you the same... Power as it does for Windows.

                • Deleted74295 Banned @gjacobse

                  @gjacobse said

                  Other than a PS script - which I don't PS,

                  Then you are 10 years behind everyone else.

                  1.0 came out November 2006. - With additional versions MS and many vendors have been encouraging its usage. It's such a powerful tool, even if you just learn the basic cmds so you can understand what -get does, you can look up commands online.

                  • dbeato

                    Well, I am assuming you have set up a password expiration policy? If so, it will be as easy as selecting all the users in AD through RSAT and making sure their "password never expires" check box is not checked. They should be prompted to change it the next time they try to log in on the computers.

                    • joelbarlow40

                      You can try the following command

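                      # Specify the OU.
                      $OU = [ADSI]"LDAP://ou=West,dc=MyDomain,dc=com"

                      # Enumerate all objects in the OU.
                      $arrChildren = $OU.psbase.Children
                      ForEach ($User In $arrChildren)
                      {
                          # Only consider user objects (SchemaClassName is the .NET DirectoryEntry property).
                          If ($User.psbase.SchemaClassName -eq "user")
                          {
                              # Set password. Single quotes stop PowerShell expanding $w0rd as a variable.
                              $User.Invoke("SetPassword", 'pAs$w0rd')
                              # Expire the password so it must be changed at next logon.
                              $User.pwdLastSet = 0
                              $User.SetInfo()
                          }
                      }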

                      Also, you can check the following link for more details.

                      https://technet.microsoft.com/en-us/library/ee617195.aspx

                      • Dashrender @dbeato

                        @dbeato said in AD User Tool: Bulk AD User:

                        Well, I am assuming you have set up a password expiration policy? If so, it will be as easy as selecting all the users in AD through RSAT and making sure their "password never expires" check box is not checked. They should be prompted to change it the next time they try to log in on the computers.

                        Why is this an assumption? Frequent forced password changes actually defeat security more often than help it. I suppose you could have a yearly change requirement, but is that even needed if you are using otherwise good passwords?

                        NIST recently rewrote their password recommendations getting rid of the change suggestion and password complexity components. Sadly I don't think they recommended long enough passwords - 8 characters.
                        http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

                        • JackCPickup

                          Any reason you can't bulk select in AD and tick the option to force change on next logon? Are there just that many different OUs that it'd take ages?

                          • dbeato @Dashrender

                            @Dashrender If there is no password expiration policy, unchecking "password never expires" will not have much effect as far as I remember. I usually set up a password change GPO based on HIPAA guidelines.

                            • Dashrender @dbeato

                              @dbeato said in AD User Tool: Bulk AD User:

                              @Dashrender If there is no password expiration policy, unchecking "password never expires" will not have much effect as far as I remember. I usually set up a password change GPO based on HIPAA guidelines.

                              Sure, but so what? He wants to force a change now.

                              • dbeato @Dashrender

                                @Dashrender Then, he needs to force it with PowerShell, not just a GUI....

                                • Dashrender @dbeato

                                  @dbeato said in AD User Tool: Bulk AD User:

                                  @Dashrender Then, he needs to force it with PowerShell, not just a GUI....

                                  Agreed.

                                  1 Reply Last reply Reply Quote 0
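
Added example, not code from any poster in this thread: one way to force a change at next logon across the two OUs mentioned above without setting a shared password, while skipping accounts that look like service accounts. It uses the ActiveDirectory module from RSAT; the distinguished names, the example.com domain and the rule for spotting service accounts (password never expires, or an SPN is registered) are assumptions to adapt.

```powershell
# Added example. OU paths and the exclusion rule are assumptions, not values from the thread.
Import-Module ActiveDirectory

$searchBases = @(
    'OU=NYusers,DC=example,DC=com',   # placeholder DN for the first OU
    'OU=VAusers,DC=example,DC=com'    # placeholder DN for the second OU
)
$reportPath = 'C:\report\result.csv'  # report path used earlier in the thread

# Collect enabled user accounts under both OUs, with the attributes needed to triage them.
$candidates = foreach ($base in $searchBases) {
    Get-ADUser -SearchBase $base -SearchScope Subtree -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalNames
}

# Treat "password never expires" or a registered SPN as a sign of a service account.
# Set-ADUser also refuses -ChangePasswordAtLogon $true on PasswordNeverExpires accounts.
$report = foreach ($user in $candidates) {
    $isService = $user.PasswordNeverExpires -or ($user.ServicePrincipalNames.Count -gt 0)

    if (-not $isService) {
        # -WhatIf only prints what would change; remove it after reviewing the report.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -WhatIf
    }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        PasswordLastSet   = $user.PasswordLastSet
        Action            = if ($isService) { 'Skipped (review manually)' } else { 'ChangePasswordAtLogon' }
    }
}

# Keep a record of what was flagged and what was skipped for follow-up.
$report | Export-Csv -Path $reportPath -NoTypeInformation
```

Skipped accounts still carry their old passwords, so the CSV doubles as the list of service credentials to rotate by hand.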