How do I change passwords of all users? 1

Status
Not open for further replies.

kiv

Instructor
Jan 22, 2003
Please help, I need to change the passwords of all users simultaneously. I'm not sure how I go about this.
Reason:
The students are taking an exam using their PCs.
After students have completed exams, we want to change all their passwords so that students cannot log on later to change their exams.

Thanks
 
If I am not mistaken, the resetting of passwords cannot be done on a mass basis, only one by one. Unless there is a script out there that would be able to do something like this.
 
I'm not aware of a way to do AD accounts en masse short of some really fancy VB scripting.

You CAN do local accounts on PCs en masse via login script (user or machine).

But you've piqued my interest and I'm off to find a method!

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
"...we want to change all their passwords so that students cannot logon later to change their exams."

Sounds like you want to disable the user accounts, not change the password. This you can do in bulk; you can also set up the accounts to automatically expire at a certain time.
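
What the bulk disable or timed expiry suggested in this reply can look like with the ActiveDirectory PowerShell module, as an added example that is not part of the original thread. The OU path is the one from the batch file posted later in the thread; the function names and the two-hour expiry are assumptions made for illustration.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT)
# and rights to modify accounts in the OU.
Import-Module ActiveDirectory

$examOu = 'ou=exam,ou=students,ou=hsg users,dc=hsg,dc=local'   # OU from the thread

function Get-ExamAccount {
    # User objects directly inside the exam OU only, not in sibling or child OUs.
    Get-ADUser -Filter * -SearchBase $examOu -SearchScope OneLevel -Properties AccountExpirationDate
}

function Lock-ExamAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When given, accounts stay enabled until this time instead of being disabled now.
        [datetime]$ExpireAt
    )
    foreach ($user in Get-ExamAccount) {
        if ($PSBoundParameters.ContainsKey('ExpireAt')) {
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "expire at $ExpireAt")) {
                Set-ADAccountExpiration -Identity $user -DateTime $ExpireAt
            }
        } elseif ($PSCmdlet.ShouldProcess($user.SamAccountName, 'disable')) {
            Disable-ADAccount -Identity $user
        }
    }
}

# Preview which accounts would be touched, then run without -WhatIf.
Lock-ExamAccount -WhatIf
# Lock-ExamAccount                                    # disable immediately after the exam
# Lock-ExamAccount -ExpireAt (Get-Date).AddHours(2)   # constructed value: expire in two hours
# Get-ExamAccount | Select-Object SamAccountName, Enabled, AccountExpirationDate
```

Disabling or expiring an account blocks new logons; a student who is still logged on keeps that session until it ends.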
 
Good call nsantin.

Now that can be done on a mass basis.

Maybe he has a situation where he is constantly shuffling one student group in, then the next, and so on. I think he wants to be able to shuffle a group in, give them the password to logon, then after they finish change the logon password to something else for the next batch.

Of course I'm just assuming, and you know what they say about assumptions... You'll make an ass and the ump will shun you.

 
Thanks for all your replies. I've found a simple solution using a batch file. Here it is:

@echo off
rem Turn command echo off so the dsmod lines (and the password) are not printed.
@Echo Exam User Password Change Utility
@Echo.
@Echo ...................................................................
@Echo.
@Echo.
@Echo.
@Echo.
@Echo.
rem Prompt once for the password that will be set on every exam account.
@set /p Pword= Enter the new password:

rem The password is quoted so that spaces and special characters are passed intact.
dsmod user "cn=User01,ou=exam,ou=students,ou=hsg users,dc=hsg,dc=local" -pwd "%Pword%"
dsmod user "cn=User02,ou=exam,ou=students,ou=hsg users,dc=hsg,dc=local" -pwd "%Pword%"
dsmod user "cn=User03,ou=exam,ou=students,ou=hsg users,dc=hsg,dc=local" -pwd "%Pword%"
dsmod user "cn=User04,ou=exam,ou=students,ou=hsg users,dc=hsg,dc=local" -pwd "%Pword%"

 
Create a text file called ulist.txt and have one student login per line. Save that file in the same location as this script. Execute while logged in as admin.

You need to customize the script. You have the option of forcing the user to change password on next login (after you tell them their new temporary password) or keeping the password. I advise forcing the change so that all passwords are not the same.

Code:
'==========================================================================
'
' NAME: ResetPasswordFromList.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 3/4/2005
'
' COMMENT: reads a list of users and resets the passwords.
'
'==========================================================================
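'Errors are checked per user below and reported, rather than silently ignored
On Error Resume Next
Dim oFSO, oTextStream, UserList, oUser, userName, userDN
Dim objUser, newpass, changenextlogin, lngFlag
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

newpass = "NewPasswordHere"
'Require User to change password at next logon? Y Or N
changenextlogin = "Y"

'open the file system object
Set oFSO = CreateObject("Scripting.FileSystemObject")
'open the data file
Set oTextStream = oFSO.OpenTextFile("ulist.txt")
'make an array from the data file
UserList = Split(oTextStream.ReadAll, vbNewLine)
'close the data file
oTextStream.Close

For Each oUser In UserList
	userName = Trim(oUser)
	'skip blank lines, such as a trailing newline at the end of the list
	If userName <> "" Then
		Err.Clear
		Set objUser = Nothing
		userDN = ""
		userDN = SearchDistinguishedName(userName)
		If userDN = "" Then
			WScript.Echo "Not found: " & userName
		Else
			'bind to the account; Set needs an object, not just the ADsPath string
			Set objUser = GetObject("LDAP://" & userDN)
			objUser.SetPassword newpass
			If changenextlogin <> "N" Then
				objUser.Put "PwdLastSet", 0
			End If
			objUser.SetInfo
			'clear "password never expires" if it is set
			lngFlag = objUser.Get("userAccountControl")
			If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
				lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
				objUser.Put "userAccountControl", lngFlag
				objUser.SetInfo
			End If
			If Err.Number <> 0 Then
				WScript.Echo "Failed for " & userName & ": " & Err.Description
			End If
		End If
	End If
Next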


Public Function SearchDistinguishedName(ByVal vSAN)
    ' Function:     SearchDistinguishedName
    ' Description:  Searches the DistinguishedName for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The DistinguishedName Name
    ' Thanks to Tek-Tips user Kob3 for this function.
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute

    On Error Resume Next
    SearchDistinguishedName = oRecordSet.Fields("DistinguishedName")
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

I hope you find this post helpful.

Regards,

Mark
 
Cool stuff, Mark -

I have a question - how would we tie this to a single OU? Two reasons why I ask:
1. testing. I'd like to run this against a test OU
2. scalability. I'd like to only run this against a specific OU when needed.

Thanks!

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Just feed the script the names of users from the OU in question.

The reason I have this use a user list is to ensure that resource accounts or accounts used for services don't get the password reset automatically.

I hope you find this post helpful.

Regards,

Mark
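
A list-driven reset that is tied to a single OU, as asked above, written as an added example with the ActiveDirectory PowerShell module rather than the thread's VBScript (it is not Mark's code). It goes slightly beyond the posted script by escaping each list entry before it is placed in the LDAP filter; the OU path comes from the batch file earlier in the thread, and the function names are assumptions made for illustration.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$searchBase = 'ou=exam,ou=students,ou=hsg users,dc=hsg,dc=local'  # OU from the thread
$listFile   = '.\ulist.txt'                                        # one login per line

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping of \ * ( ) and NUL, so a list entry cannot change the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.Contains([string]$c) -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function Reset-ListedPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][System.Security.SecureString]$NewPassword)

    foreach ($line in Get-Content -Path $listFile) {
        $name = $line.Trim()
        if (-not $name) { continue }    # skip blank lines
        $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f
            (ConvertTo-LdapFilterValue $name)
        # Listed names that live outside the chosen OU never match and are skipped.
        $found = @(Get-ADUser -LDAPFilter $filter -SearchBase $searchBase -SearchScope Subtree)
        if ($found.Count -ne 1) {
            Write-Warning "Skipped '$name': $($found.Count) matches under $searchBase"
            continue
        }
        $user = $found[0]
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'reset password')) {
            try {
                Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword -ErrorAction Stop
                Set-ADUser -Identity $user -PasswordNeverExpires $false -ErrorAction Stop
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
                "Reset $($user.SamAccountName)"
            } catch {
                Write-Warning "Failed for '$name': $($_.Exception.Message)"
            }
        }
    }
}

# Preview against the test OU first; drop -WhatIf to apply.
Reset-ListedPassword -NewPassword (Read-Host 'New temporary password' -AsSecureString) -WhatIf
```

Every skipped or failed name is written as a warning, so a run that changes nothing still reports the reason for each entry.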
 
Mark -

I'm pretty green when it comes to vbs. What format do I list the users in the .txt file? I'm using just the account name, such as 'test1', but that doesn't seem to work.

Thanks!

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
The list would be in the form of
Code:
User1
User2
User3
etc...

If you're having trouble make sure that the user list is in the same folder as the script and that you are logged in with administrative rights.

If you continue to have trouble, try changing this line
Code:
">;(&(objectCategory=User)(samAccountName=" & vSAN &
to this...
Code:
">;(&(objectClass=User)(samAccountName=" & vSAN &

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
If I may have my 2 pennies: a while back in a post there was a program mentioned, "limit login" from Microsoft. Type it in Google and you will find the link.

You say you want to mass change passwords for students. I have my students in OUs; if you select all the accounts in the OU you wish to change and right-click Properties, on the options in limit login is a button to change the passwords. It can be used en masse.

Would this help instead of a script, even though it is a good script :)

Stand up wherever you are, go to the nearest window and yell as loud as you can, 'I'm mad as hell, and I'm not going to take it anymore.'
 
Okay - I tried it with the line changed and I'm still not getting anything.

Test environment: 1 Windows 2003 Enterprise Server w/ SP1. Client is XP Pro SP2. Script is running via a TS session to the server while logged in as the domain admin. OU contains three users: test1, test2, and test3. Text file is in the same folder as the script, and contains (pasted from file):
test1
test2
test3

I run the script, and it doesn't report any problems, yet the password is not changed, and the "user must change password at next logon" box is not checked (assuming it should be based on the changenextlogin = "Y" parameter). I don't see any errors in the event logs.

BTW - schtek - I did look into that, but that's not what I'm really after.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Pat, are you logged onto the server when running this? Are you logged on with Admin rights?

You may have a wrapping problem from your copy paste. Check that. Try changing this:

oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"

to this (as 1 long line of code):
oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"

I hope you find this post helpful.

Regards,

Mark
 
That didn't work, as it gives me an error. I sent you an email about it.

Thanks

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 