User account properties

[davetherave100]

Wonder if anyone can help
Is there any way to edit the properties of a group of users in an OU...i need to;
a) Reset all their passwords to a default one at times
b) Change their profile paths
c) Change their home directory location paths

This applies to 4000 users so individual changes make my fingers a bit tired


Thanks in advance

 

[waynemaples]

Dave

there is never a reason to set passwords to a common or default one. I suspect that is why no one answered.
If you have admin privileges on the OU, use group policies. -Wayne
ContentMaster
Tips for NT/W2K/XP Admins and Users
Penetration Testing Tips for Admins

http://is-it-true.org

 

[davetherave100]

Well i know what you mean with the 'no reason', but for us it has been handy to do that at times.
We have about 4000 student accounts, all is fine till the summer break and then come september all the students arrive back...of course they have forgot their passwords......for us it was simpler to reset all the passwords to a default one for a clean start. Some users could guess a log on if they wanted to and log in with the default password but it wouldnt really gain them much, so we could live with that.
So what about profile path....if we need to move all the profiles or home directories for some reason..no more highlight all users, right click and properties \\server\%username%...it seems i have to now go into each account and edit manually?

 

[walshy]

You will have to charge $10 to reset the passwords, then no matter how much beer and sex they have had they will remember.

Also I wouldn't like my password reset just because the star quarterback can't remember his password.

 

[waynemaples]

Dave,

You have just given me an example of a legitimate environment where one "must" reset passwords back to a default. You can use various scripting languages to reset passwords if you have admin privileges. There are APIs for this in VB. I prefer Perl.

There are resource kit utilities that can be automated to change passwords also.

-Wayne -Wayne
ContentMaster
Tips for NT/W2K/XP Admins and Users
Penetration Testing Tips for Admins

http://is-it-true.org

 

[davetherave100]

Thanks for that...i'm not well up on the VB so ill have a look at the utilities, it just seemed strange how you could do it in NT4, but not now.

So profile paths and home directory locations again could be scripted?

Dave

 

[hankins1984]

you can use nt4 user manager tio reset all the password,we use it all the time Matthew Hankins

Network Technicain @ DGI Hereford

 

[SnoopDog]

If you have the windows 2000 resource kit, you will find a script named "modifyusers.vbs". This cscript allows you to change various attributes on users, one of which is the password. Having never used it for this purpose, I just tested it, and it works perfectly. The syntax is as follows.

Cscript ModifyUsers.vbs LDAP://OU=test,DC=Mydomain,DC=com password:NewPassword /all

Description: If you have not set the default script to Cscript, then you need to put that on your command line first. The ADSpath that follows Modifyusers.vbs can drill down as far as needed, just get the syntax correct. In my example, the test OU is at the first level, and my domain is mydomain.com. ADSI edit is shortcut to getting it perfect the first time. The next item is the attribute or attributes one is changing. In this case I am only changing the users passwords in the OU to all be Newpassword. The /all switch causes it to change all user passwords in the OU. One more note, I am assumming you are running with privleges on the OU to change the passwords. I usually run as administrator. The script will allow you to put a user name and password in the command line to use if you do not have privleges with the logged on account. I have never tried it that way. The help file for this that shippes with the resource kit is rscrpts.chm. It does not appear by default.

 

[davetherave100]

Thanks for your help above
One other thing...does anyone know how i can put share and security permissions onto folders from a script or something?...at present i am manually sharing folders of the 4000 users who have a home directory.
All i have is a csv file with the home directory folder names, which is the same name as the users who need to share it.
Created the folders no problem, but as to sharing and security permissions, ive no idea how to do that in an automated way.
Any help here would be MUCH appreciated!

Dave

 

[hankins1984]

There is a DOS Commad "" cacls. This changes the file security permissions. Just go to a command prompt and type

CACLS /?

That should give you all the help you need,if not i will help you out. Matthew Hankins

Network Technicain @ DGI Hereford

 

[davetherave100]

Thanks very much for that...the only other part is to put a share with rights on the folder first?
Im assuming that the users home directory does need to be a network share.
Some say 'everyone' full control on the share permissions and then file permissions to restrict access.
We have in the past put admins to full control, user to change on the share permissions and file security permissions.
Do you think that is not needed?
We like our users not to be able to see into the other users folders.
So if there is a command to share folders that would be of great help.

Thanks Matthew

 

[hankins1984]

aslong as the file permisions are set to the correct level then the share levels do not matter,the file permisions override the share permisions. If you want i have a script that makes users,adds shares and set permisions,you can have it and edit it to set the shares and the permisions if you want? Matthew Hankins

Network Technicain @ DGI Hereford

 

[davetherave100]

Yes that would be great thanks
Could you send to dave_the_rave100@hotmail.com ?
Ive just been playing and found what you said about the file and share permissions.
So the only tiny problem there is now is how do you bypass the 'yes, no' question on the file permissions cacls command for a batch change, and how do you batch share a folder to 'share ' as the folder name?

Thanks again

 

[hankins1984]

the command is for example:

cacls c:\docs\username /e /r everyone /g username:f

thats is for a batch script,there is no prompting.

then @the end of the batch script add

calcs c:\docs\* /e /g administrator:f

If you email me a list of all you users and where you store the files, eg: c:\ d:\, d:\docs c:\docs,etc.
I will make you the script.

My email is mhankins@dgihereford.co.uk

cheers Matthew Hankins

Network Technicain @ DGI Hereford

 

[davetherave100]

Thanks for the offer Matthew, but youve done enough on my problem!, time for me to work.
I think i should be fine with that..i hadnt got /E, i was using cacls d:\userdata /p user:c admin:f
I gues it was because i was replacing security and not editing the reason why i had the prompt.

Saved me loads of time!
Thanks

 

[mannion]

Hi,

Rather Late advice but I see Hankins has told you to use calcs which is old you should use xcalcs made for windows 2000, found on the windows 2000 resource kit, or if you go to

http://www.microsoft.com/downloads/release.asp?ReleaseID=38806&area=search&ordinal=12

you can download it from here!!

Hope This helps

James Mannion
Network Administrator
Mannion@whitecross.hereford.sch.uk

 

[hankins1984]

Mannion as alwasy you are late in,your network would be ppants if i didnt call round all the time,lol Matthew Hankins

Network Technicain @ DGI Hereford

 

[davetherave100]

Well im gratefull to you both
So go on then which one of you knows how to assign shares to a folder from some sort of command?

 

[hankins1984]

i do,would u like 2 know Matthew Hankins

Network Technicain @ DGI Hereford

 

[davetherave100]

very much so...