Discussion:
User management in AD
MarcusB
2010-03-05 11:43:50 UTC
I need a simple script for our secretary for resetting passwords and account
expiration.
She does not belong to the Account Operators group, therefore I need the script
to be run as another user with rights to change user passwords etc.
The user and password could be encoded in the script.
Is there any ready script? It would be nice if the script checked whether the
account exists and allowed resetting the password by typing it two
times (to avoid mistakes).

Does any of you already have such a vbs script?

Regards
Raff
Al Dunbar
2010-03-06 01:17:09 UTC
Embedding the credentials of a member of the account operator group in a
script is more of a risk than giving the secretary exclusive use of an
operator account created for her and making her accountable for its use.

If a password were to be changed by your script, you would not have any idea
who actually made the change. And even if the password was not stored in
plain text, its presence would be a liability.

/Al
MarcusB
2010-03-08 14:03:01 UTC
I do not think it is a bigger risk to embed credentials in the
script. I am encrypting the whole script and you cannot read its contents,
and to start the script she/he has to know the password, because the script
also asks for a password before running.

How to embed credentials to be able to run objUser.SetInfo? How to make the
script understand that it is a different user than the user running the
script?

MarcusB
Al Dunbar
2010-03-09 02:52:33 UTC
Post by MarcusB
I do not think it is a bigger risk to embed credentials in the
script. I am encrypting the whole script and you cannot read its contents
If you are encrypting with screnc.exe that will certainly make it difficult
to read - but NOT impossible for a determined hacker to decrypt it. Read the
first paragraph here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
Post by MarcusB
and to start the script she/he has to know the password, because the script
also asks for a password before running.
What password does it ask for? If it is a password hardcoded in the script,
the determined hacker will know it. If it is the password of the privileged
account you are using, why not just have your user run the script with
runas...
Post by MarcusB
How to embed credentials to be able to run objUser.SetInfo? How to make the
script understand that it is a different user than the user running the
script?
If the user has to input a password anyway, the simplest would be to have
the user run the script with runas. Easiest would be to have a batch file
build the runas command - the only input from the user would then be the
password of the account being run as.
MarcusB
2010-03-10 09:38:09 UTC
What I want is that the script will be run by a person who does not have
"Administrator Account" rights. I will give that person a login and
password with such rights. I want the script to ask for login and
password and then run with these credentials. How to do it?
I do not need to include the login and password in the script if it is
such a big risk according to you.

MarcusB
Al Dunbar
2010-03-11 01:23:58 UTC
Post by MarcusB
What I want is that the script will be run by a person who does not have
"Administrator Account" rights. I will give that person a login and
password with such rights.
Just so we are clear, if you give a person who does not have administrator
rights the account name and password of an account that has administrator
rights (or just account manager rights) then they do have administrator
rights.

If you give a user a sufficiently privileged account name and password for
the purpose of running a script such as you are looking for, and, if you do
not want that person to logon to that account interactively, you will have
to do something to prevent that account from logging in interactively.
Post by MarcusB
I want the script to ask for login and password and then run with these
credentials. How to do it?
I do not need to include the login and password in the script if it is
such a big risk according to you.
As I said previously, "Easiest would be to have a batch file build the runas
command". Here is an example you might be able to adapt to your needs:

@echo off
rem Ask for the privileged account; runas itself prompts for its password
(set/p adminuser=Enter name of privileged account: )
rem %~dpn0 is this batch file's drive, path and name; runas needs an executable,
rem so hand the .vbs beside it to the script host rather than naming the .vbs alone
runas /user:%adminuser% "wscript.exe \"%~dpn0.vbs\""

If you put the above script in a file called, for example, "setpass.cmd" it
will first ask the user to enter the name of the privileged account to be
used. The runas command will prompt for the password of this account, and,
if entered correctly, will run a script called "setpass.vbs" located in the
same folder under the credentials of the privileged account.

If it does not work as I suggest it should, you might need to try some of
the options of the runas command.

/Al
kj [SBS MVP]
2010-03-23 22:05:11 UTC
Post by MarcusB
What I want is that the script will be run by a person who does not have
"Administrator Account" rights. I will give that person a login and
password with such rights. I want the script to ask for login and
password and then run with these credentials. How to do it?
I do not need to include the login and password in the script if it is
such a big risk according to you.
MarcusB
Create a security group for password resets and delegate the right via the
wizard at the OU level necessary. Then just add the user (secretary) to the
group and be done with it. Her auditable action will show up in the logs and
no need to code anything or any such effort.

Person runs your script under their account and password gets reset
accordingly - just as simple as that.
--
/kj
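A setpass.vbs that Al's batch file could launch, or that the secretary runs under her own account once kj's delegated group exists: an added example written for this thread, not code from any poster. It assumes the caller holds the Reset Password right on the target users' OU (plus write access to pwdLastSet for the forced change); the prompts and messages are constructed.

```vbscript
' setpass.vbs (constructed example): reset one user's password under delegated rights
Option Explicit

Dim objRootDSE, strDefaultNC, strAccount, strFilterName, strPass1, strPass2
Dim objConn, objCmd, objRS, objUser

Set objRootDSE = GetObject("LDAP://RootDSE")
strDefaultNC = objRootDSE.Get("defaultNamingContext")

strAccount = Trim(InputBox("Enter the user's logon name (sAMAccountName):", "Password reset"))
If strAccount = "" Then WScript.Quit 1

' Escape LDAP filter metacharacters so typed input cannot alter the query
strFilterName = Replace(strAccount, "\", "\5c")
strFilterName = Replace(strFilterName, "*", "\2a")
strFilterName = Replace(strFilterName, "(", "\28")
strFilterName = Replace(strFilterName, ")", "\29")

' Check the account exists by searching the whole domain for that logon name
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & strDefaultNC & ">;(&(objectCategory=person)" & _
    "(objectClass=user)(sAMAccountName=" & strFilterName & "));adsPath;subtree"
Set objRS = objCmd.Execute
If objRS.EOF Then
    WScript.Echo "No account named " & strAccount & " was found. Nothing changed."
    WScript.Quit 2
End If
Set objUser = GetObject(objRS.Fields("adsPath").Value)

' Ask for the new password twice and refuse to continue unless both match
' (InputBox echoes what is typed; it has no masked-input mode)
strPass1 = InputBox("Enter the new password for " & strAccount & ":", "Password reset")
strPass2 = InputBox("Retype the new password:", "Password reset")
If strPass1 = "" Or strPass1 <> strPass2 Then
    WScript.Echo "The two entries differ or are empty. Nothing changed."
    WScript.Quit 3
End If

' SetPassword is an administrative reset: AD checks the caller's Reset Password
' right on this object, so the change is attributed to whoever ran the script
objUser.SetPassword strPass1
' Forcing a change at next logon needs write access to pwdLastSet as well
objUser.Put "pwdLastSet", 0
objUser.SetInfo
WScript.Echo "Password reset for " & strAccount & "; user must change it at next logon."
```

Because the reset runs with the caller's own rights, the directory's audit log records the secretary (or the runas account) as the actor, which is the accountability Al and kj were asking for.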