Hack 26 Manage User Accounts in Active Directory


Use these five handy scripts to easily manage domain user accounts.
While the usual way of managing user accounts in Active
Directory is to use the Active Directory Users and Computers (ADUC)
console, that GUI approach to managing accounts can be tedious if
your organization is large and you have many accounts to manage. This
hack provides examples of scripts you can use to simplify things and
speed up common administrative tasks, and I think
you'll find them quite useful. You can even use some
of them to delegate certain tasks to nonadministrators to save you
time and trouble.
To use one of these scripts, type it into Notepad (with Word Wrap turned off) and save it with a .vbs extension. Then type cscript.exe scriptname.vbs from a command prompt, or create a shortcut to the script and double-click the shortcut to run it.
Changing a User's Domain Password
This simple script allows you to
give others the ability to change end
users' passwords without having to install the
administration tools. The script prompts for the domain, username,
and new password, and notifies the user of whether the password
change was successful:
' Keep running after an error so Err.Number can be inspected below
On Error Resume Next
Dim UserName
Dim UserDomain
UserDomain = InputBox("Enter the user's domain:")
UserName = InputBox("Enter the user's login name:")
' Bind to the user through the WinNT ADSI provider
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
Dim NewPassword
NewPassword = InputBox("Enter new password")
' SetPassword resets the password without needing the old one
Call User.SetPassword(NewPassword)
If Err.Number = 0 Then
    Wscript.Echo "The password change was successful."
Else
    Wscript.Echo "The password change failed! " & Err.Description
End If
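The same task with the ActiveDirectory PowerShell module, as an added example that is not part of the original hack. It assumes RSAT (the ActiveDirectory module) is installed and that the person running it has been delegated the "Reset password" right on the target users; the log path is an assumption. Unlike the InputBox in the VBScript, Read-Host -AsSecureString keeps the new password off the screen and out of the command history, and forcing a change at next logon means the helpdesk never holds a working password for the user.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original hack): reset a domain user's password
# with the ActiveDirectory module instead of the WinNT ADSI provider.
# Assumes RSAT is installed and the caller holds the delegated "Reset password"
# right on the target users; no domain admin rights are needed.

function Reset-DomainUserPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $LogPath = "$env:USERPROFILE\password-resets.log"   # assumed log location
    )

    # -AsSecureString: the password is not echoed and never lands in history.
    $newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString

    try {
        # -Reset sets the password without knowing the old one.
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword -ErrorAction Stop

        # A helpdesk-chosen password is only a bridge: make the user pick their
        # own at next logon so nobody else knows a working password.
        Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -ErrorAction Stop

        # Confirm from the directory rather than trusting the absence of an error.
        $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
        "$(Get-Date -Format o) $env:USERNAME reset password for $SamAccountName (PasswordLastSet=$($user.PasswordLastSet))" |
            Add-Content -Path $LogPath
        Write-Host "The password change was successful."
    }
    catch {
        # Typical causes: the password fails domain policy, or rights are missing.
        Write-Host "The password change failed: $($_.Exception.Message)"
    }
}

Reset-DomainUserPassword -SamAccountName (Read-Host -Prompt "Enter the user's login name")
```

The append-only log line records who reset whose password and when; domain controllers also log the reset as a security event, but a local trail makes it easy to spot a helpdesk account resetting passwords it has no business touching.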
Changing User Account Names in Active Directory
Using VBScript, changing a
user's account name in
the Active Directory is a quick process:
' Connect to the domain through the WinNT ADSI provider
Set oDomain = GetObject("WinNT://domainname")
' Bind to the existing user object (class name, then the account name)
Set oUser = oDomain.GetObject("user", "originalusername")
' MoveHere with a new name renames the account in place
oDomain.MoveHere oUser.AdsPath, "newusername"
You just need to connect to the specific domain (the first line), bind to the original user account (the second line), and then rename it using the MoveHere method (the third line). This is a much simpler process than opening up the MMC and either navigating to the username or searching the Active Directory for the account.
A script like this is extremely useful for occasions when names
change due to things like marriage, or when the user just
can't stand the name they were given for logging in.
Customize the script with the appropriate domain name (domainname), the user's old account name (originalusername), and the user's new account name (newusername).
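An added example, not from the original hack, that does the rename with the ActiveDirectory module. The WinNT provider's MoveHere changes only the pre-Windows 2000 logon name (sAMAccountName); in an Active Directory domain the user principal name and the object's CN usually need to follow, otherwise the user ends up with a logon name that no longer matches what they type as user@domain. It assumes RSAT and delegated rights to modify user objects in the user's OU; the function and parameter names are the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original hack): rename a user account so the
# sAMAccountName, UPN and CN all change together.
# Assumes RSAT and delegated write rights on user objects in the target OU.

function Rename-DomainUser {
    param(
        [Parameter(Mandatory)] [string] $OldSamAccountName,
        [Parameter(Mandatory)] [string] $NewSamAccountName,
        [Parameter(Mandatory)] [string] $NewDisplayName,   # e.g. "Jane Jones"
        [string] $UpnSuffix                                  # defaults to the current UPN's suffix
    )

    $user = Get-ADUser -Identity $OldSamAccountName -Properties UserPrincipalName, DisplayName

    # Refuse to rename onto a logon name that already exists; AD would reject the
    # change anyway, but checking first gives a clear message.
    if (Get-ADUser -Filter "SamAccountName -eq '$NewSamAccountName'") {
        throw "SamAccountName '$NewSamAccountName' is already in use."
    }

    if (-not $UpnSuffix) { $UpnSuffix = ($user.UserPrincipalName -split '@')[-1] }

    # Logon names first: these are what authentication actually uses.
    Set-ADUser -Identity $user `
        -SamAccountName $NewSamAccountName `
        -UserPrincipalName "$NewSamAccountName@$UpnSuffix" `
        -DisplayName $NewDisplayName

    # Then the RDN (CN=...), which is what ADUC shows in the OU listing.
    Rename-ADObject -Identity $user.DistinguishedName -NewName $NewDisplayName

    # Return the refreshed object so the caller can verify the result.
    Get-ADUser -Identity $NewSamAccountName -Properties UserPrincipalName, DisplayName
}

# Usage:
# Rename-DomainUser -OldSamAccountName jsmith -NewSamAccountName jjones -NewDisplayName "Jane Jones"
```

A rename never changes the account's SID, so group memberships, file permissions and audit trails keyed on the SID are unaffected; only places that store the old logon name as text (scripts, service configurations, application user tables) need to be updated.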
Unlocking a Windows 2000 Domain Account
Need a quick and easy way to unlock a Windows 2000 domain account?
Use VBScript. The following script prompts for the username, then the
user's domain, and unlocks the specified account:
' Keep running after an error so Err.Number can be inspected below
On Error Resume Next
UserName = InputBox("Enter the user's login name that you want to unlock:")
DomainName = InputBox("Enter the domain name in which the user account exists:")
Set UserObj = GetObject("WinNT://" & DomainName & "/" & UserName & ",user")
' Clear the lockout flag only if it is set, then write the change back
If UserObj.IsAccountLocked Then UserObj.IsAccountLocked = False
UserObj.SetInfo
If Err.Number = 0 Then
    Wscript.Echo "The Account Unlock was Successful"
Else
    Wscript.Echo "The Account Unlock Failed. Check that the account is, " & _
        "in fact, locked-out."
End If
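An added example, not part of the original hack, that unlocks the account with the ActiveDirectory module but first shows why it was locked. A single lockout after a holiday is usually a forgotten password; repeated lockouts of one account point to password guessing or to a stale credential cached on a device or service, and unlocking blindly hides that signal. It assumes RSAT and delegated "Unlock account" rights; querying the PDC emulator is a design choice because it receives every bad-password notification in the domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original hack): inspect lockout details before
# unlocking. Assumes RSAT and delegated "Unlock account" rights on the user.

function Unlock-DomainUserWithContext {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server = (Get-ADDomain).PDCEmulator   # PDCe sees all bad-password attempts
    )

    $user = Get-ADUser -Identity $SamAccountName -Server $Server `
        -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt, LastLogonDate

    if (-not $user.LockedOut) {
        Write-Host "Account $SamAccountName is not locked out; nothing to do."
        return $user
    }

    # lockoutTime is a FILETIME (100-ns ticks since 1601); convert it for display.
    $lockedAt = if ($user.lockoutTime) { [DateTime]::FromFileTime($user.lockoutTime) } else { $null }
    Write-Host ("Locked at {0}; bad password count {1}; last bad attempt {2}; last good logon {3}" -f
        $lockedAt, $user.badPwdCount, $user.LastBadPasswordAttempt, $user.LastLogonDate)

    # Security event 4740 on the PDC emulator names the computer the bad
    # attempts came from, which is what you need for a repeat offender.
    Write-Host "If this account locks again, check event ID 4740 on $Server for the source computer."

    try {
        Unlock-ADAccount -Identity $user -Server $Server -ErrorAction Stop
        Write-Host "The account unlock was successful."
    }
    catch {
        Write-Host "The account unlock failed: $($_.Exception.Message)"
    }
    # Re-read so the caller sees the directory's view, not just the absence of an error.
    Get-ADUser -Identity $SamAccountName -Server $Server -Properties LockedOut
}

Unlock-DomainUserWithContext -SamAccountName (Read-Host -Prompt "Enter the user's login name that you want to unlock")
```

Search-ADAccount -LockedOut lists every currently locked account in the domain, which is the quickest way to notice a burst of lockouts across many users, the pattern a password-spraying attempt leaves behind.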
Disabling a Domain Account
Use this handy VBScript to quickly disable a user
account in the specified domain. This script prompts for the username
and domain and then disables the account you specify:
Dim UserName
Dim UserDomain
UserDomain = InputBox("Enter the user's domain:")
UserName = InputBox("Enter the user's login name:")
' Bind to the user through the WinNT ADSI provider
Set UserObj = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
' Set the disabled flag and write the change back to the domain
UserObj.AccountDisabled = True
UserObj.SetInfo
Set UserObj = Nothing
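An added example, not from the original hack, that disables an account the way an offboarding or incident-response runbook would, rather than only flipping the flag. It assumes RSAT, delegated rights on the user object and on the holding OU, and that a holding OU exists; the DN "OU=Disabled Users,DC=example,DC=com" is a placeholder, as are the function name and log path.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original hack): disable a user account and leave
# a clear record of who did it and why. The holding OU DN is a placeholder.

function Disable-DomainUserAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Reason,             # e.g. ticket number
        [string] $HoldingOU = "OU=Disabled Users,DC=example,DC=com",
        [switch] $RemoveGroups                               # strip memberships too
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf

    # 1. Disable the account. Kerberos tickets already issued to the user stay
    #    valid until they expire (10 hours by default), so disabling alone does
    #    not end sessions that are already open.
    Disable-ADAccount -Identity $user -ErrorAction Stop

    # 2. Record who disabled it and why on the object itself, where anyone
    #    looking at the account later will see it.
    $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) by $($env:USERNAME): $Reason"
    Set-ADUser -Identity $user -Description $stamp

    # 3. Keep the group list for the record; optionally remove the memberships
    #    so an accidental re-enable does not silently restore the old access.
    $groups = $user.MemberOf
    if ($groups) {
        "$SamAccountName groups at disable time: $($groups -join '; ')" |
            Add-Content -Path "$env:USERPROFILE\disabled-accounts.log"
        if ($RemoveGroups) {
            foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
        }
    }

    # 4. Move it to the holding OU so its status is obvious in ADUC and so
    #    group policy and ACLs scoped to the production OUs no longer apply.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $HoldingOU

    Get-ADUser -Identity $SamAccountName -Properties Enabled, Description
}

# Usage:
# Disable-DomainUserAccount -SamAccountName jsmith -Reason "HR ticket 12345, left the company" -RemoveGroups
```

Disabled accounts that keep their group memberships are a common finding in access reviews, because a later "just re-enable it" request restores every old entitlement at once; the log line preserves the list so the groups can be restored deliberately if the person returns.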
Setting the Account to Not Expire
This handy script configures a
user account to not expire. The
script works by setting the expiration date attribute to a past date:
Set objUser = GetObject _
("LDAP://cn=yourcontainer,ou=yourOU,dc=yourDC,dc=com")
objUser.AccountExpirationDate = "01/01/1970"
objUser.SetInfo
To use the script, customize the second line as desired. For example,
if the user account for user Bob Smith resides in the
Sales OU in the mtit.com
domain, this line should be changed to:
("LDAP://cn=Bob Smith,ou=Sales,dc=mtit,dc=com")
Be judicious in deciding which accounts should be set to not expire,
as such accounts could pose a security risk. See [Hack #29] for a quick way to
search for such accounts on your network.
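An added example, not from the original hack, covering both sides of this section with the ActiveDirectory module: clearing an account's expiration, and listing the enabled accounts that already have none so each can be justified. It assumes RSAT and read access to the domain; the function names and the SearchBase value in the usage line are the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original hack): set "never expires" and audit the
# accounts that already have it. Assumes RSAT and read access to the domain.

function Set-DomainUserNeverExpires {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Clears accountExpires, the attribute behind AccountExpirationDate; the
    # module equivalent of the "01/01/1970" assignment in the VBScript.
    Clear-ADAccountExpiration -Identity $SamAccountName
    Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate
}

function Get-NeverExpiringUsers {
    param([string] $SearchBase)   # e.g. "OU=Sales,DC=mtit,DC=com"; whole domain if omitted

    # Single quotes on purpose: $true is part of the AD filter, not a PowerShell variable.
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'AccountExpirationDate', 'PasswordNeverExpires', 'LastLogonDate', 'Description'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # AccountExpirationDate is $null when the account has no expiration set.
    Get-ADUser @params |
        Where-Object { $null -eq $_.AccountExpirationDate } |
        Select-Object SamAccountName, PasswordNeverExpires, LastLogonDate, Description |
        Sort-Object LastLogonDate
}

# Usage: accounts with no expiry, a password that never expires and no recent
# logon are the ones to review first (old service and contractor accounts).
# Get-NeverExpiringUsers -SearchBase "OU=Sales,DC=mtit,DC=com" |
#     Where-Object { $_.PasswordNeverExpires -and $_.LastLogonDate -lt (Get-Date).AddDays(-90) }
```

In most domains ordinary staff accounts have no expiration, so the list will be long; the useful signal is the combination with PasswordNeverExpires and a stale LastLogonDate, which is why the usage line filters on both. For accounts that should be temporary, Set-ADAccountExpiration -Identity <user> -DateTime <date> puts an end date back.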
Rod Trent