[BATCH/CMD] Reset a user's AD password, send email - Automated

[0phoi5]

Hi all,

Here's a nice script, entirely in a batch file, that ;

• Prompts for input of a user's Full Name and Email Address
• Sets their password to a random string of uppercase, lowercase and numerical characters.
• Generates an email to send to them, with their new password.

Notes;

• Length of the password can be set using the line Set _RNDLength=
• Whether user has to reset their password on logging in can be set with -mustchpwd
• Amend OU= and DC= for your own companie's domain.

@echo off

:Start
    endlocal
echo.
echo This script will reset the password for a user, using their Full Name,
echo and then generate the email to be sent to them.
echo.
echo Passwords are automatically set as 10 digits, using lowercase,
echo uppercase and numbers.
echo.
echo.
echo.
    set /p "DisplayName= Full Name : %=%"
echo.
echo.
    set /p "EmailAddress= Email : %=%"
cls

    Setlocal EnableDelayedExpansion
        Set _RNDLength=10
        Set _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
        Set _Str=%_Alphanumeric%987654321
:_LenLoop
    IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop
        SET _tmp=%_Str:~9,1%
        SET /A _Len=_Len+_tmp
        SET _count=0
        SET _RndAlphaNum=
:_loop
        SET /a _count+=1
        SET _RND=%Random%
        SET /A _RND=_RND%%%_Len%
        SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1!
    If !_count! lss %_RNDLength% goto _loop

            dsmod user "CN=%DisplayName%,OU=[OU],DC=[DC],DC=co,DC=uk" -pwd !_RndAlphaNum! -mustchpwd no

IF ERRORLEVEL 0 (
    GOTO SendEmail
) ELSE (
    echo.
    echo Failed.
    echo.
    Pause
    GOTO Start
)

:SendEmail
        start "" "mailto:%EmailAddress%?subject=Password%%20Reset&body=Hello,%%0D%%0A%%0D%%0AYour%%20AD%%20password%%20has%%20been%%20reset%%20to%%20!_RndAlphaNum!%%0D%%0A%%0D%%0AKind Regards,%%0D%%0A%%0D%%0AYour%%20Name"

cls
    GOTO Start

Email generated looks like this;

Hello,

Your AD password has been reset to kD5Xjfd8A6

Kind Regards,

Your Name

This saves me some time at work when we get loads of emails asking for password resets for AD accounts. Takes 30 seconds instead of a few minutes.

Edited January 14, 2016 by haze1434

[Dice]

And how are they going to read that mail; while they need a password reset to access their mail ?

[0phoi5]

And how are they going to read that mail; while they need a password reset to access their mail ?

We have a lot of users that have accounts in different domains / use VPN / use Citrix.

They have multiple email addresses.

We also have users who get emails pushed to mobiles, which I believe doesn't require the same credentials, as it comes directly from an exchange server.

It would be pretty easy to set up another method to send them the password, just amend :SendEmail.

Edited January 14, 2016 by haze1434

[sud0nick]

You should consider using the User Principle Name rather than the Full Name. There are many people within my AD environment that have the same name, middle initial too, and the only way to tell them apart is by the UPN. Why did you choose batch over PowerShell for this script?

[0phoi5]

You should consider using the User Principle Name rather than the Full Name. There are many people within my AD environment that have the same name, middle initial too, and the only way to tell them apart is by the UPN. Why did you choose batch over PowerShell for this script?

Thank you, good point. I'll look in to that and amend the code.

I chose batch as I don't yet know Powershell

[sud0nick]

You should look into PowerShell. It's much easier and far more powerful than batch. I think you'll enjoy it.

[cooper]

Can't you replace the use of the _LenLoop label and associated GOTO with a nice FOR loop?

[0phoi5]

Will update this script soon guys, sorry. Work is hectic, might be off the forum a few days.

[White Light]

Can't you replace the use of the _LenLoop label and associated GOTO with a nice FOR loop?

You can easily do that if you know the reasonable maximum for the length of string (like 512).

@echo off
setlocal enabledelayedexpansion
set /p "in=Input: "
set len=1
set #=%in%
for %%a in (256 128 64 32 16 8 4 2 1) do if not "!#:~%%a!"=="" set /a len+=%%a&set #=!#:~%%a!
echo %in% is %len% chars long.
pause

Though the original length script will take n/9 iterations to get the length, this would always take 9 loops for up to 512 characters.

[velkrosmaak]

Sending a password in clear text is... iffy.

[0phoi5]

Sending a password in clear text is... iffy.

How else would you advise a user of their password, if they are based in another country and don't have access to the Active Directory?

Phone call? Not any safer.

[AlfAlfa]

How else would you advise a user of their password, if they are based in another country and don't have access to the Active Directory?

Phone call? Not any safer.

Send it over SSL wrapped email, and / or send a password reset link rather than just the password. (although someone who receives either could still use both reset types to gain access, so make the password reset step mandatory and they should also be required to enter some information that only they would know!)

This way even if someone that shouldn't gets a hold of the password reset link or temporary password, they still would have to know a secret piece of information that doesn't get sent and that they won't be able to figure out or guess.

[cooper]

Meh. Just make sure this password needs to be changed on next login and you should be fine.

SSL wrapped email implies having client certs which thus far seem to be an excessive burden on most organizations.

[0phoi5]

SSL wrapped email implies having client certs which thus far seem to be an excessive burden on most organizations.

I would guess this.

But then I just work here, so meh. I don't think our India guys have much access to do anything anyway, so it wouldn't cause much of a security problem.