kickarse Posted March 6, 2009

So at work we don't currently have anything set up like GoToMyPC, so when we get a call on the dept. cell phone and someone needs to be unlocked, someone, anyone, has to come in to unlock/reset a user. Today I combined two different scripts to create a quick and dirty remote domain user unlocker via an email into Outlook.

Basically it's comprised of:

1. A rule in Outlook to check for messages that
   A) have a certain subject (whatever you want it to be; the longer the pass phrase the better)
   B) have been sent by a certain address
   C) have an attachment
   D) have been sent to only one address
   E) run a script (described next, called SaveAttachments) against any new email, saving the attachments to a certain location

2. OTM script in Outlook. If you press Alt-F11 in Outlook you will see Outlook's VBA editor. On the left hand side you will see all the defaults and on the right side an area to paste the script. The VBA script is shown below; change the Root variable to a location of your choosing and save the script (Ctrl-S). Change your rule to run this script called SaveAttachments. Make sure you have macro security set to None/Off (I know, I know, don't know a way around it yet).

Sub SaveAttachments(ByRef item As Outlook.MailItem)
    Const Root = "C:\UnlockDomainUsers"   ' Root folder; change it according to your needs
    Dim FName As String                   ' Full path of each attached file
    Dim fs                                ' FileSystemObject, used to check that a file was saved
    Dim CountAttach As Integer            ' Total number of attached files
    Dim I As Integer                      ' Loop counter

    CountAttach = item.Attachments.Count  ' Retrieve the number of attachments
    If CountAttach > 0 Then               ' Only do something when the email has files attached
        Set fs = CreateObject("Scripting.FileSystemObject")
        For I = CountAttach To 1 Step -1  ' Walk from the end to the beginning, since attachments are deleted as we go
            ' Build the full path of the file
            FName = Root & "\" & item.Attachments.Item(I).FileName
            ' Save the file
            item.Attachments.Item(I).SaveAsFile FName
            ' If the file was saved, remove the attachment from the email
            If fs.FileExists(FName) Then
                item.Attachments.Item(I).Delete
            End If
        Next I
        item.Save
    End If
End Sub

3. Next you'll need an AutoIt script. You can download the script editor and compiler from www.autoitscript.com. You will need to change two variables, the ProcessFileLocation (to the location you specified in the Outlook VBA script) and Domain (your domain, duh). Once compiled you keep this script running and it will check the folder you specified for a user.loc file. It will read the user.loc file for a username, unlock the user and log it to a log file.

#include <File.au3>

Global $strInfo
$ProcessFileLocation = "C:\UnlockDomainUsers\user.loc" ; Location of the file to read the user from
$Domain = "YourDomain" ; Your domain
$LogFileLocation = @ScriptDir & "\unlockusers.log" ; Location of the log file to write to
$x = 0 ; Just a variable that will never be attained, so the main loop runs forever

Do
    Do
        Sleep(10000)
    Until FileExists($ProcessFileLocation) ; Sleep 10 seconds at a time until the .loc file shows up
    ToolTip("A user is going to be unlocked", 20, 20, "Email Domain User Unlocker") ; Let the logged in user know what's going on
    $UnlockUser = FileReadLine($ProcessFileLocation, 1) ; Read the username from the first line of the file
    ToolTip("User: " & $Domain & "\" & $UnlockUser & " will be unlocked shortly", 20, 20, "Email Domain User Unlocker")
    _UnlockDomainUsers($UnlockUser, $Domain) ; Unlock the user named in the file
    ToolTip($Domain & "\" & $UnlockUser & " " & $strInfo, 20, 20, "Email Domain User Unlocker")
    _FileWriteLog($LogFileLocation, $Domain & "\" & $UnlockUser & " " & $strInfo) ; Write log information
    Sleep(2000) ; Sleep before deleting the file
    ToolTip("Deleting file " & $ProcessFileLocation, 20, 20, "Email Domain User Unlocker")
    FileDelete($ProcessFileLocation) ; Delete the file so the next incoming email can be processed
Until $x = 1 ; Forever!

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _UnlockDomainUsers($strUser, $strDomain)
    $GetUserInfo = ObjGet("WinNT://" & $strDomain & "/" & $strUser) ; Get the user object through the ADSI WinNT provider
    If $GetUserInfo.IsAccountLocked = 0 Then ; 0 means the account is not locked out
        $strInfo = "-- User is not locked out" ; Return the information
    ElseIf $GetUserInfo.IsAccountLocked = -1 Then ; -1 means the account is locked out
        $GetUserInfo.IsAccountLocked = 0 ; Clear the flag to unlock
        $GetUserInfo.SetInfo() ; Write the change back to the domain
        $strInfo = "-- User has been unlocked" ; Return the information
    EndIf
EndFunc

4. When you send an email to your work email it will need to run against the rules you set in place. The attachment is just a txt file (except with the extension .loc) with the first line being the username you want to unlock. This is what you will send yourself.

User.loc:

MyIdiotUser

That's pretty much it! Remember it runs in the user context. You could actually delegate a domain user account to only do unlocking of accounts if you wanted to: http://support.microsoft.com/kb/279723
Mat Posted March 9, 2009

That's actually pretty cool. It's also another reason not to use Outlook! I'd suggest getting some VPN connections set up for the support staff so they can do this kind of thing directly.
kickarse (Author) Posted March 9, 2009

Of course. I'd never advise doing this IRL without some sort of encryption tunnel. But it just goes to show what you can do with some ingenuity. A proof of concept nonetheless.
cooper Posted March 27, 2009

You shouldn't use the name of the attachment to determine what the file on the local filesystem should be called. Otherwise a malicious admin could use this to overwrite user files. Also, it's nice that you remove the attachment from the email, but couldn't you remove the entire email altogether, just to make sure the user doesn't get a clue and try forwarding these emails to other people in his unit with a forged FROM address?
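The two trust points cooper raises, the attachment name the Outlook macro saves under Root and the username the AutoIt script reads from user.loc, can be checked before anything is written to disk or handed to ADSI. The following is an added example, not code from this thread: a stand-alone Python model of those checks (the function names and the strict username allow-list are mine), which would be ported into the VBA and AutoIt scripts. Neither check helps against the forged FROM address cooper mentions, since the Outlook sender rule filters on a header the sender controls.

```python
"""Input checks for the email-driven unlock workflow in this thread.

Added example, not the thread's code: it models the two inputs the original
scripts trust unchecked, the attachment name the Outlook macro saves under
Root and the first line of user.loc the AutoIt script hands to WinNT://.
"""
import re
from typing import Optional

# The workflow only ever expects one file name; everything else is refused.
EXPECTED_ATTACHMENT = "user.loc"

# Deliberately stricter than AD's own sAMAccountName rules: letters, digits,
# dot, underscore and hyphen only, 1-20 characters, no leading/trailing dot.
_USERNAME_RE = re.compile(r"^(?!\.)[A-Za-z0-9._-]{1,20}(?<!\.)$")

def safe_attachment_name(name: str) -> bool:
    """True only if the attachment is exactly the expected file name.

    Case-insensitive (Windows file systems are), but any path separator or
    drive colon is refused, so '..\\user.loc' and 'C:\\x\\user.loc' fail
    even though they end in the expected name.
    """
    if not name or any(c in name for c in "\\/:"):
        return False
    return name.lower() == EXPECTED_ATTACHMENT

def parse_unlock_request(loc_contents: str) -> Optional[str]:
    """Username from user.loc, or None if it must not be passed to ADSI.

    Mirrors FileReadLine(..., 1): only the first line counts. A domain
    prefix, slashes or anything outside the allow-list drops the request
    instead of trying to repair it.
    """
    candidate = loc_contents.splitlines()[0].strip() if loc_contents.strip() else ""
    return candidate if _USERNAME_RE.fullmatch(candidate) else None

def unlock_target(attachment_name: str, loc_contents: str) -> Optional[str]:
    """Both checks together: the username to unlock, or None to do nothing."""
    if not safe_attachment_name(attachment_name):
        return None
    return parse_unlock_request(loc_contents)

if __name__ == "__main__":
    # Constructed sample inputs, as the Outlook rule would deliver them.
    print(unlock_target("User.loc", "MyIdiotUser\r\n"))         # MyIdiotUser
    print(unlock_target("..\\user.loc", "MyIdiotUser"))          # None
    print(unlock_target("user.loc", "YourDomain\\MyIdiotUser"))  # None
```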