Unlock Domain Users via Email

[kickarse]

So at work we don't currently have anything setup like GoToMyPC so when we get a call on the dept. cell phone and someone needs to be unlocked someone, anyone, has to come in to unlock/reset a user.

Today I combined a two different scripts to create a quick and dirty remote domain user unlocker via an email into outlook.

Basically its comprised of

1. A rule in outlook to check for messages that

A) has a certain subject (whatever you want it to be, the longer the pass phrase the better)

B) has been sent by a certain address

C) has an attachment

D) has been sent to only one address

E) Runs a script (script is described next, called SaveAttachments) against any new email, saving the attachments to a certain location

2. OTM Script in Outlook.

If you press Alt-F11 in Outlook you will see Outlooks VBA editor. On the left hand side you will see all the defaults and on the right side an area to post the script. The VBA script is shown below, change the Root variable to a location of your choosing and save the script (ctrl-s). Change your rule to run this script called SaveAttachments. Make sure you have macro security set to None/Off (I know, I know, don't know a way around it yet)

Sub SaveAttachments(ByRef item As Outlook.MailItem)

   Const Root = "C:\UnlockDomainUsers" ' Root folders structure. Change it according your needs
   
   Dim FName As String 'To store he name whole name of each attached file
   Dim fs 'To manage files
   Dim CountAttach As Integer 'Total number of attached files
   Dim I As Integer 'Tipical counter index

   CountAttach = item.Attachments.count 'Retrive the number of attachments
   
   If CountAttach > 0 Then 'Only do something when the email have files attached
        
        'Check for the folders structure and create if something is missing
        Set fs = CreateObject("Scripting.FileSystemObject")
        
        For I = CountAttach To 1 Step -1 'From the end to the begining to avoid problems
            'Creating the whole name of the file
            FName = Root & "\" & item.Attachments.item(I).FileName
            
            'Saving the file
            item.Attachments.item(I).SaveAsFile (FName)

            'Check if the file was saved and remove from email
            If fs.FileExists(FName) Then
                item.Attachments.item(I).Delete
            End If
        Next I
        
        item.Save
        
   End If
End Sub

3. Next you'll need an AutoIT script. You can download the script editor and compiler from www.autoitscript.com . You will need to change two variables, the Processfilelocation (to the location you specified in the Outlook VBA script) and Domain (your domain, duh). Once compiled you keep this script running and it will check the folder you specified for a user.loc file. It will read the user.loc file for a username and unlock the user and log it to a log file.

#Include <File.au3>

global $strInfo
$ProcessFileLocation = "C:\UnlockDomainUsers\user.loc"; Location path of file to read from user
$Domain = "YourDomain"; Your domain
$LogFileLocation = @ScriptDir & "\unlockusers.log"; Location path of file to write log to

$x = 0; just set a variable that'll never be attained
Do
    Do 
        Sleep(10000)
    Until FileExists($ProcessFileLocation); Sleep every 10 seconds until you come across the .loc file
    
    Tooltip("A user is going to be unlocked",20,20,"Email Domain User Unlocker"); Let logged in user know what's going on
    $UnlockUser = FileReadLine($ProcessFileLocation,1); Read unlock information from file
    
    Tooltip("User: " & $Domain &"\" $UnlockUser & " will be unlocked shortly",20,20,"Email Domain User Unlocker"); Let logged in user know what's going on
    _UnlockDomainUsers($UnlockUser, $Domain); Unlock user in specified file
    
    Tooltip($Domain &"\" $UnlockUser & " " & $strInfo,20,20,"Email Domain User Unlocker"); Let logged in user know what's going on
    _FileWriteLog($LogFileLocation,$Domain &"\" $UnlockUser & " " & $strInfo); Write log information
    
    sleep(2000);sleep before deleting file
    
    Tooltip("Deleting file " & $ProcessFileLocation,20,20,"Email Domain User Unlocker"); Let logged in user know what's going on
    FileDelete($ProcessFileLocation); delete file for next incoming email 

Until $x = 1; forever!

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _UnlockDomainUsers($strUser, $strDomain)
    $GetUserInfo = ObjGet("WinNT://"& $strDomain &"/" & $strUser & ""); Get user information
    If $GetUserInfo.IsAccountLocked = 0 Then; If the value is 0 the user is not locked out
        $strInfo = "-- User is not locked out"; return the information

    Elseif $GetUserInfo.IsAccountLocked = -1 Then; if the value is -1 the user is locked out
        $GetUserInfo.IsAccountLocked = 0; set value to unlock
        $GetUserInfo.Setinfo; update the domain
        $strInfo = "-- User has been unlocked"; return the information
        
    Endif
EndFunc

4. When you send an email to your work email it will need to run against the rules you set in place. The attachment is just a txt file (except with the extension .loc) with the first line being the username you want to unlock. This is what you will send yourself.

User.loc

MyIdiotUser

That's pretty much it! Remember it runs in the user context. You could actually delegate a domain user account to only do unlocking of accounts if you wanted to http://support.microsoft.com/kb/279723

[Mat]

That's actually pretty cool. It's also another reason not to use outlook!

I'd suggest getting some VPN connections setup for the support staff so they can do this kind of thing directly.

[kickarse]

Of course. I'd never advise to do this IRL without some sort of encryption tunnel. But it just goes to show what you can do with some ingenuity.

A proof of concept none-the-less.

[cooper]

You shouldn't use the name of the attachment to determine what the file on the local filesystem should be called. Otherwise a malicious admin could use this to overwrite user files.

Also, it's nice that you remove the attachment from the email, but couldn't you remove the entire email altogether, just to make sure the user doesn't get a clue and tries forwarding these emails to other people in his unit with a forged FROM address?