0phoi5 Posted January 14, 2016 (edited)

Hi all,

Here's a nice script, entirely in a batch file, that:

Prompts for input of a user's Full Name and Email Address.
Sets their password to a random string of uppercase, lowercase and numerical characters.
Generates an email to send to them, with their new password.

Notes:

Length of the password can be set using the line Set _RNDLength=
Whether the user has to reset their password on logging in can be set with -mustchpwd
Amend OU= and DC= for your own company's domain.

@echo off
:Start
endlocal
echo.
echo This script will reset the password for a user, using their Full Name,
echo and then generate the email to be sent to them.
echo.
echo Passwords are automatically set as 10 digits, using lowercase,
echo uppercase and numbers.
echo.
echo.
echo.
set /p "DisplayName= Full Name : %=%"
echo.
echo.
set /p "EmailAddress= Email : %=%"
cls
Setlocal EnableDelayedExpansion
Set _RNDLength=10
Set _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
REM Work out the length of _Alphanumeric (62) in steps of 9, then add the remainder
Set _Str=%_Alphanumeric%987654321
:_LenLoop
IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop
SET _tmp=%_Str:~9,1%
SET /A _Len=_Len+_tmp
REM Build the password one random character at a time
SET _count=0
SET _RndAlphaNum=
:_loop
SET /a _count+=1
SET _RND=%Random%
SET /A _RND=_RND%%%_Len%
SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1!
If !_count! lss %_RNDLength% goto _loop
dsmod user "CN=%DisplayName%,OU=[OU],DC=[DC],DC=co,DC=uk" -pwd !_RndAlphaNum! -mustchpwd no
REM "IF ERRORLEVEL n" is true for any exit code >= n, so test for 1 (failure) rather than 0 (always true)
IF ERRORLEVEL 1 (
    echo.
    echo Failed.
    echo.
    Pause
    GOTO Start
)
:SendEmail
start "" "mailto:%EmailAddress%?subject=Password%%20Reset&body=Hello,%%0D%%0A%%0D%%0AYour%%20AD%%20password%%20has%%20been%%20reset%%20to%%20!_RndAlphaNum!%%0D%%0A%%0D%%0AKind Regards,%%0D%%0A%%0D%%0AYour%%20Name"
cls
GOTO Start

Email generated looks like this:

Hello,

Your AD password has been reset to kD5Xjfd8A6

Kind Regards,

Your Name

This saves me some time at work when we get loads of emails asking for password resets for AD accounts. Takes 30 seconds instead of a few minutes.

Edited January 14, 2016 by haze1434
Dice Posted January 14, 2016

And how are they going to read that mail, while they need a password reset to access their mail?
0phoi5 (Author) Posted January 14, 2016 (edited)

> And how are they going to read that mail, while they need a password reset to access their mail?

We have a lot of users that have accounts in different domains / use VPN / use Citrix. They have multiple email addresses. We also have users who get emails pushed to mobiles, which I believe doesn't require the same credentials, as it comes directly from an Exchange server.

It would be pretty easy to set up another method to send them the password, just amend :SendEmail.

Edited January 14, 2016 by haze1434
sud0nick Posted January 14, 2016

You should consider using the User Principal Name rather than the Full Name. There are many people within my AD environment that have the same name, middle initial too, and the only way to tell them apart is by the UPN.

Why did you choose batch over PowerShell for this script?
0phoi5 (Author) Posted January 14, 2016

> You should consider using the User Principal Name rather than the Full Name. There are many people within my AD environment that have the same name, middle initial too, and the only way to tell them apart is by the UPN.
> Why did you choose batch over PowerShell for this script?

Thank you, good point. I'll look into that and amend the code.

I chose batch as I don't yet know PowerShell.
sud0nick Posted January 14, 2016

You should look into PowerShell. It's much easier and far more powerful than batch. I think you'll enjoy it.
cooper Posted January 15, 2016

Can't you replace the use of the _LenLoop label and associated GOTO with a nice FOR loop?
0phoi5 (Author) Posted January 18, 2016

Will update this script soon guys, sorry. Work is hectic, might be off the forum a few days.
White Light Posted January 19, 2016

> Can't you replace the use of the _LenLoop label and associated GOTO with a nice FOR loop?

You can easily do that if you know the reasonable maximum for the length of string (like 512).

@echo off
setlocal enabledelayedexpansion
set /p "in=Input: "
set len=1
set #=%in%
for %%a in (256 128 64 32 16 8 4 2 1) do if not "!#:~%%a!"=="" set /a len+=%%a&set #=!#:~%%a!
echo %in% is %len% chars long.
pause

Though the original length script will take n/9 iterations to get the length, this would always take 9 loops for up to 512 characters.
velkrosmaak Posted February 25, 2016

Sending a password in clear text is... iffy.
0phoi5 (Author) Posted March 2, 2016

> Sending a password in clear text is... iffy.

How else would you advise a user of their password, if they are based in another country and don't have access to the Active Directory? Phone call? Not any safer.
AlfAlfa Posted March 2, 2016

> How else would you advise a user of their password, if they are based in another country and don't have access to the Active Directory? Phone call? Not any safer.

Send it over SSL-wrapped email, and / or send a password reset link rather than just the password. (Although someone who receives either could still use both reset types to gain access, so make the password reset step mandatory, and they should also be required to enter some information that only they would know!)

This way, even if someone that shouldn't gets hold of the password reset link or temporary password, they still would have to know a secret piece of information that doesn't get sent and that they won't be able to figure out or guess.
cooper Posted March 2, 2016

Meh. Just make sure this password needs to be changed on next login and you should be fine.

SSL-wrapped email implies having client certs, which thus far seem to be an excessive burden on most organizations.
0phoi5 (Author) Posted March 2, 2016

> SSL-wrapped email implies having client certs, which thus far seem to be an excessive burden on most organizations.

I would guess this. But then I just work here, so meh.

I don't think our India guys have much access to do anything anyway, so it wouldn't cause much of a security problem.
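For readers who want to follow the PowerShell route suggested in the thread, here is a PowerShell version of the first post's script. It is an added example, not code from any of the posters, and it folds in two points raised above: sud0nick's suggestion to look the account up by User Principal Name instead of display name, and cooper's point that the emailed password should have to be changed at next logon (the batch script's -mustchpwd no leaves it reusable). It also replaces cmd's %Random%, a 15-bit generator seeded from the clock whose output the batch script reduces with a biased modulo, with the .NET cryptographic RNG and rejection sampling so every character is equally likely. It assumes the RSAT ActiveDirectory module (Get-ADUser, Set-ADAccountPassword, Set-ADUser); the function names New-RandomPassword and Reset-UserPasswordByUpn and the sample UPN and address at the bottom are mine, not from the thread.

```powershell
# Added example, not the original poster's script. Assumes the RSAT
# ActiveDirectory module is installed; function names are the editor's own.
#Requires -Modules ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 10)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer   = New-Object byte[] 1
    $chars    = New-Object char[] $Length
    # 62 does not divide 256, so a plain "byte % 62" favours the first few
    # characters. Discard bytes at or above the largest multiple of 62 (248)
    # and draw again; what remains is uniform over the alphabet.
    $limit = 256 - (256 % $alphabet.Length)
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
        $chars[$i] = $alphabet[$buffer[0] % $alphabet.Length]
    }
    $rng.Dispose()
    return -join $chars
}

function Reset-UserPasswordByUpn {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$EmailAddress,
        [int]$Length = 10,
        [bool]$ChangePasswordAtLogon = $true
    )
    # The UPN is unique across the forest; a display name is not, so two
    # "John A. Smith" accounts cannot be confused here. The script-block
    # filter passes the value as a parameter rather than splicing it into
    # a filter string.
    $user = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName }
    if (-not $user) { throw "No account found with UPN '$UserPrincipalName'" }

    $password = New-RandomPassword -Length $Length
    $secure   = ConvertTo-SecureString -String $password -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    # Make the emailed value a one-time password: the user picks their own
    # at next logon, so the copy sitting in their mailbox stops being useful.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $ChangePasswordAtLogon

    # Same message body as the batch script, URL-encoded properly so spaces
    # and line breaks survive the mailto: handler.
    $body   = "Hello,`r`n`r`nYour AD password has been reset to $password`r`n`r`nKind Regards,`r`n`r`nYour Name"
    $parts  = @($EmailAddress, [uri]::EscapeDataString('Password Reset'), [uri]::EscapeDataString($body))
    $mailto = 'mailto:{0}?subject={1}&body={2}' -f $parts
    Start-Process $mailto
}

# Usage with constructed sample values (replace with a real UPN and address):
# Reset-UserPasswordByUpn -UserPrincipalName 'jsmith@example.co.uk' -EmailAddress 'jsmith@example.co.uk'
```

Run it from a session that has rights to reset passwords in the target OU; the OU and domain no longer need to be edited into the script because the account object returned by Get-ADUser carries its own distinguished name. If a site does want the batch script's behaviour of not forcing a change, pass -ChangePasswordAtLogon $false, but the thread's later posts explain why the default here is $true.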