
[BATCH/CMD] Reset a user's AD password, send email - Automated


0phoi5


Hi all,

Here's a nice script, entirely in a batch file, that:

  • Prompts for input of a user's Full Name and Email Address
  • Sets their password to a random string of uppercase, lowercase and numerical characters.
  • Generates an email to send to them, with their new password.

Notes:

  • Length of the password can be set using the line Set _RNDLength=
  • Whether user has to reset their password on logging in can be set with -mustchpwd
  • Amend OU= and DC= for your own company's domain.
@echo off

:Start
    REM Discard the variables from the previous run (no-op on the first pass).
    endlocal
echo.
echo This script will reset the password for a user, using their Full Name,
echo and then generate the email to be sent to them.
echo.
echo Passwords are automatically set as 10 digits, using lowercase,
echo uppercase and numbers.
echo.
echo.
echo.
    set /p "DisplayName= Full Name : %=%"
echo.
echo.
    set /p "EmailAddress= Email : %=%"
cls

    Setlocal EnableDelayedExpansion
        REM Password length and the character set it is drawn from.
        Set _RNDLength=10
        Set _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
        REM Batch has no strlen, so measure _Alphanumeric by stripping 9 characters at a
        REM time and then reading the remainder off the trailing "987654321" ruler.
        Set _Str=%_Alphanumeric%987654321
:_LenLoop
    IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop
        SET _tmp=%_Str:~9,1%
        SET /A _Len=_Len+_tmp
        SET _count=0
        SET _RndAlphaNum=
:_loop
        REM One character per iteration. RANDOM is 0-32767 and seeded from the clock,
        REM so this is not a cryptographic generator; treat the result as a temporary
        REM password that the user replaces at first logon.
        SET /a _count+=1
        SET _RND=%Random%
        SET /A _RND=_RND%%%_Len%
        SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1!
    If !_count! lss %_RNDLength% goto _loop

            REM Replace [OU] and [DC] with your own values. The password is passed on the
            REM command line, so it is visible in process listings while dsmod runs.
            REM -mustchpwd yes makes the emailed password one-time.
            dsmod user "CN=%DisplayName%,OU=[OU],DC=[DC],DC=co,DC=uk" -pwd !_RndAlphaNum! -mustchpwd no

REM IF ERRORLEVEL 0 is always true (it means "errorlevel is 0 or higher"), so the
REM failure branch could never run. IF ERRORLEVEL 1 is true for any non-zero dsmod exit code.
IF ERRORLEVEL 1 (
    echo.
    echo Failed.
    echo.
    Pause
    GOTO Start
)

:SendEmail
        REM Opens the default mail client with the address, subject and body pre-filled.
        start "" "mailto:%EmailAddress%?subject=Password%%20Reset&body=Hello,%%0D%%0A%%0D%%0AYour%%20AD%%20password%%20has%%20been%%20reset%%20to%%20!_RndAlphaNum!%%0D%%0A%%0D%%0AKind Regards,%%0D%%0A%%0D%%0AYour%%20Name"

cls
    GOTO Start

Email generated looks like this;

Hello,

Your AD password has been reset to kD5Xjfd8A6

Kind Regards,

Your Name

This saves me some time at work when we get loads of emails asking for password resets for AD accounts. Takes 30 seconds instead of a few minutes.

Edited by haze1434

And how are they going to read that mail, while they need a password reset to access their mail?

We have a lot of users that have accounts in different domains / use VPN / use Citrix.

They have multiple email addresses.

We also have users who get emails pushed to mobiles, which I believe doesn't require the same credentials, as it comes directly from an exchange server.

It would be pretty easy to set up another method to send them the password, just amend :SendEmail.


You should consider using the User Principal Name rather than the Full Name. There are many people within my AD environment that have the same name, middle initial too, and the only way to tell them apart is by the UPN. Why did you choose batch over PowerShell for this script?


You should consider using the User Principal Name rather than the Full Name. There are many people within my AD environment that have the same name, middle initial too, and the only way to tell them apart is by the UPN. Why did you choose batch over PowerShell for this script?

Thank you, good point. I'll look in to that and amend the code.

I chose batch as I don't yet know Powershell :lol:

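As an added example (not the original poster's script and not code from this thread), here is the same flow in PowerShell, taking on the two points raised above: the account is found by UPN rather than display name, and the ActiveDirectory cmdlets replace dsmod. Two things change for the better along the way: the password comes from a cryptographic generator with rejection sampling instead of RANDOM mod 62, and it reaches AD as a SecureString rather than on a command line where other processes can read it. The script assumes the RSAT ActiveDirectory module is installed and the caller has reset rights; the UPN, the function names and the mail text in the usage lines are placeholders, not anything from the thread.

```powershell
# Added example, not the original batch script. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 10)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object char[] $Length
    # Largest multiple of 62 that fits in a byte (248). Bytes at or above it are thrown
    # away so every alphabet character is equally likely (no modulo bias).
    $limit = [int][math]::Floor(256 / $alphabet.Length) * $alphabet.Length
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    $rng.Dispose()
    return -join $chars
}

function Reset-AdUserPassword {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Length = 10
    )
    # Look the account up by UPN, which is unique, rather than by display name.
    # The script-block filter binds $UserPrincipalName safely (no string splicing).
    $user = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties EmailAddress
    if (-not $user) { throw "No account with UPN $UserPrincipalName" }

    $plain  = New-RandomPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # -Reset sets a new password without the old one. The value travels as a SecureString
    # object instead of a dsmod command-line argument visible in process listings.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    # Force the user to choose their own password at next logon, so the mailed value is one-time.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        EmailAddress      = $user.EmailAddress
        TemporaryPassword = $plain
    }
}

# Usage (placeholder UPN): reset, then open the mail client with the draft, as the batch script does.
$result = Reset-AdUserPassword -UserPrincipalName 'jsmith@example.co.uk'
$body   = [uri]::EscapeDataString("Hello,`r`n`r`nYour AD password has been reset to $($result.TemporaryPassword)`r`n`r`nKind Regards,`r`n`r`nYour Name")
Start-Process "mailto:$($result.EmailAddress)?subject=Password%20Reset&body=$body"
```

The batch script's length-measuring loop disappears entirely: `$alphabet.Length` is a property, and the rejection loop in `New-RandomPassword` is what makes each character of the 62-symbol alphabet equally probable, which a plain `% 62` on a 15-bit RANDOM value is not.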

Can't you replace the use of the _LenLoop label and associated GOTO with a nice FOR loop?

You can easily do that if you know the reasonable maximum for the length of string (like 512).

@echo off
setlocal enabledelayedexpansion
set /p "in=Input: "
set len=1
set #=%in%
REM Binary search on the length: strip 256, 128, ... 1 characters whenever at least that
REM many remain, adding each stripped amount to len. len starts at 1 because the final
REM character is never stripped.
for %%a in (256 128 64 32 16 8 4 2 1) do if not "!#:~%%a!"=="" set /a len+=%%a&set #=!#:~%%a!
echo %in% is %len% chars long.
pause

Though the original length script will take n/9 iterations to get the length, this would always take 9 loops for up to 512 characters.


  • 1 month later...

Sending a password in clear text is... iffy.

How else would you advise a user of their password, if they are based in another country and don't have access to the Active Directory?

Phone call? Not any safer.


How else would you advise a user of their password, if they are based in another country and don't have access to the Active Directory?

Phone call? Not any safer.

Send it over SSL wrapped email, and / or send a password reset link rather than just the password. (although someone who receives either could still use both reset types to gain access, so make the password reset step mandatory and they should also be required to enter some information that only they would know!)

This way even if someone that shouldn't gets a hold of the password reset link or temporary password, they still would have to know a secret piece of information that doesn't get sent and that they won't be able to figure out or guess.


Meh. Just make sure this password needs to be changed on next login and you should be fine.

SSL wrapped email implies having client certs which thus far seem to be an excessive burden on most organizations.

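The "must be changed on next login" advice above only protects the mailed password if the flag is actually set and the user acts on it; a reset done with -mustchpwd no, or one the user ignores for a week, leaves a password sitting in a mailbox. As an added example (not from this thread), the following PowerShell audit reads the domain controller's Security log for event 4724 (an administrator reset an account's password) and reports, for each target account, whether the temporary password is still in force. It assumes the ActiveDirectory module is available and that it runs on, or with read access to the Security log of, a domain controller; the function names and the 7-day and 24-hour windows are choices made for this example.

```powershell
# Added example, not from the thread: find admin password resets whose temporary password
# has not yet been replaced by the user. Run on a domain controller (Security log, event 4724).
Import-Module ActiveDirectory

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named field from the event XML instead of relying on property positions.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-OutstandingPasswordResets {
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $target = Get-EventDataValue -Event $e -Name 'TargetUserName'
        $admin  = Get-EventDataValue -Event $e -Name 'SubjectUserName'
        # Computer accounts and deleted users will not resolve; skip them.
        $user = Get-ADUser -Identity $target -Properties PasswordLastSet, pwdLastSet -ErrorAction SilentlyContinue
        if (-not $user) { continue }
        # pwdLastSet = 0 means "user must change password at next logon" is still pending,
        # so the temporary password is still the live one. If PasswordLastSet is later than
        # the reset, the user has since chosen their own password. A PasswordLastSet equal
        # to the reset time with no pending flag is the -mustchpwd no case: the mailed
        # password is the permanent one until the user changes it voluntarily.
        $mustChangePending = ($user.pwdLastSet -eq 0)
        $replacedByUser    = ($user.PasswordLastSet -gt $e.TimeCreated.AddMinutes(1))
        [pscustomobject]@{
            ResetTime         = $e.TimeCreated
            ResetBy           = $admin
            Account           = $target
            MustChangePending = $mustChangePending
            ReplacedByUser    = $replacedByUser
            HoursOutstanding  = [math]::Round(((Get-Date) - $e.TimeCreated).TotalHours, 1)
        }
    }
}

# Usage: temporary passwords still live after a day deserve a follow-up or a fresh reset.
Get-OutstandingPasswordResets -Days 7 |
    Where-Object { -not $_.ReplacedByUser -and $_.HoursOutstanding -gt 24 } |
    Sort-Object HoursOutstanding -Descending |
    Format-Table -AutoSize
```

Event 4724 is recorded on the domain controller that performed the reset, so in a multi-DC domain the audit needs to run against each DC (or a collector that forwards their Security logs) to see every reset.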

SSL wrapped email implies having client certs which thus far seem to be an excessive burden on most organizations.

I would guess this.

But then I just work here, so meh. I don't think our India guys have much access to do anything anyway, so it wouldn't cause much of a security problem.

