
VB script to unlock a user account in AD

  • 16-07-2008 12:17pm
    #1
    Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭


    Found this script online - it may solve my problems here at a site with 50 users where they keep locking their accounts after 5 unsuccessful logins.
    Is there anyone here that would have a look at this script before I put it onto a user's PC?

    ' Prompt for the sAMAccountName of the account to unlock.
    username = InputBox("Enter username:")
    If username = "" Then WScript.Quit

    ' Resolve the account to its ADsPath (LDAP://CN=...,DC=...).
    ldapPath = FindUser(username)

    If ldapPath = "Not Found" Then
        WScript.Echo "User not found!"
    Else
        Set objUser = GetObject(ldapPath)
        If IsAccountLocked(objUser) Then
            ' Writing 0 to lockoutTime clears the lockout. This only succeeds if
            ' the account running the script has write access to that attribute.
            objUser.Put "lockoutTime", 0
            objUser.SetInfo
            WScript.Echo "Account Unlocked"
        Else
            WScript.Echo "This account is not locked out"
        End If
    End If


    ' Look the account up by sAMAccountName with an ADO query against the
    ' domain's default naming context. Returns its ADsPath, or "Not Found".
    Function FindUser(ByVal UserName)
        On Error Resume Next

        Set objRoot = GetObject("LDAP://RootDSE")
        domainName = objRoot.Get("defaultNamingContext")
        Set cn = CreateObject("ADODB.Connection")
        Set cmd = CreateObject("ADODB.Command")
        Set rs = CreateObject("ADODB.Recordset")

        cn.Open "Provider=ADsDSOObject;"

        cmd.ActiveConnection = cn
        ' Note: UserName is placed in the filter unescaped, so the script
        ' should only be run by someone trusted to type a plain account name.
        cmd.CommandText = "SELECT ADsPath FROM 'LDAP://" & domainName & _
            "' WHERE sAMAccountName = '" & UserName & "'"

        Set rs = cmd.Execute

        If Err <> 0 Then
            WScript.Echo "Error connecting to Active Directory Database:" & Err.Description
            WScript.Quit
        Else
            If Not rs.BOF And Not rs.EOF Then
                rs.MoveFirst
                FindUser = rs(0)
            Else
                FindUser = "Not Found"
            End If
        End If
        cn.Close
    End Function

    ' lockoutTime is an Integer8 (64-bit FILETIME) returned as an object with
    ' HighPart and LowPart. Both parts zero means the account is not locked;
    ' a missing attribute (error 0x8000500D, property not found) means the same.
    Function IsAccountLocked(ByVal objUser)
        On Error Resume Next
        Set objLockout = objUser.Get("lockoutTime")

        If Err.Number = -2147463155 Then   ' E_ADS_PROPERTY_NOT_FOUND
            IsAccountLocked = False
            Exit Function
        End If
        If Err.Number <> 0 Then   ' any other failure: report it instead of crashing below
            WScript.Echo "Error reading lockoutTime: " & Err.Description
            IsAccountLocked = False
            Exit Function
        End If
        On Error GoTo 0

        If objLockout.LowPart = 0 And objLockout.HighPart = 0 Then
            IsAccountLocked = False
        Else
            IsAccountLocked = True
        End If

    End Function
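Added example, not code from the original post: a Python model of the lockoutTime test the script performs. It shows how the HighPart/LowPart pair maps to a Windows FILETIME and why "non-zero lockoutTime" is not the same as "currently locked": AD does not zero the attribute when the domain's lockoutDuration elapses, only on the next successful logon or an explicit unlock, so the script's IsAccountLocked can report an account as locked after the lockout has already expired. The timestamps and the 30-minute duration are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC) in 100-nanosecond ticks; lockoutTime
# is stored in exactly this form as an Integer8 with a HighPart and LowPart.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def parts_to_int64(high, low):
    # VBScript hands LowPart back as a signed 32-bit long, so mask it first.
    return (high << 32) | (low & 0xFFFFFFFF)

def int64_to_parts(value):
    return value >> 32, value & 0xFFFFFFFF

def filetime_to_datetime(high, low):
    return FILETIME_EPOCH + timedelta(microseconds=parts_to_int64(high, low) // 10)

def datetime_to_parts(when):
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return int64_to_parts(ticks)

def is_locked_script_style(high, low):
    # The posted script's test: any non-zero lockoutTime counts as locked.
    return not (high == 0 and low == 0)

def lockout_active(high, low, lockout_duration, now):
    # Whether the lockout is still in force at `now`. lockout_duration is the
    # domain's lockoutDuration as a timedelta; None models the policy value 0,
    # "locked until an administrator unlocks it".
    if high == 0 and low == 0:
        return False
    if lockout_duration is None:
        return True
    return now < filetime_to_datetime(high, low) + lockout_duration

# Constructed sample: an account locked at the time of the original post,
# in a domain whose lockoutDuration is 30 minutes.
LOCKED_AT = datetime(2008, 7, 16, 12, 17, tzinfo=timezone.utc)
LOCK_DURATION = timedelta(minutes=30)
SAMPLE_HIGH, SAMPLE_LOW = datetime_to_parts(LOCKED_AT)

def minutes_after(minutes):
    # Clock reading `minutes` after the sample lockout.
    return LOCKED_AT + timedelta(minutes=minutes)
```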


Comments

  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Just think about what you are doing here?

    Are you going to let the users reset their own accounts? What rights are needed to run this script?

    If this is just one user you are allowing to unlock the accounts then why not give them the admin tools and delegate the right to unlock accounts. It's what AD is all about ;-)


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭cance


    I don't get it... why not delegate control to a user? As stated above, if the user has the ability to run the script they have the ability to use Active Directory Users and Computers and the ability to unlock accounts.


  • Closed Accounts Posts: 13,126 ✭✭✭✭calex71


    Might be worth looking at why they actually lock out the accounts so often maybe??

    Do you have a very strict password policy in place that requires super strong passwords?? Or are they forced to change them too frequently??

    I'd be looking to the cause before implementing solutions here, OP.


  • Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭jamesd


    Yes, complex passwords are in use (6 characters with a minimum of one capital and a minimum of one number in the password) and the lockout is after 5 bad attempts to login.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    I think some edumaction is required.

    5 attempts is more than enough. Why are so many people locking out their accounts?

    We have 2000 users here with complex passwords in use, lockout after 3 attempts and our helpdesk only gets between 20 and 40 unlock requests per day. That's 1% - 2% of the userbase.

    I would be wary of giving users access to unlock each other's accounts. You may as well switch off account locking.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    jamesd wrote: »
    Yes, complex passwords are in use (6 characters with a minimum of one capital and a minimum of one number in the password) and the lockout is after 5 bad attempts to login.

    That's not a complex password by most people's definition.

    It would allow for example a user to have a password like Password1, Password2 etc., hardly complex.

    Are you sure the users are locking themselves out? The reason for the lockout is to prevent password guessing by a hacker. So is someone trying to log in as someone else and locking the account out? You should be logging all these lockouts on the server so you can see which PC the logon attempts came from in the Security Event Log.
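Added illustration of the advice above, not part of the thread: a small Python script that tallies where lockouts come from in a CSV export of Security log lockout events. It assumes Event ID 4740 ("A user account was locked out", Windows Server 2008 and later), which records both the locked account and the caller computer name; the column names and every row are constructed for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: a CSV export of Security log lockout events, one row per
# event. Column names follow the event's data fields; the rows are invented.
SAMPLE_EXPORT = """\
TimeCreated,EventID,TargetUserName,TargetDomainName,CallerComputerName
2008-07-16 07:02:11,4740,reception1,HOTEL,FRONTDESK-02
2008-07-16 07:41:53,4740,reception1,HOTEL,FRONTDESK-02
2008-07-16 09:15:08,4740,bar2,HOTEL,BAR-PC
2008-07-16 14:30:44,4740,reception1,HOTEL,FRONTDESK-01
2008-07-16 22:05:19,4740,nightaudit,HOTEL,FRONTDESK-02
2008-07-16 22:07:02,4740,reception2,HOTEL,FRONTDESK-02
"""

LOCKOUT_EVENT_ID = "4740"

def parse_lockouts(export_text):
    # Return (account, caller_computer) pairs for each lockout event.
    reader = csv.DictReader(io.StringIO(export_text))
    pairs = []
    for row in reader:
        if row["EventID"] != LOCKOUT_EVENT_ID:
            continue  # other audit events in the same export are ignored
        account = f'{row["TargetDomainName"]}\\{row["TargetUserName"]}'
        pairs.append((account, row["CallerComputerName"]))
    return pairs

def lockouts_by_computer(pairs):
    # Lockouts per originating computer: the machine that keeps producing
    # bad logons is where to look (stale saved password, a service running
    # as that user, or someone guessing), not the account itself.
    return Counter(computer for _, computer in pairs)

def accounts_per_computer(pairs):
    # Distinct accounts each computer has locked out. One machine locking
    # several accounts deserves a closer look than one user mistyping their own.
    seen = defaultdict(set)
    for account, computer in pairs:
        seen[computer].add(account)
    return {computer: sorted(accounts) for computer, accounts in seen.items()}
```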


  • Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭jamesd


    It's a hospitality sector business so there are many different shifts and different nationalities working on the computers. Someone always owns up to locking out the account and it's either from forgetting the password or their earlier shift changing the password and not telling them (passwords are required to be changed every 30 days).


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Yeah, that's a tough one.

    I'm assuming (seeing as people are changing passwords) that you're using a small group of accounts, (such as "reception1", "reception2", etc) as opposed to each user having their own account?

    It'd be tough to give recommendations without knowing the exact setup. I'm also confused as to how you expect them to run the reset/unlock script if their account is locked out and they can't access a PC. :)

    Long-term, it might be worth looking at smartcard technology - that is, each user gets a smart card which needs to be inserted into the machine in order to unlock/log in, and you have a set number of accounts with a longer password period, or maybe have IT reset them on a monthly/two-monthly basis and notify everyone. When a user walks away from their machine, they take their card with them and the machine locks automatically.

    In fact, having I.T. reset the passwords manually on a periodic basis may be the best solution - this ensures that no-one resets it to something random and forgets to tell everyone.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    seamus wrote: »
    Yeah, that's a tough one.

    I'm assuming (seeing as people are changing passwords) that you're using a small group of accounts, (such as "reception1", "reception2", etc) as opposed to each user having their own account?

    It'd be tough to give recommendations without knowing the exact setup. I'm also confused as to how you expect them to run the reset/unlock script if their account is locked out and they can't access a PC. :)

    Long-term, it might be worth looking at smartcard technology - that is, each user gets a smart card which needs to be inserted into the machine in order to unlock/log in, and you have a set number of accounts with a longer password period, or maybe have IT reset them on a monthly/two-monthly basis and notify everyone. When a user walks away from their machine, they take their card with them and the machine locks automatically.

    In fact, having I.T. reset the passwords manually on a periodic basis may be the best solution - this ensures that no-one resets it to something random and forgets to tell everyone.

    I'd have to agree with all that as I was writing much the same as a reply when my inbox indicated seamus had beaten me to it.

    I was going to add you could leave the users that have their own accounts with the domain password policy as is and change the passwords of the multiuser accounts at the account level to not allow the passwords to be changed, then change them manually once a month. If all the multiuser accounts are in one group then you can lock that group down with a policy that only allows them access to apps and data they need.


  • Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭jamesd


    What I had planned for was to have 1 user with rights to unlock accounts and nothing else - they could then be contacted by a locked user to unlock accounts.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    jamesd wrote: »
    What I had planned for was to have 1 user with rights to unlock accounts and nothing else - they could then be contacted by a locked user to unlock accounts.

    Fair enough - do it. No need for a script though. Also delegate a PC for this admin role and install the Admin tools. Set up an MMC for Users and Computers and stick a shortcut to it on the desktop. Even though the tools are available the user won't be able to do anything you haven't delegated them rights for.

