How to Enable Accounts with userAccountControl

http://www.computerperformance.co.uk/vbscript/vbscript_useraccountcontol.htm#Example_1_-_Script_to_To_Set_userAccountControl_

Tutorial for Setting userAccountControl

When a new account is born, especially if you created it with CSVDE, it will be disabled.  By resetting the userAccountControl to 512, you can enable any Active Directory account.  However, there is another factor, and that is giving the enabled account a password so that its user can logon.


Our Mission - Goals

Our mission is to provide the users with a valid logon name and password.  To be successful, we must not only enable the account, but also set a suitable password.  What my Example script will do is enable not one account, but all accounts in a particular OU.  The crucial command is userAccountControl = 512.

Because of Windows 2003's increased security, our script may encounter obstacles.  For example, the default Domain Group Policy demands complex passwords with at least 8 characters.  Indeed, if the Domain policy enforces 8 characters and we try to enable an account with a null password, the result is this error message, 'The server is unwilling to process the request.'  Fortunately, we have the answer: we can script a new password at the same time as we enable the account.  We can even set the accounts so that users must change their password at first logon.

Our Plans

  1. Master the LDAP attribute, userAccountControl.
  2. Set the password, and force the user to change password at next logon.

Example 1 - Sample Script to Set userAccountControl

Prerequisites

Either, you could logon as an administrator (best), or you could run this script on an XP machine as a non-administrator.  I do believe in making life easy, so avoid complications and try Remote Desktop, rather than executing the script from an XP or other client.

Instructions for setting userAccountControl

  1. You should run this VBScript on a Windows Active Directory domain.
  2. Copy and paste the example script below into notepad or a VBScript editor.
  3. Decide whether to change the value for strContainer.  Naturally, to be effective you need to create a user or two in the OU specified by strContainer.
  4. Save the file with a .vbs extension, for example: UserAccountControl.vbs.
  5. Double click UserAccountControl.vbs and check the Users container for strUser.

Sample Script to Set userAccountControl

' UserAccountControl.vbs
' Sample VBScript to enable a user account
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.0 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, intAccValue
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' Here is where we set the value to enable the account
' 512 = Enable, 514 = Disable.
intAccValue = 512
' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Accounts, "
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
For each objUser in objOU
   If objUser.class="user" then
      ' The heart of this script - Enable users
      objUser.Put "userAccountControl", intAccValue
      objUser.SetInfo
   End if
next
' End of Free Sample UserAccountControl VBScript

VBScript Tutorial - Learning Points

Note 1:  UserAccountControl needs a numeric value in order to set the account.  The two common values for user accounts are: 512 = enable and 514 = disable account.  If you are scripting computer accounts substitute a value of 4096.  See more on creating computer accounts here.

Note 2:  Purely for testing, I suggest setting userAccountControl = 514.  Then open up Active Directory Users and Computers at the OU that corresponds to strContainer.  What you are looking for is a red X over the account.   Naturally, you could enable the accounts by setting the value back to 512 and running the script again.   Incidentally, Active Directory Users and Computers does not always refresh with F5, so right click and select Refresh from the shortcut menu.

Note 3:  Do you remember the goal?  Our task is to change all accounts in the OU, therefore, observe how VBScript uses the For Each ... Next loop to cycle through the objects whose .class is "user".
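
Added example, not part of the original tutorial or its author's code: userAccountControl is a bit mask in which 512 marks a normal account and the extra 2 in 514 is the disabled bit, so writing a bare 512 also resets every other flag the account carried. This variant of Example 1 reports the flags on each user and clears only the disabled bit; the OU name is taken from the tutorial's script, and the constant names follow the ADS_UF_* flag values.

```vbscript
' Added example: enable accounts by clearing one bit instead of writing 512
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = &H2           ' 2      account is disabled
Const ADS_UF_PASSWD_NOTREQD = &H20          ' 32     blank password permitted
Const ADS_UF_NORMAL_ACCOUNT = &H200         ' 512    ordinary user account
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000   ' 65536  password never expires
Const ADS_UF_SMARTCARD_REQUIRED = &H40000   ' 262144 smart card logon only

Dim objRootDSE, objOU, objUser, strContainer, intUAC, intNew

' Return the names of the flags (from the list above) set in intValue
Function DescribeUAC(intValue)
   Dim strOut
   strOut = ""
   If (intValue And ADS_UF_ACCOUNTDISABLE) <> 0 Then strOut = strOut & " ACCOUNTDISABLE"
   If (intValue And ADS_UF_PASSWD_NOTREQD) <> 0 Then strOut = strOut & " PASSWD_NOTREQD"
   If (intValue And ADS_UF_NORMAL_ACCOUNT) <> 0 Then strOut = strOut & " NORMAL_ACCOUNT"
   If (intValue And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then strOut = strOut & " DONT_EXPIRE_PASSWD"
   If (intValue And ADS_UF_SMARTCARD_REQUIRED) <> 0 Then strOut = strOut & " SMARTCARD_REQUIRED"
   DescribeUAC = Trim(strOut)
End Function

' Bind to the domain and the OU (assumption: OU=Accounts, as in the tutorial)
Set objRootDSE = GetObject("LDAP://RootDSE")
strContainer = "OU=Accounts," & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer)

For Each objUser In objOU
   If objUser.Class = "user" Then
      intUAC = objUser.Get("userAccountControl")
      ' Clear only the disabled bit; all other flags keep their value,
      ' e.g. 66050 (65536 + 512 + 2) becomes 66048, not 512
      intNew = intUAC And (Not ADS_UF_ACCOUNTDISABLE)
      WScript.Echo objUser.Name & ": " & intUAC & " [" & _
         DescribeUAC(intUAC) & "] -> " & intNew
      ' Write back only when the value actually changes
      If intNew <> intUAC Then
         objUser.Put "userAccountControl", intNew
         objUser.SetInfo
      End If
   End If
Next
```

Run it with cscript so that each WScript.Echo line prints to the console instead of opening a message box per account.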

 

Example 2 - Sample Script to Force Users to Change Password at Next Logon

' ChangePassword.vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE, objShell
Dim strContainer, strDNSDomain, strPassword
Dim intAccValue, intPwdValue
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Accounts, "
strPassword = "P@ssw0rd"
strContainer = strContainer & strDNSDomain
' Here is where we set the value to enable the account
' 512 = Enable, 514 = Disable.
intAccValue = 512
' Here we force a change of password at next logon
intPwdValue = 0
' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For each objUser in objOU
   If objUser.class="user" then
      objUser.SetPassword strPassword
      objUser.Put "userAccountControl", intAccValue
      objUser.Put "PwdLastSet", intPwdValue
      objUser.SetInfo
   End If
Next
' Optional section to launch Active Directory Users and Computers
Set objShell=CreateObject("WScript.Shell")
objShell.Run "%systemroot%\system32\dsa.msc"
WScript.Quit
' End of example: Change Password at next logon VBScript

VBScript Tutorial - Learning Points

Note 1:  Study the body of the For Each loop and examine the three commands needed to get the result we want.  While the password method uses .SetPassword, the other two properties, userAccountControl and PwdLastSet, require the .Put method.

Note 2: The optional extra section launches the Active Directory Users and Computers snap-in.  My idea is twofold, to show that the script has completed, and also to point you where to check what has happened.

Summary for setting userAccountControl

The main purpose of userAccountControl is to enable or disable accounts.  For users, a value of 512 enables the account, while a value of 514 disables the account and prevents them logging on.  Computers also need a value for userAccountControl, in their case the number is 4096.
