Active Directory

Reset passwords for Active Directory Users

Reset and manage your Active Directory users' Passwords

Active Directory is one of the most esential and important tool in any company whether small or big. In most cases big companies have uncountable amount of tools to maintain and protect users and their credentials however almost most of those companies are not prepared to the time when their systems have been compromised or to say the least their servers have been hacked or encrypted by ransomware which is something we hear very often nowadays like the case with Louisiana Hospital that was attacked by Ransomware exposing the data of 270000 patients. 

Realistic scenario

What if your users passwords were compromised and you’re not sure who is still safe or not but you need to act as fast as possible? 

To act fast, I created a script that would generate a complex 32 Char long password with 4 different Non Alphanumeric Characters using the System.Web.Security.Membership  class. here’s an example of this password:

81Q:#_#E-QVZ-(1m&VS1LKpbzwR+8Em%

The script details

The script will first check if you have the Powershell Get and ImportExcel Module installed, if not it’ll ask you to install it or not. 

You will need to amend few things

1- The path to reflect where you want to save the Logs, CSV and Excel sheet. as of now it’s in c:\SyncReports. 

2- Importing users, In the script I am grabbing users directly from a specific OU in AD. so you’ll need to decide how you want to do it. I have added another line in case you’re planning to 

3- The password reset command is setup with -whatif parameter for you to test this before you run it. so just remember to remove it when you’re done with the changing and testing.

I have added mailbody and send-message command to send the excel as an attachment along with the excel password protection. 

Running the script will result in the following

Once you get the Excel sheet and try to open it, you will realize that it’s password protected. The password should be in the email body that’s sent in the script.

Excel sheet result will be looking as follows:

The script
The script 90%
#This script will generate randdom complex passwords for all AD users

#Using Time class and start reporting
$TimeStamp = [datetime]::Now.ToString(“MM-dd-yyyy-HH-mm”)
Start-Transcript -Path C:\SyncReports\Logs\Logs_$TimeStamp.txt -IncludeInvocationHeader

#Generate report
$Report = [System.Collections.Generic.List[Object]]::new()

#Check if Excel Module is installed, if not it’ll ask to install it

##Check Protocol and Setting Secure Connectivity

[Net.ServicePointManager]::SecurityProtocol
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls, [System.Net.SecurityProtocolType]::Tls11,[System.Net.SecurityProtocolType]::Tls12

#Install PowershellGet and ImportExcel Modules
if (Get-Module -ListAvailable -Name PowershellGet) {
  Write-Host “PowershellGet exists”
} else {Install-Module PowershellGet -Force}
if (Get-Module -ListAvailable -Name ImportExcel) {
  Write-Host “ImportExcel exists”
}
else {
  Write-host “Module does not exist, Would you like to install it?”
  $options = [System.Management.Automation.Host.ChoiceDescription[]] @(‘&Yes’, ‘&No’)
  if(0 -eq $host.UI.PromptForChoice(‘Install?’ , ‘Would you like to install ImportExcel’ , $Options,0)){
      Write-Host “Installing Excel Module”… -fore green
      Install-Module -Name ImportExcel
      return
  }
}

# Import System.Web assembly
Add-Type -AssemblyName System.Web

#Defining where to get users from:
$Users = Get-ADUser -SearchBase “OU=Moh10ly_Users,DC=moh10ly,DC=local” -Filter * -Properties *
#$Users = Import-Csv “C:\SyncReports\Users.csv”
foreach ($User in $Users){
   
      $UID = $User.UserPrincipalName
      $ObjectProp = Get-ADUser -Filter {(Mail -like $UID) -or (UserPrincipalName -like $UID)} -Properties *

      #Generate New Password
      $NewPassword=[System.Web.Security.Membership]::GeneratePassword(32,4)
      $Password= ConvertTo-SecureString $newPassword -AsPlainText -Force
      $TEXTO = “$newPassword”
      $ENCODED1 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($TEXTO))
   
      $Name = $ObjectProp.Name
      $SAM = $ObjectProp.SamAccountName

      if($SAM){
               
                       $ReportLine = [PSCustomObject][Ordered]@{
                          DateandTime                 = $TimeStamp
                          UPN                         = $ObjectProp.UserPrincipalName
                          DisplayName                 = $ObjectProp.Displayname
                          Email                       = $ObjectProp.Mail
                          Encoded                     = $ENCODED1
                          Password                    = $newPassword
                          Error                       = $ObjectProp.Exception.Message
                          }
                       
                          $Report.Add($ReportLine)
       
          #Wait for Email to send
          #Start-Sleep -Seconds 15

          #Resetting user’s password
          Set-ADAccountPassword -Identity $User.SamAccountName -NewPassword $Password -WhatIf

      }
  else {$Error = Write-Host -f Red “$($User) Couldn’t be found”  
  #send-mailmessage -from “admin@skybirdtravel.com” -to “admin@skybirdtravel.com” -subject “Password reset didn’t work for $($User.UserprincipalName) on $TimeStamp” -body “$Error” -Priority High -smtpServer mailcleaner.cloudapphost.net}
  }
}
Stop-Transcript
Write-Host (“{0} Users processed” -f $Users.count)
#$Report | Out-GridView
$ExcelPassword =[System.Web.Security.Membership]::GeneratePassword(32,4)
$Report | Select-Object UPN,Displayname,Email,Encoded,Password | Export-Csv -NoTypeInformation “C:\SyncReports\UserReset_$TimeStamp.csv”
$Report | Export-Excel “C:\SyncReports\UserReset_$TimeStamp.xlsx” -WorksheetName Users -TableName Users -AutoSize -Password “$ExcelPassword”
$Exported = “C:\SyncReports\UserReset_$TimeStamp.xlsx”
$MailBody = “
          <html><body>
          <font color=’006400′> Dear Team, Please find attached the list of users and their passwords encoded … `
          The file is protected with password // $ExelPassword // If any issue you can send an email to support@domain.com .</font>
          <body><html>
          “
$CC = @(‘info@moh10ly.com’)

#Get-ChildItem $Exported | send-mailmessage -from “admin@domain.com” -to “report@domain.com” -Cc $CC -subject ” User Passwords List for the date $date” -body “$MailBody” -Priority High -smtpServer relay.domain.com -BodyAsHtml

Finally:

I have added this script to github, so feel free to comment or add your contribution if needed.

https://github.com/moh30ly/powershell/blob/main/ADPasswordChange

moh10ly

View Comments

  • You’re so awesome! I don’t believe I have read a single thing like that before. So great to find someone with some original thoughts on this topic. Really.. thank you for starting this up. This website is something that is needed on the internet, someone with a little originality!

Leave a Comment
Share
Published by
moh10ly
Tags: Active DirectoryPowershellSecurity
3 years ago

Recent Posts

Finding Exchange Database hidden mailboxes. ​

Finding Exchange Database hidden mailboxes. Story:Maybe you have been in this situation before, trying to…

3 years ago

Setting up ADConnect and PTA (Password auth through) servers agents behind proxy

If you're using a Proxy server in your firewall or in your network and have…

3 years ago

Get Report of Active Directory Locked Accounts and Machine they logged in from

Story:I got some clients  that have reported some of their users being locked out and…

3 years ago

Checking and Providing Full and SendAs delegate access on O365 Exchange Online

Delegate Permissions This is a code that I have wrote recently to check if an…

3 years ago

Retrieving attachments from Exchange mailbox using python

Story: I got a request from a client who constantly gets CVs and have to…

3 years ago

550 relay not permitted distribution group contact

550 relay not permitted distribution group contact Symptoms When trying to add an external contact…

4 years ago

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298

Warning: Undefined array key "adsense_ad_type" in /datadrive/wwwroot/www.moh10ly.com/wp-content/plugins/quick-adsense-reloaded/includes/amp-condition-display.php on line 298