- <#
- Version: 1.0
- Created: {12July17}
- Created by {Kristopher Roy - BellTechlogix}
- Summary: {script to allow elevated password resets and account unlocks}
- Usage:
- Example:
- Updates:
- #>
- # Custom Functions that you create
- #Function to import AD Module
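Function ImportModule([string]$ModuleName)
{
    <#
    .SYNOPSIS
    Imports a module unless it is already loaded in the current session.
    .PARAMETER ModuleName
    Name of the module to load.
    .OUTPUTS
    The text "Imported Module" (passed through Out-String) when an import was
    performed; nothing when the module was already loaded.
    .NOTES
    A failed import is raised as a terminating error so that a caller's
    try/catch sees it and the script does not carry on without the cmdlets
    it depends on.
    .EXAMPLE
    ImportModule "activedirectory"
    #>

    # Get-Module -Name compares names case-insensitively, so there is no need
    # to walk the loaded-module list and lower-case each entry by hand.
    If (-not (Get-Module -Name $ModuleName))
    {
        Import-Module $ModuleName -ErrorAction Stop
        Write-Output "Imported Module" | Out-String
    }
}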
- #Function to build pw parameters
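Function GET-Temppassword() {
    <#
    .SYNOPSIS
    Builds a random password by picking characters from a supplied alphabet.
    .PARAMETER length
    Number of characters to generate (default 10).
    .PARAMETER sourcedata
    The alphabet to draw from, one entry per candidate character.
    .OUTPUTS
    System.String - the generated password.
    .NOTES
    Characters are drawn from System.Security.Cryptography.RandomNumberGenerator
    rather than Get-Random, whose generator is not guaranteed to be
    cryptographically strong on every PowerShell version. The result is not
    checked against any complexity rule; that is left to the caller.
    #>
    Param(
        [int]$length=10,
        [string[]]$sourcedata
    )

    # An empty alphabet would otherwise produce an empty password silently.
    If (-not $sourcedata -or $sourcedata.Count -eq 0) {
        throw "GET-Temppassword: -sourcedata must contain at least one character"
    }

    [uint64]$count = $sourcedata.Count
    # A 32-bit draw has 2^32 possible values. Draws at or above the largest
    # multiple of $count are discarded so every entry is equally likely
    # (no modulo bias).
    [uint64]$space = 4294967296
    [uint64]$limit = $space - ($space % $count)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    $builder = New-Object System.Text.StringBuilder
    try {
        For ($loop = 1; $loop -le $length; $loop++) {
            do {
                $rng.GetBytes($buffer)
                [uint64]$draw = [System.BitConverter]::ToUInt32($buffer, 0)
            } while ($draw -ge $limit)
            [void]$builder.Append($sourcedata[[int]($draw % $count)])
        }
    }
    finally {
        $rng.Dispose()
    }
    return $builder.ToString()
}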
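Function checkPassword()
{
    <#
    .SYNOPSIS
    Checks the candidate password held in $pw against a minimum length and a
    three-of-four character-class rule.
    .DESCRIPTION
    Takes no parameters; the candidate is read from $pw in the calling scope.
    The four classes are: non-alphanumeric, digit, lower case, upper case.
    .OUTPUTS
    System.String - 'PASS' or 'FAIL'. Nothing else is written to the output
    stream, so the caller can capture the result directly.
    .NOTES
    The candidate itself is never echoed: diagnostics go to the host and do
    not contain the password. Dictionary words are not checked here.
    #>
    $passLength = 8
    $pw2test = [string]$pw

    # Minimum length, not exact length: longer passwords must be accepted.
    If ($pw2test.Length -lt $passLength)
    {
        Write-Host ("Password is not long enough - Passwords must be at least " + $passLength + " characters long")
        return 'FAIL'
    }

    $isGood = 0
    If ($pw2test -match "[^a-zA-Z0-9]") { $isGood++ }   # special characters
    If ($pw2test -match "[0-9]")        { $isGood++ }   # digits
    If ($pw2test -cmatch "[a-z]")       { $isGood++ }   # lower case (case-sensitive match)
    If ($pw2test -cmatch "[A-Z]")       { $isGood++ }   # upper case (case-sensitive match)

    If ($isGood -ge 3)
    {
        Write-Host "Password meets the complexity check"
        return 'PASS'
    }

    Write-Host "Password does not meet the complexity check"
    return 'FAIL'
}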
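# Positional arguments, up to 4 can be passed:
#   0 - user account to be modified
#   1 - action: UNLOCK or RESET
#   2 - password to set for the user (blank = auto-generate)
#   3 - Yes/No: require a password change at next logon
# NOTE(review): a password passed as an argument can end up in command
# history, transcripts and job logs of whatever launches this script.
# Prefer leaving it blank and letting the script generate one.
$USERNAME = $args[0]
$ACTION   = $args[1]
$PASSWORD = $args[2]
$FRCPWCHG = $args[3]

# Everything runs inside try so that any failure (module import, directory
# lookup, restriction check) stops the run before an account is touched.
try
{
    # Setup your Environment by adding Modules or PSSnapins
    ImportModule "activedirectory"

    # Help: passing "?" for an argument prints what that argument is for.
    If ($USERNAME -eq "?") {
        write-output "This is the field that you input the end user account name in"
        exit
    }
    If ($ACTION -eq "?") {
        write-output "Input wether you want to UNLOCK an account or RESET the password"
        exit
    }
    If ($PASSWORD -eq "?") {
        write-output "Input the new password; must contain 8chars, Upper, Lower, Number, and special chars, no dictionary words. If left blank password will auto generate"
        exit
    }
    If ($FRCPWCHG -eq "?") {
        write-output "Input Yes, or No to require password change on next login"
        exit
    }

    # MAIN ROUTINE
    # The target is always the account named in the first argument; it must
    # never be overridden by a value hard-coded in the script.
    If ([string]::IsNullOrEmpty($USERNAME))
    {
        Write-Output "No user account name was supplied"
        return
    }

    $ADUser = Get-ADUser $USERNAME -Properties memberOf
    [array]$grps = $ADUser | Select-Object -ExpandProperty memberOf | Get-ADGroup | Select-Object Name

    # Accounts in these groups must not be modified through this script.
    # The names have to match the directory exactly, otherwise the entry
    # silently protects nothing.
    # NOTE(review): only direct membership (memberOf) is compared; membership
    # through nested groups or the primary group is not covered - confirm
    # whether that is acceptable.
    $NAGroups = 'Enterprise Admins','Domain Admins','Account Operators','Desktop Support','Exchange Organization Administrators'
    ForEach ($grp in $grps)
    {
        If ($grp.Name -in $NAGroups)
        {
            Write-Output ("$USERNAME is in a group that your permissions are restricted from modifying, " + $grp.Name)
            return
        }
    }

    # Accounts below this OU are off limits as well.
    If ($ADUser.DistinguishedName -like "*OU=Accounts,OU=Network Services*")
    {
        Write-Output "You are in restricted OU Group"
        return
    }

    If ($ACTION -like 'UNLOCK' -or $ACTION -like 'RESET')
    {
        # Both actions start by unlocking the account and reporting the result.
        $lckstat = Unlock-ADAccount -Identity $USERNAME -PassThru | Get-ADUser -Property 'lockedout' | Select-Object -Expand 'lockedout'
        If ($lckstat -eq $True) { Write-Output "$USERNAME is still locked-out" }
        ElseIf ($lckstat -eq $False) { Write-Output "$USERNAME has been unlocked" }
    }
    Else
    {
        Write-Output "No action taken: ACTION must be UNLOCK or RESET"
    }

    #Action to RESET Account
    If ($ACTION -like 'RESET')
    {
        $pwset = $False

        # A missing argument arrives as $null, which is not equal to '',
        # so test for both.
        If ([string]::IsNullOrEmpty($PASSWORD))
        {
            # Printable ASCII 33..126 as the alphabet for the generated password.
            $ascii = $NULL
            For ($a = 33; $a -le 126; $a++) { $ascii += ,[char][byte]$a }
            $pw = GET-Temppassword -length 8 -sourcedata $ascii
            $securepw = ConvertTo-SecureString -String $pw -AsPlainText -Force
            # -Reset performs an administrative reset (no old password needed).
            # No -WhatIf here: with it the cmdlet only simulates the change
            # while the script still reports a password. For a dry run set
            # $WhatIfPreference = $true before invoking the script.
            Set-ADAccountPassword -Identity $USERNAME -Reset -NewPassword $securepw -ErrorAction Stop
            # Reported only after the reset succeeded. This line contains the
            # plaintext password: treat the script output as sensitive.
            Write-Output "The new user password is $pw"
            $pwset = $True
        }
        Else
        {
            $pw = $PASSWORD
            # checkPassword reads $pw from this scope; its verdict is the last
            # item it returns and has to be captured here.
            $pwchk = @(checkPassword) | Select-Object -Last 1
            If ($pwchk -eq 'PASS')
            {
                $securepw = ConvertTo-SecureString -String $pw -AsPlainText -Force
                Set-ADAccountPassword -Identity $USERNAME -Reset -NewPassword $securepw -ErrorAction Stop
                Write-Output "Password for $USERNAME has been reset"
                $pwset = $True
            }
            Else { Write-Output 'passwod failed complexity check' }
        }

        # Fourth argument: the operator who ran the reset knows the password,
        # so a change at next logon is required unless "No" was passed.
        # NOTE(review): the default for a blank value is an assumption - confirm.
        If ($pwset -and $FRCPWCHG -notlike 'No')
        {
            Set-ADUser -Identity $USERNAME -ChangePasswordAtLogon $True
            Write-Output "$USERNAME must change the password at next logon"
        }
    }

    # to return your data use |out-string with your cmdlts to be return via script
    #Examples: Search-ADAccount -LockedOut |out-string
    #Examples: Get-VMHostService | where {$_.key -eq 'sfcbd-watchdog' } | out-string
    # for Console type output use: write-output "Some Information"
    #Examples: write-output "This is my action"
    # Cleanup (Optional)
    #Remove-Module "module name"
    #Remove-PSSnapin "snapin name"
}
catch
{
    # Captures errors
    write-output "Exception Message: $($_.Exception.Message)"
}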