  1. <#
  2.  
  3. Version:  1.0
  4. Created:  {12July17}
  5. Created by {Kristopher Roy - BellTechlogix}
  6. Summary:  {script to allow elevated password resets and account unlocks}
  7. Usage:
  8. Example:
  9.    
  10. Updates:
  11.  
  12. #>
  13.  
  14. # Custom Functions that you create
  15.  
  16. #Function to import AD Module
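  Function ImportModule([string]$ModuleName)
  {
      <#
      .SYNOPSIS
          Imports a module unless it is already loaded in the current session.
      .PARAMETER ModuleName
          Name of the module to import.
      .OUTPUTS
          The text "Imported Module" (passed through Out-String) when an import was
          performed; nothing when the module was already loaded.
      .NOTES
          A failed import is raised as a terminating error so that a calling
          try/catch can stop the script instead of continuing without the module.
      .EXAMPLE
          ImportModule "activedirectory"
      #>

      # -eq on strings is case-insensitive in PowerShell, so no manual lower-casing is needed.
      $AlreadyLoaded = Get-Module | Where-Object { $_.Name -eq $ModuleName }
      If ($AlreadyLoaded)
      {
          return
      }

      # Without -ErrorAction Stop a missing module only writes a non-terminating error and the
      # function would still report "Imported Module" for a module that never loaded.
      Import-Module $ModuleName -ErrorAction Stop
      Write-output "Imported Module"  |out-string
  }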
  54.  
  55. #Function to build pw parameters
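  Function GET-Temppassword() {
      <#
      .SYNOPSIS
          Builds a random string by drawing characters from a supplied character set.
      .PARAMETER length
          Number of draws to make from -sourcedata (default 10).
      .PARAMETER sourcedata
          The characters (or strings) to draw from. Must not be empty.
      .OUTPUTS
          System.String. An empty string when -length is less than 1.
      .NOTES
          Draws come from System.Security.Cryptography.RandomNumberGenerator because
          Get-Random is not documented as cryptographically secure, and this value is
          used as an account password.
          The result is uniformly random over -sourcedata; nothing here guarantees that
          it contains every character class a password policy may require.
      #>
      Param(
          [int]$length=10,
          [string[]]$sourcedata
      )

      if ($null -eq $sourcedata -or $sourcedata.Count -eq 0) {
          throw "GET-Temppassword: -sourcedata must contain at least one character"
      }
      if ($length -lt 1) {
          return ''
      }

      # Start from an empty local builder so a $TempPassword variable that happens to
      # exist in a calling scope can never leak into the generated value.
      $builder = New-Object System.Text.StringBuilder
      $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
      try {
          $buffer = New-Object byte[] 4
          [long]$range = 4294967296                      # number of distinct UInt32 values
          [long]$count = $sourcedata.Count
          # Largest multiple of $count within the range; draws at or above it are
          # discarded so that the modulo below does not favour low indexes.
          [long]$limit = $range - ($range % $count)

          For ($draw = 0; $draw -lt $length; $draw++) {
              do {
                  $rng.GetBytes($buffer)
                  [long]$value = [System.BitConverter]::ToUInt32($buffer, 0)
              } while ($value -ge $limit)

              [void]$builder.Append($sourcedata[[int]($value % $count)])
          }
      }
      finally {
          $rng.Dispose()
      }

      return $builder.ToString()
  }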
  77.  
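  Function checkPassword()
      {
      <#
      .SYNOPSIS
          Checks the candidate password held in the caller's $pw variable against a
          length and character-class policy.
      .DESCRIPTION
          Takes no parameters; $pw is read from the enclosing scope. The password must be
          at least 8 characters long and contain at least 3 of these 4 classes:
          special character, digit, lower-case letter, upper-case letter.
      .OUTPUTS
          'PASS' or 'FAIL'. The verdict exists only as the return value, so callers must
          capture it (for example: $result = checkPassword).
      .NOTES
          Status messages are sent to the host and never contain the password itself,
          so the candidate password does not end up in captured output or logs.
      #>
      $passLength = 8

      # "At least" $passLength characters: longer passwords are acceptable.
      if ($pw.Length -lt $passLength)
          {
          "The supplied password is not long enough - Passwords must be at least " + $passLength + " characters long" | Out-Default
          return 'FAIL'
          }

      # One point per character class present in the password.
      $isGood = 0
      If ($pw -match "[^a-zA-Z0-9]") #check for special chars
          { write-host "yes special"
          $isGood++ }
      If ($pw -match "[0-9]")
          { write-host "yes 0-9"
          $isGood++ }
      If ($pw -cmatch "[a-z]")      # -cmatch: case-sensitive, otherwise a-z would also match A-Z
          { write-host "yes a-z"
          $isGood++ }
      If ($pw -cmatch "[A-Z]")
          { write-host "yes A-Z"
          $isGood++ }

      If ($isGood -ge 3)
          {
          "The supplied password is a good password" | Out-Default
          return 'PASS'
          }

      "The supplied password is not a good password" | Out-Default
      return 'FAIL'
      }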
  114.  
  # Positional script arguments; up to 4 may be passed. A position that is not supplied is $null.
  #   [0] USERNAME - user account to be modified
  #   [1] ACTION   - UNLOCK or RESET
  #   [2] PASSWORD - password to set for the user
  #   [3] FRCPWCHG - "disable forced password change" flag
  # NOTE(review): PASSWORD arrives as a plain-text command-line argument, so it can show up in
  # process command-line auditing, transcripts and command history - confirm that is acceptable.
  $USERNAME, $ACTION, $PASSWORD, $FRCPWCHG = $args[0..3]
  125.  
  126.  
  127.  
  128. # Always use Try to capture errors within the script; this helps avoid hung processes and makes troubleshooting easier.
  129.  
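  try
  {
      # Set up the environment: load the ActiveDirectory module if this session lacks it.
      ImportModule "activedirectory"

      # Adds PS Snapin
      #Example:: if ( (Get-PSSnapin -Name "VMware.VimAutomation.Core" -ErrorAction SilentlyContinue) -eq $null ) { Add-PsSnapin "VMware.VimAutomation.Core" }

      # Help: a "?" in any argument position prints what that argument is for, then exits.
      If ($USERNAME -eq "?") {
          write-output "This is the field that you input the end user account name in"
          exit
      }
      If ($ACTION -eq "?") {
          write-output "Input wether you want to UNLOCK an account or RESET the password"
          exit
      }
      If ($PASSWORD -eq "?") {
          write-output "Input the new password; must contain 8chars, Upper, Lower, Number, and special chars, no dictionary words. If left blank password will auto generate"
          exit
      }
      If ($FRCPWCHG -eq "?") {
          write-output "Input Yes, or No to require password change on next login"
          exit
      }

      # MAIN ROUTINE

      # The target is always the account named in the first argument; no fixed test
      # account is substituted for it.
      If ([string]::IsNullOrEmpty($USERNAME)) {
          write-output "No user account name was supplied"
          return
      }

      # Guard 1: refuse to touch members of privileged groups.
      # NOTE(review): memberOf lists direct memberships only. Membership through a nested
      # group, or through the account's primary group, is not seen by this check - confirm
      # whether that gap matters for the groups listed below.
      [array]$grps = Get-ADUser $USERNAME -Property memberOf | Select -ExpandProperty memberOf | Get-ADGroup | Select Name
      $NAGroups = 'Enterprise Admins','Domain Admins','Account Operators','Desktop Support','Exchange Organization Administrators'
      FOREACH ($grp in $grps)
      {
          IF ($grp.name -in $NAGroups)
          {
              Write-output ("$USERNAME is in a group that your permissions are restricted from modifying, "+$grp.name)
              # Stop the whole script, not just this loop, so no action below can run.
              return
          }
      }

      # Guard 2: refuse to touch accounts that live in the restricted OU.
      #TRY{Get-ADUser -identity $USERNAME -SearchBase 'OU=Accounts,OU=Network Services,DC=crowley,DC=com'}catch{$RSTOU = $False}
      #IF($RSTOU -NE $FALSE){Write-output "$USERNAME is in an OU that your permissions are restricted from modifying"
      $usrchk = Get-ADUser $USERNAME | ? { ($_.distinguishedname -like "*OU=Accounts,OU=Network Services*") }
      if ($usrchk) {
          write-output "You are in restricted OU Group"
          return
      }

      # Both UNLOCK and RESET start by unlocking the account and reporting the result.
      $isUnlock = $ACTION -like 'UNLOCK'
      $isReset  = $ACTION -like 'RESET'
      If ($isUnlock -or $isReset)
      {
          $lckstat = Unlock-ADAccount -Identity $USERNAME -PassThru | get-aduser -property 'lockedout' | select -expand 'lockedout'
          if ($lckstat -eq $True) { Write-Output "$USERNAME is still locked-out" }
          ELSEIF ($lckstat -eq $False) { write-output "$USERNAME has been unlocked" }
      }
      Else
      {
          write-output "No action taken: ACTION must be UNLOCK or RESET"
      }

      # RESET additionally sets a new password.
      # NOTE(review): Set-ADAccountPassword still carries -WhatIf, so this is a dry run and
      # no password is actually changed until that switch is removed. -Reset is supplied
      # because an administrative reset does not know the account's old password.
      # NOTE(review): $FRCPWCHG is accepted and documented in the help text but is not
      # acted on anywhere in this script.
      If ($isReset)
      {
          # An omitted third argument is $null, which does not equal ''; test for both.
          if ([string]::IsNullOrEmpty($PASSWORD))
          {
              # Printable ASCII 33..126 is the source alphabet for generated passwords.
              $ascii = [char[]](33..126)
              $pw = GET-Temppassword -length 8 -sourcedata $ascii
              # The generated password is written to output so the operator can pass it on;
              # anything that records this script's output will also record the password.
              write-output "The new user password will be $pw"
              $securepw = ConvertTo-SecureString -string $pw -AsPlainText -force
              set-adaccountpassword -Identity $USERNAME -Reset -NewPassword $securepw -WhatIf
          }
          ELSE
          {
              # checkPassword reads the candidate from $pw and returns its verdict; the
              # verdict has to be captured here because the function's own variables are
              # not visible in this scope. The last emitted item is the verdict.
              $pw = $PASSWORD
              $pwchk = @(checkPassword)[-1]
              if ($pwchk -eq 'PASS')
              {
                  $securepw = ConvertTo-SecureString -string $PASSWORD -AsPlainText -force
                  set-adaccountpassword -Identity $USERNAME -Reset -NewPassword $securepw -WhatIf
              }
              ELSE { write-output 'passwod failed complexity check' }
          }
      }

      # to return your data use |out-string with your cmdlts to be return via script
          #Examples: Search-ADAccount -LockedOut |out-string
          #Examples: Get-VMHostService | where {$_.key -eq 'sfcbd-watchdog' } | out-string

      # for Console type output use: write-output "Some Information"
          #Examples: write-output "This is my action"

      # Cleanup (Optional)
      #Remove-Module "module name"
      #Remove-PSSnapin "snapin name"
  }
  catch
  {
      # Any terminating error (module load failure, unknown account, AD access denied, ...)
      # ends up here and is reported instead of leaving the process hanging.
      write-output "Exception Message: $($_.Exception.Message)"
  }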