How Can I Change a User’s Password?

Avatar

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I change a user’s password using a script?

— GO

Spacer Hey, Scripting Guy! Answer Script Center

Hey, GO. You didn’t indicate whether you wanted to change the password for a local user or for an Active Directory user. But that’s OK: the processes are so similar we’ll go ahead and show you how to do both. It’s like getting two Hey, Scripting Guy! columns for the price of one.


Regardless of whether you want to change a local user password or an Active Directory user password you need to go through a two-step process. First you bind to the user account in question, and then you use ADSI’s SetPassword method to assign the user a new password. That’s it: two steps and you’re done.


To prove it, let’s start by changing the password for a local user. In the following script, we bind to the kenmyer user account on the computer atl-ws-01 and assign Ken the password i5a2sj*!:

Set objUser = GetObject(“WinNT://atl-ws-01/kenmyer”)
objUser.SetPassword(“i5A2sj*!”)

That’s the whole script right there: bind to the user account, call the SetPassword method, passing SetPassword the user’s new password. The only thing to watch out for is the way you format the provider name. It has to be WinNT, with the W and the NT in uppercase letters. Write that out in any other way – for example, winnt – and the script will fail. This is one of the very rare times in which case-sensitivity is important in VBScript. Other than that, there’s nothing to it.


Of course, you might be thinking, “Yeah, they start out with a local user script because local user accounts are so simple compared to Active Directory user accounts. Just wait until they try to change the password for an Active Directory user account.” Well, the waiting is over; here’s a script that changes the password for the kenmyer user account in the domain fabrikam.com:

Set objUser = GetObject(“LDAP://cn=KenMyer,ou=Finance,dc=fabrikam,dc=com”)
objUser.SetPassword(“i5A2sj*!”)

That’s right: it’s remarkably similar to the script for changing a local user password. The only difference is that we use the LDAP provider to bind to the user account (the LDAP provider is used when working with Active Directory and the WinNT provider is used when working with local accounts and Windows NT 4.0 domains). And, of course, the path to the actual account will vary depending on whether the account is stored locally or in Active Directory. But other than that the two scripts are identical.


We should mention that you can change any user account with these scripts, including the local Administrator account. Just replace kenmyer with Administrator:

Set objUser = GetObject(“WinNT://atl-ws-01/Administrator”)
objUser.SetPassword(“i5A2sj*!”)

In fact, as long as we’re at it, let’s give you three columns for the price of one. A question we get asked all the time is this: How do I change the local Administrator password for all the computers in an OU? Well, here’s your answer:

Set objOU = GetObject(“LDAP://OU=Finance, DC=fabrikam, DC=com”)
objOU.Filter = Array(“Computer”)

For Each objItem in objOU
strComputer = objItem.CN
Set objUser = GetObject(“WinNT://” & strComputer & “/Administrator”)
objUser.SetPassword(“i5A2sj*!”)
Next


So what are we doing in this script? Well, we’re binding to the Finance OU in fabrikam.com. We’re then applying a filter to the collection we get back to make sure that we’re dealing only with computer accounts. After we’ve applied the filter, we loop through the collection of computer accounts. We grab the CN (essentially the NetBIOS name) for the first computer and store the name in the variable strComputer. We then connect to the Administrator account on that machine and change the password. The script loops around and repeats the process for the second computer in the collection, and then continues looping around and changing passwords until it’s hit every computer in the OU.


We know. But we won’t tell your boss how easy this is. Let him or her think you’re a real genius when you tell them you’ve discovered a way to automatically change all the local Administrator passwords on all the computers in an OU. The fact that it really takes just a few simple lines of code will be our little secret. (Trust us: we’ve never told our bosses how easy this is, either!)



Avatar

Follow    

No Comments.