Active Directory, Powershell, Scripting

Reset passwords for Active Directory Users

Leave a comment

Reset and manage your Active Directory users' Passwords

Active Directory is one of the most esential and important tool in any company whether small or big. In most cases big companies have uncountable amount of tools to maintain and protect users and their credentials however almost most of those companies are not prepared to the time when their systems have been compromised or to say the least their servers have been hacked or encrypted by ransomware which is something we hear very often nowadays like the case with Louisiana Hospital that was attacked by Ransomware exposing the data of 270000 patients. 

Realistic scenario

What if your users passwords were compromised and you’re not sure who is still safe or not but you need to act as fast as possible? 

To act fast, I created a script that would generate a complex 32 Char long password with 4 different Non Alphanumeric Characters using the System.Web.Security.Membership  class. here’s an example of this password:

81Q:#_#E-QVZ-(1m&VS1LKpbzwR+8Em%

The script details

The script will first check if you have the Powershell Get and ImportExcel Module installed, if not it’ll ask you to install it or not. 

You will need to amend few things

1- The path to reflect where you want to save the Logs, CSV and Excel sheet. as of now it’s in c:\SyncReports. 

2- Importing users, In the script I am grabbing users directly from a specific OU in AD. so you’ll need to decide how you want to do it. I have added another line in case you’re planning to 

3- The password reset command is setup with -whatif parameter for you to test this before you run it. so just remember to remove it when you’re done with the changing and testing.

I have added mailbody and send-message command to send the excel as an attachment along with the excel password protection. 

Running the script will result in the following

Once you get the Excel sheet and try to open it, you will realize that it’s password protected. The password should be in the email body that’s sent in the script.

Excel sheet result will be looking as follows:

The script
The script 90%
#This script will generate randdom complex passwords for all AD users

#Using Time class and start reporting
$TimeStamp = [datetime]::Now.ToString(“MM-dd-yyyy-HH-mm”)
Start-Transcript -Path C:\SyncReports\Logs\Logs_$TimeStamp.txt -IncludeInvocationHeader

#Generate report
$Report = [System.Collections.Generic.List[Object]]::new()

#Check if Excel Module is installed, if not it’ll ask to install it

##Check Protocol and Setting Secure Connectivity

[Net.ServicePointManager]::SecurityProtocol
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls, [System.Net.SecurityProtocolType]::Tls11,[System.Net.SecurityProtocolType]::Tls12

#Install PowershellGet and ImportExcel Modules
if (Get-Module -ListAvailable -Name PowershellGet) {
    Write-Host “PowershellGet exists”
} else {Install-Module PowershellGet -Force}
if (Get-Module -ListAvailable -Name ImportExcel) {
    Write-Host “ImportExcel exists”
}
else {
    Write-host “Module does not exist, Would you like to install it?”
    $options = [System.Management.Automation.Host.ChoiceDescription[]] @(‘&Yes’, ‘&No’)
    if(0 -eq $host.UI.PromptForChoice(‘Install?’ , ‘Would you like to install ImportExcel’ , $Options,0)){
        Write-Host “Installing Excel Module”… -fore green
        Install-Module -Name ImportExcel
        return
    }
}

# Import System.Web assembly
Add-Type -AssemblyName System.Web

#Defining where to get users from:
$Users = Get-ADUser -SearchBase “OU=Moh10ly_Users,DC=moh10ly,DC=local” -Filter * -Properties *
#$Users = Import-Csv “C:\SyncReports\Users.csv”
foreach ($User in $Users){
       
        $UID = $User.UserPrincipalName
        $ObjectProp = Get-ADUser -Filter {(Mail -like $UID) -or (UserPrincipalName -like $UID)} -Properties *

        #Generate New Password
        $NewPassword=[System.Web.Security.Membership]::GeneratePassword(32,4)
        $Password= ConvertTo-SecureString $newPassword -AsPlainText -Force
        $TEXTO = “$newPassword”
        $ENCODED1 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($TEXTO))
       
        $Name = $ObjectProp.Name
        $SAM = $ObjectProp.SamAccountName

        if($SAM){
 
                   
                         $ReportLine = [PSCustomObject][Ordered]@{
                            DateandTime                 = $TimeStamp
                            UPN                         = $ObjectProp.UserPrincipalName
                            DisplayName                 = $ObjectProp.Displayname
                            Email                       = $ObjectProp.Mail
                            Encoded                     = $ENCODED1
                            Password                    = $newPassword
                            Error                       = $ObjectProp.Exception.Message
                            }
                           
                            $Report.Add($ReportLine)
           
            #Wait for Email to send
            #Start-Sleep -Seconds 15

            #Resetting user’s password
            Set-ADAccountPassword -Identity $User.SamAccountName -NewPassword $Password -WhatIf

        }
    else {$Error = Write-Host -f Red “$($User) Couldn’t be found”    
    #send-mailmessage -from “admin@skybirdtravel.com” -to “admin@skybirdtravel.com” -subject “Password reset didn’t work for $($User.UserprincipalName) on $TimeStamp” -body “$Error” -Priority High -smtpServer mailcleaner.cloudapphost.net}
    }
}
Stop-Transcript
Write-Host (“{0} Users processed” -f $Users.count)
#$Report | Out-GridView
$ExcelPassword =[System.Web.Security.Membership]::GeneratePassword(32,4)
$Report | Select-Object UPN,Displayname,Email,Encoded,Password | Export-Csv -NoTypeInformation “C:\SyncReports\UserReset_$TimeStamp.csv”
$Report | Export-Excel “C:\SyncReports\UserReset_$TimeStamp.xlsx” -WorksheetName Users -TableName Users -AutoSize -Password “$ExcelPassword”
$Exported = “C:\SyncReports\UserReset_$TimeStamp.xlsx”
$MailBody = “
            <html><body>
            <font color=’006400′> Dear Team, Please find attached the list of users and their passwords encoded … `
            The file is protected with password // $ExelPassword // If any issue you can send an email to support@domain.com .</font>
            <body><html>
            “
$CC = @(‘info@moh10ly.com’)

#Get-ChildItem $Exported | send-mailmessage -from “admin@domain.com” -to “report@domain.com” -Cc $CC -subject ” User Passwords List for the date $date” -body “$MailBody” -Priority High -smtpServer relay.domain.com -BodyAsHtml

Finally:

I have added this script to github, so feel free to comment or add your contribution if needed.

https://github.com/moh30ly/powershell/blob/main/ADPasswordChange

Leave a Reply

Your email address will not be published. Required fields are marked *