I can't login

"My password isn't working!" ... "Can you reset it?" Front line support at most places hears these words at least once or twice a day. No matter how much we try to inform and remind users about their expiring passwords, there will be those who forget to change it before it expires or end up locking themselves out one way or another (iPhone/Exchange anyone?)

AD functions in PowerShell

I have written a few AD functions in PowerShell. One of them gets information about a user and then passes that along to possible actions to take. The function I'm writing about is one of those actions. 

Requirements

  • Quest AD tools (the Get-QADUser / Set-QADUser cmdlets)
  • Resolve-UserName function (the code for that is below)
  • $adminCredential set to a credential that is allowed to reset passwords, e.g. $adminCredential = Get-Credential
  • Set $foregroundColor to something you like so it looks pretty.

Actions!

What this function will do is take an account name (or ask you for one), and then give you 3 options.

  • Reset and flag for change
  • Reset and don't flag for a change
  • Just flag for reset on next logon (or unflag if already flagged)

Parameters

-actName (Account name to reset)

The Code

This is the code for the Resolve-UserName function:

function Resolve-UserName {

    param ($Username, [switch]$Verbose=$false)

    if (!$Username) {
        $Username = Read-Host "Enter username"
    }

    if($Verbose){ Write-Host "Attempting to resolve `"$Username`"..." }
    # Wrap the result in @() so .Count is reliable whether 0, 1 or many users come back
    # (a single object has no .Length, which would leave the loop below spinning forever)
    $ResolvedName = @(Get-QADUser $Username -IncludeAllProperties)
    do{
        If ($ResolvedName.Count -gt 1) {

            Write-Host `n"Multiple users found for `"$Username`", please select the intended user."`n -ForegroundColor $foregroundColor

            $i = 0

            Foreach ($u in $ResolvedName) {
                Write-Host "$i -> " $u.Name
                $i++
            }
            # -as [int] yields $null instead of throwing when the input is not a number
            $selUsr = (Read-Host "Which #?") -as [int]
            if ($selUsr -ne $null -and $selUsr -ge 0 -and $selUsr -lt $ResolvedName.Count) {
                $ResolvedName = @($ResolvedName[$selUsr])
            }
            else { Write-Host "Invalid selection. Try again." -ForegroundColor Red }
        }
        elseif($ResolvedName.Count -eq 0){
            Write-Host "User does not exist. Try again." -ForegroundColor Red
            $Username = Read-Host "Enter username"
            $ResolvedName = @(Get-QADUser $Username -IncludeAllProperties)
        }
    }until($ResolvedName.Count -eq 1)
    if($Verbose){ Write-Host "Resolved `"$Username`" to" $ResolvedName[0].SamAccountName }
    Return $ResolvedName[0]
}

This is the code for the Reset-ADPassword function:

function Reset-ADPassword {

    param($actName)

    if(!$actName){$actName = Read-Host "Enter username"}
    $usrObj = Resolve-UserName $actName

    If ($usrObj) {

        Write-Host `n"Password reset:" $usrObj.Name -ForegroundColor $foregroundColor

        Write-Host "1. Reset and flag"
        Write-Host "2. Reset and do not flag"
        Write-Host "3. Just flag (or unflag if flagged)"`n

        $psdOp = Read-Host "Please specify an option #"
        Write-Host "Note: You will be prompted to confirm any option you select." -ForegroundColor $foregroundColor

        Switch ($psdOp)  {

            { $_ -eq 1 -or $_ -eq 2 } {

                # Read the password as a SecureString. Set-QADUser -UserPassword needs plain text,
                # so decrypt it only for the duration of the call and zero the buffer afterwards.
                $resetTo = Read-Host "Reset password to" -AsSecureString
                $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($resetTo)
                try {
                    $PlainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
                    # Option 1 flags the account to change the password at next logon; option 2 does not
                    Set-QADUser $usrObj -UserPassword $PlainTextPassword -UserMustChangePassword ($psdOp -eq 1) -Credential $adminCredential -Confirm
                }
                finally {
                    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
                    $PlainTextPassword = $null
                }
            }

            3 {
                # Toggle the "must change password at next logon" flag
                if ($usrObj.UserMustChangePassword -eq $true) {
                    Set-QADUser $usrObj -UserMustChangePassword $false -Credential $adminCredential -Confirm }
                else { Set-QADUser $usrObj -UserMustChangePassword $true -Credential $adminCredential -Confirm } }

            default { Write-Host "Invalid option `"$psdOp`"." -ForegroundColor Red }
        }
    }
}
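As an added example (not code from the original post), here are the same three actions written against the Microsoft ActiveDirectory module instead of the Quest cmdlets. It goes a little beyond the function above: the password stays a SecureString all the way into Set-ADAccountPassword, and it shows the lockout and expiry attributes that usually explain an "I can't login" call. It assumes the ActiveDirectory module (RSAT) is installed and, optionally, that $adminCredential holds a credential allowed to reset passwords.

```powershell
# Added example, not from the original post: the same three actions using the
# Microsoft ActiveDirectory module (RSAT) instead of the Quest cmdlets. The new
# password stays a SecureString all the way into Set-ADAccountPassword, so the
# script never holds it as plain text. Assumes the module is installed and that
# $adminCredential (if set) holds a credential allowed to reset passwords.
Import-Module ActiveDirectory

function Reset-ADPasswordNative {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)]
        [ValidateSet('ResetAndFlag', 'ResetOnly', 'ToggleFlag')][string]$Action
    )

    # Only pass -Credential when one is configured; the AD cmdlets reject a $null credential.
    $cred = @{}
    if ($adminCredential) { $cred.Credential = $adminCredential }

    # Pull the attributes front-line support needs to explain "I can't log in".
    $user = Get-ADUser -Identity $SamAccountName @cred `
        -Properties LockedOut, PasswordExpired, PasswordLastSet, pwdLastSet
    Write-Host ("{0}: LockedOut={1} PasswordExpired={2} PasswordLastSet={3}" -f `
        $user.SamAccountName, $user.LockedOut, $user.PasswordExpired, $user.PasswordLastSet)

    switch ($Action) {
        { $_ -in 'ResetAndFlag', 'ResetOnly' } {
            # Read-Host -AsSecureString never exposes the typed password as a string.
            $newPassword = Read-Host 'Reset password to' -AsSecureString
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword @cred -Confirm
            # -ChangePasswordAtLogon $true sets pwdLastSet to 0, which is the "must change" flag.
            Set-ADUser -Identity $user -ChangePasswordAtLogon ($Action -eq 'ResetAndFlag') @cred -Confirm
            if ($user.LockedOut) {
                # A password reset does not clear a lockout by itself.
                Unlock-ADAccount -Identity $user @cred -Confirm
            }
        }
        'ToggleFlag' {
            # The flag is set when pwdLastSet is 0; invert whatever it currently is.
            $flagged = ($user.pwdLastSet -eq 0)
            Set-ADUser -Identity $user -ChangePasswordAtLogon (-not $flagged) @cred -Confirm
        }
    }
}

# Usage: Reset-ADPasswordNative -SamAccountName jdoe -Action ResetAndFlag
```

AD refuses to set "must change password at next logon" on an account that has "password never expires" set, so the flag calls will error on such accounts.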

Let me know if you have any questions or comments!