VB script to unlock a user account in AD

jamesd

Found this script online - it may solve my problems here at a site with 50 users where they keep locking their account after 5 unsuccessful logins.
Is there anyone here that have a look at this script before I put it onto a users pc

username=inputbox("Enter username:")
if username = "" then wscript.quit

ldapPath = FindUser(username)

if ldapPath = "Not Found" then
wscript.echo "User not found!"
else
set objUser = getobject(ldapPath)
if isAccountLocked(objUser) then
objuser.put "lockoutTime", 0
objUser.setinfo
wscript.echo "Account Unlocked"
else
wscript.echo "This account is not locked out"
end if
end if


Function FindUser(Byval UserName)
on error resume next

set objRoot = getobject("LDAP://RootDSE")
domainName = objRoot.get("defaultNamingContext")
set cn = createobject("ADODB.Connection")
set cmd = createobject("ADODB.Command")
set rs = createobject("ADODB.Recordset")

cn.open "Provider=ADsDSOObject;"

cmd.activeconnection=cn
cmd.commandtext="SELECT ADsPath FROM 'LDAP://" & domainName & _
"' WHERE sAMAccountName = '" & UserName & "'"

set rs = cmd.execute

if err<>0 then
wscript.echo "Error connecting to Active Directory Database:" & err.description
wscript.quit
else
if not rs.BOF and not rs.EOF then
rs.MoveFirst
FindUser = rs(0)
else
FindUser = "Not Found"
end if
end if
cn.close
end function

Function IsAccountLocked(byval objUser)
on error resume next
set objLockout = objUser.get("lockouttime")

if err.number = -2147463155 then
isAccountLocked = False
exit Function
end if
on error goto 0

if objLockout.lowpart = 0 And objLockout.highpart = 0 Then
isAccountLocked = False
Else
isAccountLocked = True
End If

End Function

ttm

Just think about what you are doing here?

Are you going to let the users reset their own accounts? What rights are needed to run this script?

If this is just one user you are allowing to unlock the accounts then why not give them the admin tools and delegate the right to unlock accounts. Its whats AD is all about ;-)

cance

i dont get it... why not delegate control to a user? as stated above if the user has the ability to run the script they have the ability to use active directory users and computers and the ability to unlock accounts.

calex71

might be worth looking at why they actually lock out the accounts so often maybe??

Do you have a very strict password policy in place that requires super strong passwords?? or they are foced to change them too frequently??

I'd be looking to the cause before implementing solutions here OP

jamesd

Yes complex passwords are in use ( 6 characters with min of one capital and a min of one number in the password) and the lockout is after 5 bad attempts to login.

seamus

I think some edumaction is required.

5 attempts is more than enough. Why are so many people locking out their accounts?

We have 2000 users here with complex passwords in use, lockout after 3 attempts and our helpdesk only gets between 20 and 40 unlock requests per day. That's 1% - 2% of the userbase.

I would be wary of giving users access to unlock eachother's accounts. You may as well switch off account locking.

ttm

jamesd wrote: »

Yes complex passwords are in use ( 6 characters with min of one capital and a min of one number in the password) and the lockout is after 5 bad attempts to login.

Thats not a complex password by most peoples definition.

It would allow for example a user to have a password like Password1, Password2 etc hardly complex.

Are you sure the users are locking themselves out? Reason for the lockout is to prevent password guessing by a hacker. So is someone trying to log in as someoene else and locking the account out. You sould be logging all these lockouts on the server so you can see which PC the loggin attempts came from in the Security Event Log.

jamesd

Its a hospality sector business so there are many differnet shifts and different nationalitys working on the computers, someone always owns up for locking out the account and its either from forgetting the password or their earlier shift changing the password and not telling them ( passwords required to be changed every 30 days)

seamus

Yeah, that's a tough one.

I'm assuming (seeing as people are changing passwords) that you're using a small group of accounts, (such as "reception1", "reception2", etc) as opposed to each user having their own account?

It'd be tough to give recommendations without knowing the exact setup. I'm also confused as to how you expect them to run the reset/unlock script if their account is locked out and they can't access a PC.

Long-term, it might be worth looking at smartcard technology - that is, each user gets a smart card which needs to be inserted into the machine in order to unlock/log in, and you have a set number of accounts with a longer password period, or maybe have IT reset them on a monthly/two-monthly basis and notify everyone. When a user walks away from their machine, they take their card with them and the machine locks automatically.

In fact, having I.T. reset the passwords manually on a periodic basis may be the best solution - this ensures that no-one resets it to something random and forgets to tell everyone.

ttm

seamus wrote: »

Yeah, that's a tough one.

I'm assuming (seeing as people are changing passwords) that you're using a small group of accounts, (such as "reception1", "reception2", etc) as opposed to each user having their own account?

It'd be tough to give recommendations without knowing the exact setup. I'm also confused as to how you expect them to run the reset/unlock script if their account is locked out and they can't access a PC.

Long-term, it might be worth looking at smartcard technology - that is, each user gets a smart card which needs to be inserted into the machine in order to unlock/log in, and you have a set number of accounts with a longer password period, or maybe have IT reset them on a monthly/two-monthly basis and notify everyone. When a user walks away from their machine, they take their card with them and the machine locks automatically.

In fact, having I.T. reset the passwords manually on a periodic basis may be the best solution - this ensures that no-one resets it to something random and forgets to tell everyone.

I'd have to agree with all that as I was writing the much the same as a reply when my inbox indicated seamus had beaten me to it.

I was going to add you could leave the users that have there own accounts with the domain password policy as is and change the passwords of the multiuser accounts at the account level to no allow the passwords to be changed, then change them manually once a month. If all the multiuser accounts are in one group then you can lock that group down with a policy that only allows them access to apps and data they need.

jamesd

What I had planned for to have 1 user with rights to unlock accounts and nothing else - they could then be contacted by a locked user to unlock accounts.

ttm

jamesd wrote: »

What I had planned for to have 1 user with rights to unlock accounts and nothing else - they could then be contacted by a locked user to unlock accounts.

Fair enough - do it. No need for a script though. Also delegate a PC for this admin role and install the Admin tools. Set up a MMC for Users and Computers and stick a shortcut to it on the desktop. Even though the tools are available the user won't be able to do anythign you havn't delgated them rights for.