Friday, September 7, 2012

Script for changing AD Attribute "PasswordNotRequired" for a list of users

A vulnerability came up recently where 90% of our user accounts in Active Directory were incorrectly set up with an attribute called "PasswordNotRequired" set to true. This would allow an administrator to set a blank password for a user, since the flag exempts the account from the domain's minimum password length. This attribute is not configurable via the GUI, so PowerShell it!
 
First I needed to list all the users with this attribute set. The Active Directory module has the command we need for this task.

Get-ADUser -Filter * -Properties * | Select Name, DisplayName, PasswordNotRequired
 
This lists every user and that user's value for the attribute. I ended up exporting the output to CSV, which can be done with the Export-Csv command, and then copied the Name of each user whose value was True into a text file.
 
Now to the meat of this little script.
 
In the first line of this script I read the contents of the text file I created. The text file looks like this:
User1
User2
User3
 
$Users = Get-Content "C:\lists\userlist.txt"
 
Next are four lines of code that loop through each user in the text file and set "PasswordNotRequired" to False.
 
Foreach ($User in $Users) {
    $Cmd = Get-ADUser -Identity $User
    # Use the boolean $false, not the string "FALSE": any non-empty string is truthy in PowerShell
    $Cmd.PasswordNotRequired = $false
    Set-ADUser -Instance $Cmd
}
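The same job end to end, as an added example that is not the original post's script: it finds the flagged accounts server-side instead of pulling every property of every user, writes a review file before touching anything, supports -WhatIf, and re-checks afterwards. The OU in $SearchBase and the report path are assumptions for illustration; the LDAP filter relies on the fact that PasswordNotRequired is the PASSWD_NOTREQD bit (0x20) of userAccountControl.

```powershell
# Added example, not the original post's code. Requires the ActiveDirectory
# module (RSAT). $SearchBase and $ReportPath are assumed values; adjust them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=local',     # assumed OU
    [string]$ReportPath = 'C:\lists\PasswordNotRequired.csv'  # assumed path
)

Import-Module ActiveDirectory

# PasswordNotRequired is the PASSWD_NOTREQD bit (0x20 = 32) of userAccountControl.
# The LDAP bitwise-AND matching rule lets the domain controller do the filtering,
# so only the accounts that actually have the flag come back.
$flagFilter = '(userAccountControl:1.2.840.113556.1.4.803:=32)'

$flagged = @(Get-ADUser -LDAPFilter $flagFilter -SearchBase $SearchBase `
                        -Properties PasswordNotRequired, whenChanged)

# Keep a record of what was found before anything is changed.
$flagged |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordNotRequired, whenChanged |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Verbose ("{0} account(s) have PasswordNotRequired set" -f $flagged.Count)

foreach ($user in $flagged) {
    # Pass the real boolean $false. A string such as "FALSE" is truthy in
    # PowerShell ([bool]"FALSE" is $true), which is the classic mistake here.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear PasswordNotRequired')) {
        Set-ADUser -Identity $user.DistinguishedName -PasswordNotRequired $false
    }
}

# Verify: the same filter should now return nothing in scope.
$remaining = @(Get-ADUser -LDAPFilter $flagFilter -SearchBase $SearchBase)
if ($remaining.Count -gt 0) {
    Write-Warning ("{0} account(s) still flagged; see {1}" -f $remaining.Count, $ReportPath)
}
```

Run it once with -WhatIf -Verbose to see which accounts would be changed and to produce the CSV, then again without -WhatIf to apply the fix. Because the check and the fix use the same filter, the final query doubles as a regression test you can schedule to catch the flag reappearing on new accounts.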
 
This little five-line script saved hours of time for my team. This is why I enjoy scripting with PowerShell.
 
Rich
 