One of the most tedious day-to-day tasks for Active Directory administrators in medium to large organizations is the management of user accounts and their respective information, things such as resetting user passwords, clearing account lockouts, updating of phone numbers and additional information.
It’s true that in Windows Server 2003/2008, Active Directory Users and Computers allows you to perform a few of these tasks on multiple user accounts, but as it is in most cases with Microsoft programs, this ability is not as feature rich as we’d like it to be. This forces administrators to either begin scripting around, or revert to 3rd-party tools.
One of these time-saver tools is Password Control – a free tool written by David Wiseman (see his site link below). The tool makes it easy for helpdesk staff to reset passwords for Active Directory user accounts. Currently in beta, the latest version of this application also includes a Bulk Modify tool which will be of particular interest to system administrators. Bulk Modify allows you to update various Active Directory attributes, performing updates that previously would have been accomplished with scripts. As well as being simple to use, Bulk Modify has the added bonus of generating an XML log file that can be used to undo attribute modifications.
Password Control is simple tool that can be used by helpdesk staff and system administrators to reset user passwords. Simply type a username, enter a password and click the “Change Password” button.
If you don’t know the username you can use the “check username” button to find the user account. By default this will search the Surname (sn), Email (mail), DisplayName, Common-Name (cn), UserPrincipalName and UserName (sAMAccountName) properties of a user account. The search can be customized in the config file.
The “G” button can be used to automatically generate a password. There are various options available that control the format of the password generated (random characters, pass phrase and custom password mask).
Password Control also has the ability to unlock, disable and enable user accounts. There are many useful options that are not immediately obvious; from settings you can change in the application XML configuration file to extending the application with VBScript files.
Password Control is great for changing individual passwords but cumbersome if you need to change passwords for many user accounts – Bulk Password Control is the ideal tool for bulk password resets.
Bulk Password Control has powerful query capabilities to allow you to identify the user accounts you want to modify. You can select users from a group, organizational unit or you can use a custom/pre defined query. You can also type a list of user accounts or load them from a text file.
You can choose to let the application generate a unique password for each user account or you can type a single password to use for all user accounts. The data can be exported to a CSV file. Bulk Password Control also has options to unlock, enable and disable user accounts. You could easily use Bulk Password Control to unlock all the user accounts in your domain.
Bulk Modify is a powerful tool that allows system administrators to perform bulk updates to Active Directory attributes that would previously have been accomplished using scripts. For example, you can use Bulk Modify to ensure that the display name is set to “surname, firstname”. Bulk Modify supports a wide variety of attributes including terminal services attributes, account control attributes and custom attributes added by extending the schema. You can even use Bulk Modify to load photos into Active Directory!
The first step is to select the user accounts you want to modify in the “Bulk Password Control” dialog. You then launch the Bulk Modify application by clicking the “Modify Attributes” button. Bulk Modify has been designed to look similar to the user dialog in Active Directory Users and Computers – this will make it easy to find the attributes you want to modify.
To modify an attribute, enable the associated checkbox. You will then be allowed to type a new value in the textbox. Some attributes have an “intermediate” check state (checkbox is checked and grayed out) which can be used to clear an attribute.
Bulk Modify is made more powerful by its use of XML Placeholders. These can be used to base the modification on other AD attributes – setting the display name to “surname, firstname” for example. XML Placeholders also allow you to find and replace text and perform other types of text manipulation such as substring, uppercase and propercase.
One of the reasons you might choose to use Bulk Modify over writing a script is the logging and rollback facilities. You can undo the changes made by clicking the rollback button in the results dialog (pictured below).
Note: As always, it’s still advisable to keep a recent backup of your directory.
Please visit http://www.wisesoft.co.uk where you can you can learn more about Password Control. The website also includes a repository of scripts for system administration and some other tools that you might be interested in.