Set AD password and enable account

Last time we looked at creating new user accounts in Active Directory. Only the barest of information was used to create the accounts, and it did not include a password. The accounts were also created disabled.

We need to give each user a password and enable the account.

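if (-not (Get-Module ActiveDirectory)){
  Import-Module ActiveDirectory
}

$ou = "OU=England,DC=Manticore,DC=org"

# Hard-coded for the demonstration only
$password = ConvertTo-SecureString -AsPlainText "Pa55W0rd1!" -Force

# Wrapping the secure string in a credential lets us recover the plain text
# for the techniques that need a string ("userid" is just a dummy user name)
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "userid", $password

# Microsoft cmdlets: the password is passed as a secure string
"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADAccountPassword -NewPassword $password -Reset
Enable-ADAccount -Identity $name

# AD provider: every value is passed as a string
$name = "UserB"
$dn = "cn=$name,$ou"
# "$password" would expand to the type name System.Security.SecureString,
# so pass the unwrapped plain text instead
Set-ItemProperty -Path AD:\$dn -Name UserPassword -Value ($cred.GetNetworkCredential().Password) -Force
Set-ItemProperty -Path AD:\$dn -Name useraccountcontrol -Value "512" -Force

# Quest cmdlets: the password is passed as a string
"`nQuest"
$name = "UserC"

Get-QADUser -Identity $name |
Set-QADUser -UserPassword $cred.GetNetworkCredential().Password
Enable-QADUser -Identity $name

# Script (ADSI): string password, integer useraccountcontrol
"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"
$user.SetPassword($cred.GetNetworkCredential().Password)

$user.userAccountControl = 512
$user.SetInfo()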

There are a few things that differ between these techniques.

The Microsoft cmdlets expect a secure string. I’ve created this directly in the code but normally I would expect to use

$password = Read-Host "Enter Password" -AsSecureString

so that the password is presented dynamically rather than stored in the script.

The AD provider expects values to be passed as strings. Even the useraccountcontrol value is passed as a string, although it is really an integer.

The Quest cmdlet expects the password as a string, so you need to unravel the secure string as shown.

The script also expects a string for the password but accepts the useraccountcontrol as an integer.
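
Writing 512 replaces the whole useraccountcontrol bit field, so any other flag already set on the account is lost. The following is an added example, not code from the original post, that clears only the disable and password-not-required bits and applies the result through ADSI. The function names Get-EnabledUac and Enable-AdsiUser and the pwdLastSet step are assumptions of this example.

```powershell
# Added example, not from the original post.
# userAccountControl is a bit field; values are the documented ADS_USER_FLAG constants.
$ACCOUNTDISABLE = 0x0002
$PASSWD_NOTREQD = 0x0020

# Hypothetical helper: return the value with only those two bits cleared.
function Get-EnabledUac {
    param([Parameter(Mandatory=$true)][int]$Current)
    $Current -band (-bnot ($ACCOUNTDISABLE -bor $PASSWD_NOTREQD))
}

# Hypothetical helper: set the password and enable one account through ADSI.
function Enable-AdsiUser {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $user = [adsi]"LDAP://$DistinguishedName"
    # SetPassword needs a string, so unwrap the secure string at the last moment
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList "userid", $Password
    $user.SetPassword($cred.GetNetworkCredential().Password)
    # Read the current flags and write back everything except the two cleared bits
    $user.userAccountControl = Get-EnabledUac -Current $user.userAccountControl.Value
    $user.Put("pwdLastSet", 0)   # assumption: make the user change the password at next logon
    $user.SetInfo()
}

# Constructed sample values: a disabled account, a disabled account with
# "password not required", and a disabled account with "password never expires".
foreach ($uac in 514, 546, 66050) {
    "{0,6} -> {1,6}" -f $uac, (Get-EnabledUac -Current $uac)
}

# Against a live domain (the post's sample user and OU):
# $pw = Read-Host "Enter Password" -AsSecureString
# Enable-AdsiUser -DistinguishedName "cn=UserD,OU=England,DC=Manticore,DC=org" -Password $pw
```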

Hopefully by now you can see why I prefer to use the cmdlets. However, working out how to do the task by script or the provider can enhance your knowledge of Active Directory’s general workings.
