how to validate default password policy when we adding new user in local user account creation using net user /add $username $password
I have validated the username existence with below command
$CheckUser=net user $UserName
if($CheckUser){
Write-OutPut "Username is already exists"
}
How would I check the password with default windows server password policy?
Related
I'm writing a PS script to change an AD account's password by:
grabbing current user password from a Key Vault
Create a PSCredential $credential using the user's username and password obtained from KV
Generate new password in plain text and convert to secure string $newpass
Running Set-ADAccountPassword:
Set-ADAccountPassword -Identity "testuser" -Reset -NewPassword $newpass -Credential $credential
This fails with "Set-ADAccountPassword: Access is denied". The $credential object contains the current user's credentials which are valid (I'm testing this in advance).
As I understand it users have SELF as able to change their own password, as they can just CTRL+ALT+DEL to reset it. In this case, this account is not allowed interactive logins (so I can't test in a PS terminal using RUNAS), and powershell would be an easy wait to change the password periodically.
Why am I getting access denied, and is there a way around this?
There are two types of password update operations natively supported by AD:
Password Reset
In this operation, permission to update the account password is granted to an administrative user who can then set it without having to know the existing password
Password Change
In this operation, the calling user supplies the existing password as an argument, this authenticating the change - this is what you want!
When you specific the -Reset switch parameter, Set-ADAccountPassword takes it to mean you want to perform a password reset.
To perform a password change instead:
Remove the -Reset switch
Pass the existing password value as an argument to the -OldPassword parameter
I am working on a PowerShell script that would run in a Task Scheduler.
The way I want it to work is:
Default value is set to force user to change password at next logon:
net user su /logonpasswordchg:yes
Now the code would be something like:
$password = Azerty123!
if $password is different from $password
switch password from "user must change password at next logon" to "Password never expires"
else leave value to change password at next logon
After multiple tests I figured that the 2 following values would need to be switched based on the current password
Set-LocalUser -Name "su" -PasswordNeverExpires:$true
Set-LocalUser -Name "su" -PasswordNeverExpires:$false
net user su /logonpasswordchg:yes
net user su /logonpasswordchg:no
Basically the script is deployed with Intune, creates a Task Scheduler, it would check the password value every day one per day, if the password has been changed, the password value is changed to never expire, as long as the password as never been changed, leave it as change password at next logon.
Can anyone help me on this ? sorry for my clumsy explanations
Alternative approach could be to change the password expiry setting globally on Windows system.
This will apply to all users and can be done prior specific user changed their password. It can be accomplished by running following command:
net accounts /maxpwage:0
Note: check comments section to the answer for in depth discussion of other approaches
I am trying to change password for my own account in AD using powershell. My account is just a regular account (no domain admin rights)
I tried net user, dsquery and powershell cmdlets, but all of them errors out "Access is denied". I think all of those requires admin rights.
Is there a way to change my own password using powershell or cmd ?
Why I am doing that?
We have 8 different AD domains and I have an account in each. With different password expiration policies it is very difficult to remember all the passwords. So I want to do a script that connects to each domain with my user account in that domain and changes the password. I'll repeat that for all the domains.
If you have the Active Directory PowerShell Module installed, this is a pretty easy task using Set-ADAccountPassword.
You can use the -Server parameter to supply a different Domain Controller name from each Domain to set the password on that Domain.
$DomainControllers = "Domain1DC","Domain2DC","Domain3DC"
$MyName = "MyUserName"
ForEach ($DomainController In $DomainControllers) {
Set-AdAccountPassword -Identity $MyName -Server $DomainController
}
Set-ADUserAccountPassword used this way will prompt you for the old password then the new password for each domain controller.
I have a script I'm writing that makes a connection to a SOAP service. After the connection is made, I need to pass in a the username/pass with every command I send. The problem I have is that when I use read-host to do this, my password is shown in cleartext and remains in the shell:
PS C:\Users\Egr> Read-Host "Enter Pass"
Enter Pass: MyPassword
MyPassword
If I hide it with -AsSecureString, the value can no longer be passed to the service because it is now a System.Security.SecureString object:
PS C:\Users\gross> Read-Host "Enter Pass" -AsSecureString
Enter Pass: **********
System.Security.SecureString
When I pass this, it does not work. I don't care about the passwords being passed to the service in cleartext, I just don't want them sticking around on a user's shell after they enter their password. Is it possible to hide the Read-Host input, but still have the password stored as cleartext? If not, is there a way I can pass the System.Security.SecureString object as cleartext?
Thanks
$Password is a Securestring, and this will return the plain text password.
[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
You can save the password(input) as a variable and pass it to your service. If the code is run in a script or as a function, the variable containing the password will be deleted after it's done(they are stored in a temp. local scope). If you run the commands in the console(or dot-source the script like . .\myscript.ps1), the password variable will stay in the session scope, and they will be stored until you delete it or close the session. If you want to be sure the variable is removed after your script is run, you can delete it yourself. Like this:
#Get password in cleartext and store in $password variable
$password = Read-Host "Enter Pass"
#run code that needs password stored in $password
#Delete password
Remove-Variable password
To read more about how variables are stored in scopes, check out about_Scopes
There is a way to do this in PowerShell versions 6.x+:
$password = read-host -maskinput "Enter password"
, thanks to jborean93 for pointing this out to me.
Is there a way to create a user in Windows XP via Batch Script and even assign it administrator/limited user value?
Suppose the username is rased and password is pAsS
net user rased pAsS /add
net localgroup administrators rased /add
here user is added under administrators group.
Yes, you can create a user by running net user USERNAME PASSWORD /add (omit the PASSWORD if you do not wish to have a password for this account, use * for PASSWORD to require the user to enter a password at run time). This creates a "limited user"; if you wish to make the new user an administrator, run net localgroup Administrators USERNAME /add after creating the user.