3 Replies Latest reply on Jul 6, 2011 12:07 PM by Milton Stamper

    Change/reset domain password & encryption

    Milton Stamper

      This might be less of a scripting question and more of a BL knowledge/Windows knowledge issue, but it has me stumped. I have a BLPackage that changes the local password below. I'm making sure the userid is unlocked before proceeding (net user /active:yes) with an external command. The second part of this first job is to change the password. I'm using a local user object set to modify and I've set the ??PASSWORD?? variable to an encrypted string (as well as setting the ??USER?? value to a simple string). You can see that the log entry says "Processing asset WINUSER." That is where the password change is actually taking place and no password string, encrypted or not, is ever entered in the log.


      Executing command: "net user [myusername] /active:yes"

      [stdout: 1]   C:\tmp\stage\2361b5d15d6032bfbf00578b96409736>chcp 1252  1>NUL   

      C:\tmp\stage\2361b5d15d6032bfbf00578b96409736>net user [myusername] /active:yes 

      The command completed successfully.    

      Processing asset WINUSER

      Apply Succeeded


      In this second instance, where I'm changing the domain password, there is no domain user object that I can put into the BLPackage the way I put the local user object into the local password change package. The following BLPackage works flawlessly using the external commands, but the password is passed to the script (and to this log and to the log on the server) unencrypted. You can see in the first command that the password is encrypted within the net user command when the variables are passed to the command, but the unencrypted value is shown in the logs.


      I'm obviously not passing my real username or password.


      Is it even possible to do what I'm attempting to do on the domain controllers in this manner, or am I going to have to go about it via scripting of some sort?


      The ability to run this is still held tightly within the system admin group, but we eventually want to hand over password resets/unlocks, etc. to the helpdesk group, and it would be an even greater security risk than it is now if they were able to see the cleartext passwords within the logs.


      Executing command: "net user [myusername] /active:yes /domain
      net user [myusername] *** /domain"

      [stdout: 2]   C:\tmp\stage\385383cda62e33f0853ab941a5b6c9ae>chcp 1252  1>NUL

      [stdout: 2]   C:\tmp\stage\385383cda62e33f0853ab941a5b6c9ae>net user [myusername] /active:yes /domain

      [stdout: 2] The command completed successfully.     

      C:\tmp\stage\385383cda62e33f0853ab941a5b6c9ae>net user [myusername] [mycleartextpassword] /domain

      [stdout: 2] The command completed successfully.   

      Apply Succeeded
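The scripted alternative the post asks about, as an added example that is not part of the original thread or of any BladeLogic product code: a PowerShell script that takes the new password on stdin instead of on the command line, so the secret never appears in the "Executing command:" line of the job log, in the staged .cmd file, or in process-creation auditing (Windows Security event 4688). The script name, the parameter names and the stdin convention are assumptions for this example; it assumes the ActiveDirectory module (RSAT) is installed on the host that runs it and that the caller has reset rights on the target account. Note that net user /active:yes enables a disabled account; clearing a lockout is a separate operation, and the script does both.

```powershell
# Added example (not from the original post). Reset and unlock a domain
# account without putting the cleartext password on the command line.
# Assumed usage from a BladeLogic external command or any caller:
#   Reset-DomainPassword.ps1 -SamAccountName jdoe  < password.txt
# Only "-SamAccountName jdoe" reaches the job log; the secret arrives on stdin.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Server        # optional: specific DC to target (assumed parameter)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Read exactly one line from stdin and convert it to a SecureString right away.
$plain = [Console]::In.ReadLine()
if ([string]::IsNullOrWhiteSpace($plain)) {
    throw "No password supplied on stdin; refusing to reset $SamAccountName."
}
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$plain  = $null   # drop the plaintext reference as early as possible

$adArgs = @{ Identity = $SamAccountName }
if ($Server) { $adArgs.Server = $Server }

# Equivalent of "net user <user> /active:yes /domain" (enable) plus clearing a
# lockout, then the password reset. -Reset sets the password administratively
# without requiring the old one.
Enable-ADAccount @adArgs
Unlock-ADAccount @adArgs
Set-ADAccountPassword @adArgs -NewPassword $secure -Reset

# Log only what is safe to log: never the password, even encrypted.
Write-Output ("Password reset and account enabled/unlocked for {0}" -f $SamAccountName)
```

Because the password travels on stdin, the value that BladeLogic substitutes for ??PASSWORD?? must be written to the script's input rather than interpolated into the command string; if the tooling can only interpolate into a command line, the same idea can be applied by having the wrapper pipe the value in (echo ??PASSWORD?? | powershell -File ...), but then the wrapper's own line is still what gets logged, so the stdin approach only helps when the job logs the outer command and not the wrapper's internals.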