The free self service password reset guide is one of the coolest projects that we’ve covered. This easy task allows your users to securely reset their passwords and unlock their accounts! Best of all, users reset their password by text message. No need for extra hardware.
A few readers have asked for a Quest AD cmdlet version of this script that can be run at any domain functional level. Below is a modified script that uses only the Quest AD cmdlets. If you haven't set up self service password resets yet, take 30 minutes and do it now!
At the top of the script, we have a configuration block. This block contains every variable that you will need to set for your domain. You will need a dedicated account with an email address. This account corresponds with your users, so a strong password is recommended. Be sure to replace DOMAIN or DOMAIN.com with your domain name.
Next, you’ll need to download the Exchange Webservices tool and install it on the machine that will be running this script. That tool can be downloaded here. The script will reference that assembly.
The final configuration that you need to do is to edit the line containing Exchange2007_SP1. Change the value to your Exchange Server version. This should work on Exchange 2007, 2010, and 2013.
Save the script and set it up as a scheduled task. Every time it runs, it will check the inbox of the ResetUser account. If a new message appears, it will extract the phone number from the sender address and query AD for a user whose mobile attribute matches it. If that phone number is found, it will reset that user's password, unlock the account, and email the updated password back to the sender.
And if you need an easy way to register the mobile number for your users, this self service Active Directory attribute editor walkthrough will help you out. If you have any questions at all, leave a comment below!
```powershell
#Import Module
Add-PSSnapin Quest.ActiveRoles.ADManagement

#Configuration Block
$SmtpServer = "MAIL.DOMAIN.COM"
$ResetEmail = "reset@DOMAIN.COM"
$Username = "ResetUser"
$Password = "ResetPassword"
$Domain = "Domain"
$MailServer = "https://mail.DOMAIN.com/ews/exchange.asmx"

#Download for file is here: http://www.microsoft.com/en-us/download/details.aspx?id=35371
[Reflection.Assembly]::LoadFile("C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll")

function Create-RandomString() {
    # Character set omits easily confused glyphs (l, o, 0, 1, O). The original list
    # had a duplicate "b" where "B" belonged; corrected here.
    $aChars = @()
    $aChars = "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "m", "n", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z",
              "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z",
              "2", "3", "4", "5", "6", "7", "8", "9"
    [int]$intUpperLimit = 10
    $x = 0
    $strString = ""
    while ($x -lt $intUpperLimit) {
        # -maximum is exclusive, so use the array length rather than the upper bound
        # (the original never selected the last character in the list)
        $a = Get-Random -minimum 0 -maximum $aChars.Length
        $strString += $aChars[$a]
        $x += 1
    }
    return $strString
}

# Connect to the ResetUser mailbox over Exchange Web Services
$email = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$email.Credentials = New-Object Net.NetworkCredential($Username, $Password, $Domain)
$uri = [System.Uri] $MailServer
$email.Url = $uri
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($email, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

if ($inbox.UnreadCount -gt 0) {
    $PropertySet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
    $PropertySet.RequestedBodyType = [Microsoft.Exchange.WebServices.Data.BodyType]::Text

    # Set search criteria - unread only
    $SearchForUnRead = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::IsRead, $false)
    $items = $inbox.FindItems($SearchForUnRead, 10) #return only 10 unread mail items

    foreach ($item in $items.Items) {
        # load the property set to allow us to view the body
        $item.Load($PropertySet)
        if ($item.Body.Text -Like "*") {
            # SMS-to-email gateways put the phone number in the local part of the sender address
            $Phone = $item.From.Address
            $Phone = $item.From.Address.Substring(0, $Phone.IndexOf("@"))
            $user = Get-QADUser -MobilePhone $Phone
            if ($user -ne $null) {
                $PW = Create-RandomString
                if ($PW.Length -gt 6) {
                    Set-QADUser -Identity $user.SamAccountName -UserPassword $PW
                    Unlock-QADUser -Identity $user.SamAccountName
                    # Confirm the reset actually happened before telling the user
                    $PasswordAge = (Get-QADUser $user | Select-Object PasswordLastSet)
                    if ($PasswordAge.PasswordLastSet -ge (Get-Date).AddMinutes(-1)) {
                        $Body = "Password reset for " + $user.SamAccountName + " - " + $user.DistinguishedName
                        Send-MailMessage -To YOUREMAIL@domain.com -From $ResetEmail -Subject "Password Reset" -Body $Body -SmtpServer $SmtpServer
                        Send-MailMessage -To $item.From.Address -From $ResetEmail -Subject " " -Body "Your password is now $PW. When at work, press CTRL + ALT + Delete to change your password." -SmtpServer $SmtpServer
                    }
                }
            }
            else {
                Send-MailMessage -To YOUREMAIL@domain.com -From $ResetEmail -Subject "Invalid Phone number" -Body "Phone number $Phone not found" -SmtpServer $SmtpServer
                Send-MailMessage -To $item.From.Address -From $ResetEmail -Subject " " -Body "Your phone number was not found. Please submit a technology request." -SmtpServer $SmtpServer
            }
        }
        # Mark the message read so it is not processed again on the next run
        $item.IsRead = $true
        $item.Update([Microsoft.Exchange.WebServices.Data.ConflictResolutionMode]::AlwaysOverwrite)
    }
}
```
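The script above trusts whatever lands in the ResetUser inbox: the phone number is taken straight from the sender address, the AD lookup is assumed to return exactly one account, and the password comes from Get-Random, which is not a cryptographic generator. The following helper functions are an added example, not part of the original script, showing how a practitioner would tighten those three points before wiring them into the reset loop. They assume the Quest snap-in is loaded and that Get-QADUser, Set-QADUser and Unlock-QADUser behave as used on the page; the function names, the $AllowedGatewayDomains list and the sample address are constructed for illustration.

```powershell
# Added example (not the original script). Assumes the Quest AD cmdlets are loaded.

function ConvertTo-PhoneFromSender {
    # Extract the phone number from an SMS gateway sender address, accepting only
    # senders from domains you have explicitly approved (constructed list below).
    param(
        [Parameter(Mandatory)][string]$Address,
        [string[]]$AllowedGatewayDomains = @("sms.example-carrier.invalid")  # placeholder
    )
    $parts = $Address.Split("@")
    if ($parts.Count -ne 2) { return $null }
    $local = $parts[0]
    $senderDomain = $parts[1].ToLower()
    if ($AllowedGatewayDomains -notcontains $senderDomain) {
        Write-Warning "Sender domain '$senderDomain' is not an approved SMS gateway; ignoring"
        return $null
    }
    # Keep digits only so "+1 (555) 010-0100" and "15550100100" compare equal
    $digits = $local -replace "[^0-9]", ""
    if ($digits.Length -lt 10 -or $digits.Length -gt 15) { return $null }
    return $digits
}

function Find-UserByMobile {
    # Require exactly one AD account with this mobile number; a duplicate attribute
    # would otherwise make Set-QADUser receive an array instead of one user.
    param([Parameter(Mandatory)][string]$Phone)
    $found = @(Get-QADUser -MobilePhone $Phone)
    if ($found.Count -eq 0) {
        Write-Warning "No account has mobile number $Phone"
        return $null
    }
    if ($found.Count -gt 1) {
        Write-Warning ("Mobile number $Phone is set on {0} accounts; refusing to reset" -f $found.Count)
        return $null
    }
    return $found[0]
}

function New-RandomPassword {
    # Same ambiguity-free alphabet as Create-RandomString, but drawn from the OS
    # CSPRNG with rejection sampling so every character is equally likely.
    param([int]$Length = 12)
    $chars = "abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ23456789".ToCharArray()
    $limit = 256 - (256 % $chars.Length)   # reject bytes at or above this to avoid modulo bias
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            [void]$sb.Append($chars[$buffer[0] % $chars.Length])
        }
    }
    return $sb.ToString()
}

function Invoke-MobilePasswordReset {
    # Glue the checks together; returns the new password on success, $null otherwise.
    param([Parameter(Mandatory)][string]$SenderAddress)
    $phone = ConvertTo-PhoneFromSender -Address $SenderAddress
    if (-not $phone) { return $null }
    $user = Find-UserByMobile -Phone $phone
    if (-not $user) { return $null }
    $pw = New-RandomPassword
    Set-QADUser -Identity $user.SamAccountName -UserPassword $pw
    Unlock-QADUser -Identity $user.SamAccountName
    # Audit trail without the secret: who was reset, from which sender, and when
    Write-Output ("{0} reset {1} via sender {2}" -f (Get-Date -Format o), $user.SamAccountName, $SenderAddress)
    return $pw
}

# Constructed sample address; in the loop above this would be $item.From.Address
$newPassword = Invoke-MobilePasswordReset -SenderAddress "15550100100@sms.example-carrier.invalid"
```

In the reset loop, replace the `$Phone`/`$user`/`Create-RandomString` lines with a single call to Invoke-MobilePasswordReset and send the mail only when it returns a value; a null return already means the request was logged and refused.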
Hi
Thanks for the above information. Can users see an option for password reset and unlock account on the login screen of the computer?
I am looking for a self password reset and unlock account solution where users can see this option on the login screen of their computers, and they should also be able to reset the password when they are working from home through a website.
Thanks
Sam.
Sorry Sam – this script doesn’t change the logon GUI. Specops Password Reset does but it is not free.