Showing posts with label account. Show all posts
Showing posts with label account. Show all posts

Tuesday, November 25, 2014

Resize User Photos and Import them into Active Directory Accounts


Resize User Photos and Import them into Active Directory Accounts using PowerShell and ImageMagick.

This script looks in a specified path for photos named with the EmployeeID attribute of the users in a specified OU, resizes the images to the correct size and then writes the images into the thubnailPhoto attribute of the users Active Directory account.

As always, no responsibility is accepted for it's use.

 param([string]$searchbase , [string]$imagepath)  
 #Import the ActiveDirectory PowerShell module  
 import-module ActiveDirectory  
 #Check for Mandatory Parameters  
 if (!$searchbase)  
      {  
      write-output 'Usage: ADImages {searchbase} {imagepath}'  
      write-output 'eg. ADImages "OU=Staff,OU=Users,DC=orgname,DC=com,DC=au" \\fileserver\Userimages'  
      exit  
      }  
 if (!$imagepath)  
      {  
      write-output 'Usage: ADImages {searchbase} {imagepath}'  
      write-output 'eg. ADImages "OU=Staff,OU=Users,DC=orgname,DC=com,DC=au" \\fileserver\Userimages'  
      exit  
      }  
 #Check if the Searchbase exists  
 $OUCheck = [adsi]::Exists("LDAP://$($searchbase)")  
 if ($OUCheck -eq "True")   
      {  
      write-output "Found Searchbase $($searchbase)"  
      }  
 else  
      {  
      write-output "Searchbase $($searchbase) not found"  
      exit  
      }  
 #Check that the Image Path exists  
 $ImageCheck = Test-Path $imagepath  
 if ($ImageCheck -eq "True")  
      {  
      write-output "Found Image Path $($imagepath)"  
      }  
 else  
      {  
      write-output "Image Path $($imagepath) not found"  
      exit  
      }  
 #Check for the ImageMagick Conversion Tool  
 $ToolCheck = Test-Path ".\ImageMagick\convert.exe"  
 if ($ToolCheck -eq "True")  
      {  
      write-output "ImageMagick tool found"  
      }  
 else  
      {  
      write-output "ImageMagick tool not found. Download from http://www.imagemagick.org/"  
      exit  
      }  
 #Create the Thumbnail directory if it doesn't exist  
 $DirCheck = Test-Path ".\ADThumbs"  
 if ($DirCheck -eq "True")  
      {  
      write-output "Thumbnail directory already exists"  
      }  
 else  
      {  
      write-output "Creating Thumbnail directory"  
      New-Item -ItemType directory -Path .\ADThumbs  
      }  
 #Get an array of users from the Searchbase  
 $UserList = Get-ADUser -Filter * -SearchBase $searchbase  
 Foreach ($User in $UserList)  
      {  
      #Get the EmployeeID Attribute  
      $EmpID = Get-ADUser -Filter * -SearchBase $User -Properties employeeID | select -expand employeeID  
      write-host "Looking for Employee Photo for User $($User) with ID $($EmpID)"  
      #Tests to see if the UserImages file exists  
      $FileCheck = Test-Path "$($imagepath)\$($EmpID).jpg"  
      if ($FileCheck -eq "True")   
           {  
           #Retrieves JPG files of the target user from the UserImages share  
           $jpgfile = "$($imagepath)\$($EmpID).jpg"  
           $newjpgfileName = ".\ADThumbs\$($EmpID)-AD.jpg"  
           write-output "Scaling $($jpgfile) to $($newjpgfileName)"  
           .\ImageMagick\convert $jpgfile -thumbnail 96 -gravity center -crop 96x96+0-15 +repage -strip $newjpgfileName   
           #Write the thumbnail photo back to the AD user Account  
           $photo = [byte[]](Get-Content $newjpgfileName -Encoding byte)  
           Set-ADUser $User -Replace @{thumbnailPhoto=$photo}  
           }  
      else  
           {  
           #User Image file not found  
           write-output "Employee ID $($EmpID) not found in $($imagepath)"  
           }  
      }
Posted by Sean Bradley at 9:24 PM 0 comments
Labels: , ,

Monday, October 17, 2011

Enumerating Indirect Group Memberships

A colleague asked me yesterday if I knew how to get a list of all direct AND indirect group memberships that a user had. He wanted to use this to estimate the Kerberos token size for users with large numbers of group memberships as this can cause access problems if it exceeds set limits.

I vaguely remembered that I had something like this in a script I wrote to enumerate the members of a group both directly and indirectly. It uses the functionality of the Remote Server Administration Tools. There's also a hotfix to correct the output. I dug out the script and revised it to provide what he required.

In its simplest form, the command to run is:


dsget user <fulldn> -memberof -expand

For example:

dsget user "CN=testuser,OU=Staff,DC=company,DC=com" -memberof -expand

This will provide a list of group memberships in fulldn format. To simplify it to SAM group names you can pipe the output to another dsget command for the groups:

dsget user <fulldn> -memberof -expand | dsget group -samid

You can also simplify the input if you pipe in the dsquery command for the user:

dsquery user -samid <samid> | dsget user -memberof -expand | dsget group -samid

For example:

dsquery user -samid testuser | dsget user -memberof -expand | dsget group -samid 


Edit: You can use the same technique to list the members of a group:
dsquery group -samid <Groupname> | dsget group -members | dsget user -samid -fn -ln
Also, be wary of pasting one of these command strings in Outlook, as it has the tendency to automatically change hyphens to the longer "dash", which is an invalid character if you copy it out of Outlook and paste it to the command prompt.

Posted by Sean Bradley at 10:34 PM 0 comments
Labels: ,

Thursday, September 30, 2010

Reset Passwords for all User Accounts in an OU

I realise that there's plenty of scripts floating around the net that already do this, but for me this was simply an exercise.

Note: I haven't gotten around to testing it yet.


' PasswordReset.vbs
' Resets all passwords within an AD Container
' Version 1.0
' 27 September 2010


Option Explicit
Dim objRootDSE, objOU, objUser
Dim strTargetOU, strForceReset, strEnAcct, strDNSDomain, strNewPass
Dim intCounter, intUACval, intPWLval


' Change strTargetOU to location of user accounts
strTargetOU = "MyContainer"


' Change strNewPass to the new password
strNewPass = "Password123"


' Change strForceReset to "Yes" in order to force users to reset passwords
strForceReset = "No"


' Change strEnAcct to "Yes" in order to enable disabled accounts
strEnAcct = "No"


' Int Values 
' See Microsoft KB305144 for UserAccountControl values
' Setting PwdLastSet value to 0 forces password reset
intUACval = 544
intPWLval = 0
intCounter = 0


Set objRootDSE = GetObject("LDAP://RootDSE") 
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strTargetOU = "OU=" & strTargetOU & ", " & strDNSDomain
set objOU =GetObject("LDAP://" & strTargetOU )


For each objUser in objOU
If objUser.class="user" then
objUser.SetPassword strNewPass
objUser.SetInfo


If strForceReset="Yes"
objUser.Put "pwdLastSet", intPWLval
objUser.SetInfo
End if
If strEnAcct="Yes"
objUser.Put "userAccountControl", intUACval
objUser.SetInfo
End if


intCounter = intCounter +1
End if
Next


WScript.Echo "New Password: " & strNewPass & vbCr & "Accounts changed: " & intCounter _
  & vbCr & "Password Change Forced: " & strForceReset & vbCr & "Disabled Accounts Enabled: " & strEnAcct
  


Posted by Sean Bradley at 4:26 PM 0 comments
Labels: , , ,

Thursday, January 28, 2010

Move and Disable Stale Computer Accounts

I started to write a script today to relocate and disable computer accounts that have an old PwdLastSet attribute. Before I got very far, I discovered that Richard Mueller of Hilltop Lab had already done quite an effective job of scripting this very task and has made the effort to refine it a few times too.

The script can be found at http://www.rlmueller.net/Programs/MoveOldComputers.txt

I modified it a little to suit my own purposes, but his script certainly got me 90% of the way there. Thanks for saving me the effort Richard!

Cheers,
Sean
Posted by Sean Bradley at 5:02 PM 1 comments
Labels: , , ,

Sunday, November 15, 2009

Local Account Manipulation

I had a request the other day from someone who knows some of my work. He had seen my scripts for manipulating local accounts on machines but couldn't make sense of them. (This was essentially because he was only seeing half of the system.) He asked if I could explain them in my blog, so here goes...

There are many different methods for manipulating local accounts on machines. Some companies make a profit from selling software that will go and talk to all of the machines and change passwords, accounts, group memberships, etc. Surprisingly, Microsoft has not yet integrated any system for easy management of local computer accounts into their own domain management systems. (Edit: Of course Microsoft has finally done something about this and you can now use Group Policy Preferences to manage local accounts quite easily. I thoroughly recommend using Group Policy instead of the method described here!)

Anyway, one way to achieve this is to use the Group Policy system. Computers run the Computer Startup Scripts with system administrative rights (Computer Configuration / Windows Settings / Scripts / Startup.) This enables the savvy administrator to run a script that can be used to manipulate local accounts.

What about the fact that the passwords may be exposed in the script? Some administrators will suggest that you do it in VBScript and then encrypt it. This is not a good idea because it is far too easy to decrypt these files. IMHO, it is much better to let Microsofts domain security protect it for you. (I can't believe I just said that. Scary but true!)

You can place these 'scriptlets' below in your scripts folder and pass the required parameters to them from your GPO. You secure your GPO by removing Authenticated Users from having read and apply group policies rights and giving Domain Computers read and apply group policy rights. Using this method, the users cannot see the new passwords, but the computers which are running the scripts can.

There is a caveat. The computers have to be processing group policies in order to run the scripts. This may be prevented by slow link detection, the behaviour of which can be modified. It may also not be processed by computers coming into the network by remote access. A user logging into the computer by remote access can process the scripts, but a user logging into your VPN or dial-up after logging in the computer using cached credentials will not process the scripts.

IDCHPASS.BAT: Used to Change a local user identity password.

@ECHO OFF
REM USAGE: IDCHPASS username newpassword
NET USER %1 %2

IDCREATE.BAT: Used to create a local identity.
@ECHO OFF
REM USAGE: IDCREATE username password
NET USER %1 %2 /ADD

IDDELETE.BAT: Used to delete a local identity.

@ECHO OFF
REM USAGE: IDDELETE username
NET USER %1 /DELETE
IDENABLE.BAT: Used to enable or disable a local identity.

@ECHO OFF
REM USAGE: IDENABLE username YES\NO
NET USER %1 /ACTIVE:%2

IDGROUP.BAT: Used to change the group membership of a local identity, or to create or delete local groups.

@ECHO OFF
REM USAGE: IDGROUP group ADD\DELETE username
REM USERNAME IS ADDED TO OR DELETED FROM GROUP
REM USERNAME CAN BE LEFT OFF TO ADD OR DELETE GROUPS
NET LOCALGROUP %1 %3 /%2


A shoutout goes to ripvankip for giving me something to write about! ;)

Sean
Posted by Sean Bradley at 4:53 PM 0 comments
Labels: , , , ,
Subscribe to: Posts (Atom)