
Is it possible to change multiple users' Active Directory passwords at once? Can I make a list of usernames and give them all the same password at once like below? Or is something like this not possible?

<cfset usernames = 'Sta1, Sta2, Sta3, Sta4, Sta5'>
<cfset password = 'newpassword17!'>

<cfloop list="#usernames#" index="username">
<cfexecute
    name="c:\windows\system32\cmd.exe"
    arguments="/c net user #username# #password# /domain"
    outputfile="C:\Users\administrator\Desktop\test.txt"
    timeout="90">
</cfexecute>
</cfloop>
David Brierton
  • Put the cfexecute inside a loop of the list of names. – Dan Bracuk Feb 15 '17 at 14:57
  • @DanBracuk like this? (above) – David Brierton Feb 15 '17 at 15:09
  • Looks good in theory. What happened when you tried it? Oops, the spaces after the commas have to go away. – Dan Bracuk Feb 15 '17 at 15:29
  • Don't have permissions, I'm still trying to figure out that portion unfortunately :(. Only works when I'm on the server on the command prompt http://stackoverflow.com/questions/42234407/cfexecute-assigning-it-to-run-with-administrator-rights – David Brierton Feb 15 '17 at 15:31
  • I know that the OP is using ColdFusion (which I use a lot as well) but this task might work better as a PowerShell script. – Scott Jibben Feb 15 '17 at 20:38
  • @ScottJibben Do you have an example I could see? – David Brierton Feb 15 '17 at 20:42
  • In regards to "permissions"; the ColdFusion App Server usually runs as a "Local System Account" on Windows servers. You may have to create a special user account to run this service under in order to have the permissions that you desire. There are a few guides out there for CF security for doing this but most of them are for granting limited rights for security purposes. Search for "ColdFusion Server Lockdown Guide by Pete Freitag" for more info. – Scott Jibben Feb 15 '17 at 20:47
  • @DavidBrierton Here is the PowerShell function that you'd use to set an AD User password: https://technet.microsoft.com/en-us/library/ee617261.aspx. A PowerShell script would be very similar to the code that you already have. If you'd like a sample script as an answer, let me know. – Scott Jibben Feb 15 '17 at 20:53
  • Yea, can you submit a sample with my code as an answer so I can see how PowerShell works? – David Brierton Feb 15 '17 at 21:00

1 Answer

The OP was looking at a ColdFusion solution but did request this PowerShell example in the comments. So, please don't give negative ratings because this does not match the OP request.

@DavidBrierton, please add the PowerShell tag to your question so others may find this answer.

Note that this PowerShell script is for a modern implementation of PowerShell. I tested it on PowerShell 5.1 but it will probably work on older versions of PowerShell. The "install RSAT-AD-PowerShell feature" line might need to be tweaked if you are using an older Windows Server. I included a URL for install instructions from Windows 7 through Windows 2012 R2 if it is needed.

Another Note: PowerShell upgrades are free and you can upgrade to version 5.1 by getting the software here: https://www.microsoft.com/en-us/download/details.aspx?id=54616

The first line of code in this sample will display your installed version of PowerShell.

#display your version of PowerShell
$PSVersionTable.PSVersion

#install the RSAT-AD-PowerShell feature on Windows Server 2012 R2
#Source: https://4sysops.com/archives/how-to-install-the-powershell-active-directory-module/
Add-WindowsFeature RSAT-AD-PowerShell

# create array of usernames
$arrUserNames = @("Sta1", "Sta2", "Sta3", "Sta4", "Sta5")

# assign variable with new password
$password = "newpassword17!"

# loop over usernames and assign a new password
$arrUserNames | ForEach-Object {
    Write-Host "Changing password for: $_"
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force)
}
Scott Jibben
  • 1
    The programming language is not nearly as relevant as the lack of permission. – Dan Bracuk Feb 16 '17 at 12:07
  • 1
    Yes, the root problem was with permissions (and I did provide a link on how to address that), but you have to ask... Should the ColdFusion App Server have that many security rights? If ColdFusion is hacked (or abused internally), aren't you opening the door for further abuse/exploits? Microsoft PowerShell has been developed to automate these kinds of tasks. This task could have been developed using SQL Server with xp_cmdshell. Would it work? Yes. Good idea? Probably not. – Scott Jibben Feb 16 '17 at 23:04
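
A variant of the answer's loop, added here as an example (not code from the answer or its author): it prompts for the new password instead of storing it in the script, reports a result per user, and forces a change at next logon because every account receives the same value. The function name `Reset-AdPasswordBatch` is an assumption; the script needs the ActiveDirectory module and must run under an account that has been delegated the right to reset these users' passwords.

```powershell
#Requires -Modules ActiveDirectory

function Reset-AdPasswordBatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $UserName,

        [Parameter(Mandatory = $true)]
        [System.Security.SecureString] $NewPassword
    )

    foreach ($name in $UserName) {
        # Trim stray whitespace (e.g. from a "Sta1, Sta2" style list)
        $id = $name.Trim()
        if (-not $id) { continue }
        $status = 'Skipped'   # stays 'Skipped' when -WhatIf is used

        try {
            if ($PSCmdlet.ShouldProcess($id, 'Reset password')) {
                Set-ADAccountPassword -Identity $id -Reset -NewPassword $NewPassword -ErrorAction Stop
                # Shared temporary password: make each user replace it at next logon
                Set-ADUser -Identity $id -ChangePasswordAtLogon $true -ErrorAction Stop
                $status = 'Reset'
            }
        }
        catch {
            # Unknown user, access denied, password policy violation, ...
            # If Set-ADUser failed, the reset itself may already have succeeded.
            $status = "Failed: $($_.Exception.Message)"
        }

        # One result object per user; the password is never written out
        [pscustomobject]@{ UserName = $id; Status = $status }
    }
}

# Usernames from the question (sample values)
$users = 'Sta1', 'Sta2', 'Sta3', 'Sta4', 'Sta5'

# Prompt for the password so it is not stored in the script or in shell history
$securePassword = Read-Host -Prompt 'New temporary password' -AsSecureString

# Dry run first with -WhatIf, then run for real and review the result table
Reset-AdPasswordBatch -UserName $users -NewPassword $securePassword -WhatIf
Reset-AdPasswordBatch -UserName $users -NewPassword $securePassword | Format-Table -AutoSize
```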