 AD Admin Accounts Password Monitoring and Control - Compliance with SOX/FIT Requirement

Author Message
jeferson.propheta

  • Total Posts : 21
  • Scores: 0
  • Reward points : 0
  • Joined: 8/28/2007
  • Status: offline
AD Admin Accounts Password Monitoring and Control - Compliance with SOX/FIT Requirement Thursday, September 02, 2010 6:11 AM (permalink)
'******************************************************************************
'* Set Admin Account to Expire                                                *
'* written by: Jeferson Propheta                                              *
'******************************************************************************
'* Last Update 09/02/2010 - Jeferson Propheta                                 *
'******************************************************************************
'* Script Functions:                                                          *
'*    - Retrieve Users From LDAP Connection                                   *
'*    - Notify User for Expiration                                            *
'*    - Set Account to Expire                                                 *
'*    - Disable Account                                                       *
'******************************************************************************
'ON ERROR RESUME NEXT
Const ForWriting = 2
Const ADS_UF_ACCOUNTDISABLE = 2
'******************************************************************************
'* Distinguished Container Name                                               *
'******************************************************************************
strContainer = "OU=Accounts,OU=AD Admins,"
'******************************************************************************
'* Email Settings and HTML Styles                                             *
'******************************************************************************
Set SMTPMail = CreateObject("CDO.Message")
SMTPMail.From = "ActiveDirectorySecurityNotification@yourcompany.com"
SMTPMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
SMTPMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtpRelayServer.yourcompany.com"
SMTPMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
SMTPMail.Configuration.Fields.Update
strAdminMail = "Jeferson.Propheta@yourcompany.com, Scott.Mikesell@yourcompany.com"
' Font and rule tags used in the HTML body (doubled quotes replace the Chr(34) calls)
strFontRed   = "<font face=""Tahoma"" style=""font-size: 8pt"" color=""#FF0000"">"
strFontBlack = "<font face=""Tahoma"" style=""font-size: 8pt"" color=""#000000"">"
strFontSmall = "<font face=""Tahoma"" style=""font-size: 7pt"" color=""#000000"">"
strHRBlack   = "<hr width=""100%"" size=""1"" align=""right"" color=""black"" noshade><br>"
strHRGray    = "<hr width=""100%"" size=""1"" align=""right"" color=""gray"" noshade><br>"
'******************************************************************************
'* LDAP Connection Root plus Distinguished Container Name                     *
'******************************************************************************
Set objRoot   = GetObject("LDAP://RootDSE")
strDNC        = objRoot.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strContainer & strDNC)
'******************************************************************************
'* Main Call                                                                  *
'******************************************************************************
Call enumMembers(objDomain)
Set SMTPMail = Nothing
'******************************************************************************
'* Helper Functions                                                           *
'******************************************************************************
' Read an LDAP attribute; ADSI raises an error for attributes that are not set,
' so return "" instead of aborting the whole run on the first user without one.
Function GetProp(objADs, strName)
    GetProp = ""
    On Error Resume Next
    GetProp = objADs.Get(strName)
    If Err.Number <> 0 Then GetProp = ""
    On Error GoTo 0
End Function
' Mail address of the user's manager, or "" when the manager is unset or unreadable
Function GetManagerMail(strManagerDN)
    GetManagerMail = ""
    If strManagerDN <> "" Then
        On Error Resume Next
        Set objUserManager = GetObject("LDAP://" & strManagerDN)
        If Err.Number = 0 Then GetManagerMail = GetProp(objUserManager, "mail")
        On Error GoTo 0
    End If
End Function
' Join two address lists without leaving a dangling ", " when one of them is empty
Function JoinAddr(strA, strB)
    If strA = "" Then
        JoinAddr = strB
    ElseIf strB = "" Then
        JoinAddr = strA
    Else
        JoinAddr = strA & ", " & strB
    End If
End Function
'******************************************************************************
'* Sub to Retrieve User Information                                           *
'******************************************************************************
Sub enumMembers(objDomain)
'******************************************************************************
'* Going Through the Collection                                               *
'******************************************************************************
For Each objMember In objDomain
'******************************************************************************
'* If not User object, move on                                                *
'******************************************************************************
If objMember.Class = "user" Then
'******************************************************************************
'* Users Information Collection                                               *
'******************************************************************************
    SamAccountName    = GetProp(objMember, "samAccountName")
    DisplayName       = GetProp(objMember, "displayName")
    EmailAddr         = GetProp(objMember, "mail")
    UserDN            = GetProp(objMember, "distinguishedName")
    Office            = GetProp(objMember, "physicalDeliveryOfficeName")
    description       = GetProp(objMember, "description")
    whenCreated       = GetProp(objMember, "whenCreated")
    whenChanged       = GetProp(objMember, "whenChanged")
    logonCount        = GetProp(objMember, "logonCount")
    ManagerDN         = GetProp(objMember, "manager")
    AccountisDisabled = objMember.AccountDisabled
    ' PasswordLastChanged raises an error when pwdLastSet is 0 (change already forced)
    PassLastSet = ""
    On Error Resume Next
    PassLastSet = objMember.PasswordLastChanged
    On Error GoTo 0
    ' Already disabled or already forced: stay at 0 days so nothing is done below
    If AccountisDisabled Or PassLastSet = "" Then
        strDaystoChange = 0
    Else
        strDaystoChange = DateDiff("d", PassLastSet, Now())
    End If
    strDaysRemaing = 30 - strDaystoChange
    strSetChange   = False
    strDisable     = False
    stradtMessage  = ""
    strRecipient   = ""
    ManagerMail    = ""

'******************************************************************************
'* Conditions for Account Management and Notification                         *
'*    Start Notification with 25 Days                                         *
'*    Force Account to Change Password and Notify Admins with 30 Days         *
'*    Disable Account and Notify Both Admins and User's Manager with 40 Days  *
'******************************************************************************
    ' DateDiff returns a number, so compare against numbers: in VBScript a number
    ' compared with a string such as "25" is never greater or equal, so string
    ' comparisons here would silently match nothing.
    If strDaystoChange > 25 Then
        Select Case strDaystoChange
            Case 30
                strSetChange = True
                strRecipient = strAdminMail
            Case 40
                ManagerMail  = GetManagerMail(ManagerDN)
                strRecipient = JoinAddr(strAdminMail, ManagerMail)
                strDisable   = True
        End Select

        If strDaystoChange > 31 And strDaystoChange < 40 Then
            ManagerMail  = GetManagerMail(ManagerDN)
            strRecipient = JoinAddr(strAdminMail, ManagerMail)
        End If
'******************************************************************************
'* In Case Account Mail is Null Notify Admins                                 *
'******************************************************************************
        If EmailAddr = "" Then
            strRecipient = strAdminMail
        End If
'******************************************************************************
'* Set Password to Expire and Build New Mail Body Message                     *
'******************************************************************************
        If strSetChange Then
            stradtMessage = strFontRed & "<h5><b>Your Account has been Set to Expire, please change your password</b></h5><br><br>"
            Set objUser = GetObject("LDAP://" & UserDN)
            objUser.Put "pwdLastSet", 0
            objUser.SetInfo
        End If
'******************************************************************************
'* Disable Account and Build New Mail Body Message                            *
'******************************************************************************
        If strDisable Then
            stradtMessage = strFontRed & "<h5><b>Your Account has been Disabled due to password expiration, please contact your Active Directory Administrator</b></h5><br><br>"
            Set objUser = GetObject("LDAP://" & UserDN)
            intUAC = objUser.Get("userAccountControl")
            objUser.Put "userAccountControl", intUAC Or ADS_UF_ACCOUNTDISABLE
            objUser.Put "wWWHomePage", "Disabled by Users Password Review - " & Now()
            objUser.SetInfo
        End If
'******************************************************************************
'* Writing E-mail Subject                                                     *
'******************************************************************************
        If strSetChange Then
            SMTPMail.Subject = "Active Directory Security Notification - Account was set to Change Password"
        ElseIf strDisable Then
            SMTPMail.Subject = "Active Directory Security Notification - Your OU Admin Account has been Disabled"
        Else
            SMTPMail.Subject = "Active Directory Security Notification - Password Expiration Days Remaining " & strDaysRemaing & "."
        End If
'******************************************************************************
'* Writing E-mail Body                                                        *
'******************************************************************************
        Message = stradtMessage
        Message = Message & strFontBlack
        Message = Message & "<strong>Active Directory Security Notification</strong> - " & FormatDateTime(Now(), 1) & " " & FormatDateTime(Now(), 3) & "<br><br><br>"
        Message = Message & strFontBlack
        Message = Message & "User: <b>" & UCase(SamAccountName) & " </b>Last Password Change: " & PassLastSet & ".<br>"
        If Not strSetChange And Not strDisable Then
            Message = Message & "Your Password will expire in : " & strFontRed & strDaysRemaing & " days.<br><br><br>"
        Else
            Message = Message & "<br><br>"
        End If
        Message = Message & strFontBlack
        Message = Message & strHRBlack
        Message = Message & "<u>Account information</u><br>"
        Message = Message & "User: <b>" & DisplayName & "</b><br>"
        Message = Message & "Description: <b>" & description & "</b><br>"
        Message = Message & "Email: <b>" & EmailAddr & "</b><br>"
        Message = Message & "UserDN: <b>" & UserDN & "</b><br>"
        Message = Message & "Logon Count: <b>" & logonCount & "</b><br>"
        Message = Message & "When Created: <b>" & whenCreated & "</b><br>"
        Message = Message & "When Changed: <b>" & whenChanged & "</b><br><br>"
        Message = Message & strHRGray
        Message = Message & "<h6>Active Directory Global Team - Admin Password Expiration Script version 0.99</h6><br><br>"
        Message = Message & strFontSmall
        Message = Message & "<i><b>Password Control</b><br>"
        Message = Message & "Password Control Requirement: Passwords must be maintained and protected.<br>"
        Message = Message & "Standard: Password change interval should be 90 days or less for users, <b>30 days for administrators</b>.<br><br>"
        Message = Message & "More info: http://intranet.yourcompany.com/ActiveDirectorySecurity/Passwords.aspx</i><br>"
'******************************************************************************
'* Loading Information and Sending E-mail                                     *
'******************************************************************************
        SMTPMail.To       = JoinAddr(EmailAddr, strRecipient)
        SMTPMail.HTMLBody = Message
        SMTPMail.Send

    End If
End If
'******************************************************************************
'* If the AD enumeration runs into an OU object, call the Sub again to iterate*
'******************************************************************************
If objMember.Class = "organizationalUnit" Or objMember.Class = "container" Then
    enumMembers objMember
End If
Next
End Sub

<message edited by jeferson.propheta on Thursday, September 02, 2010 6:15 AM>
Wscript.Echo("Just4 Fun")
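The same four-tier policy (warn from 25 days, force a change at 30, bring in the manager past 31, disable at 40) as an added PowerShell example built on the ActiveDirectory module; it is not part of jeferson.propheta's post. It uses greater-or-equal thresholds and skips accounts that are already forced or disabled, so a scheduled run that misses a day does not leave an account untouched, and -WhatIf previews the changes without writing to AD. Assumptions: the RSAT ActiveDirectory module is installed, and the OU path, SMTP relay, sender and admin mailbox are placeholders to replace.

```powershell
# Added example, not the original post's code. Placeholders: OU, relay, sender, admin mailbox.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $SearchBase = '',
    [string]   $SmtpServer = 'smtpRelayServer.yourcompany.com',
    [string]   $From       = 'ActiveDirectorySecurityNotification@yourcompany.com',
    [string[]] $AdminMail  = @('adsecurity-team@yourcompany.com'),   # placeholder address
    [int] $WarnDays = 25, [int] $ForceDays = 30, [int] $EscalateDays = 32, [int] $DisableDays = 40
)

function Get-PasswordAgeAction {
    # Pure decision function: password age -> policy tier. Keeping it free of AD calls
    # means the thresholds can be unit-tested offline (e.g. with Pester).
    param([int] $DaysSinceChange)
    if ($DaysSinceChange -ge $DisableDays)  { return 'Disable' }   # disable; admins + manager
    if ($DaysSinceChange -ge $EscalateDays) { return 'Escalate' }  # overdue; admins + manager
    if ($DaysSinceChange -ge $ForceDays)    { return 'Force' }     # pwdLastSet = 0; admins
    if ($DaysSinceChange -ge $WarnDays)     { return 'Warn' }      # reminder to the user only
    return 'None'
}

Import-Module ActiveDirectory -ErrorAction Stop
if (-not $SearchBase) {
    $SearchBase = "OU=Accounts,OU=AD Admins,$((Get-ADDomain).DistinguishedName)"
}

$props = 'PasswordLastSet', 'mail', 'manager', 'Enabled', 'whenCreated', 'whenChanged'
foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree -Properties $props) {
    if (-not $u.Enabled)              { continue }   # already disabled: nothing more to do
    if ($null -eq $u.PasswordLastSet) { continue }   # pwdLastSet is 0: change already forced

    $days   = (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    $action = Get-PasswordAgeAction -DaysSinceChange $days
    if ($action -eq 'None') { continue }

    # Recipients: the user when they have a mailbox, admins for anything beyond a
    # warning, and the manager once the account is overdue or being disabled.
    $to = @()
    if ($u.mail)            { $to += $u.mail }
    if ($action -ne 'Warn') { $to += $AdminMail }
    if (($action -in @('Escalate', 'Disable')) -and $u.manager) {
        $mgr = try { Get-ADUser -Identity $u.manager -Properties mail -ErrorAction Stop } catch { $null }
        if ($mgr -and $mgr.mail) { $to += $mgr.mail }
    }
    if ($to.Count -eq 0) { $to = $AdminMail }        # no mailbox anywhere: tell the admins

    $remaining = $ForceDays - $days
    switch ($action) {
        'Force' {
            # pwdLastSet = 0 forces a change at next logon, the same mechanism as the VBScript
            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Force password change')) {
                Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
            }
            $subject = 'Active Directory Security Notification - Account was set to Change Password'
        }
        'Disable' {
            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Disable account')) {
                Disable-ADAccount -Identity $u
                Set-ADUser -Identity $u -Replace @{ wWWHomePage = "Disabled by Users Password Review - $(Get-Date -Format s)" }
            }
            $subject = 'Active Directory Security Notification - Your OU Admin Account has been Disabled'
        }
        default {
            $subject = if ($remaining -ge 0) {
                "Active Directory Security Notification - Password Expiration Days Remaining $remaining."
            } else {
                "Active Directory Security Notification - Password change overdue by $(-$remaining) days."
            }
        }
    }

    $body = @"
<p><strong>Active Directory Security Notification</strong> - $(Get-Date)</p>
<p>User: <b>$($u.SamAccountName.ToUpper())</b> Last Password Change: $($u.PasswordLastSet) ($days days ago)</p>
<p>Action taken: <b>$action</b></p>
<p>UserDN: $($u.DistinguishedName)<br>When Created: $($u.whenCreated)<br>When Changed: $($u.whenChanged)</p>
"@
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to -Subject $subject -Body $body -BodyAsHtml
    Write-Verbose "$($u.SamAccountName): $days days since change -> $action"
}
```

Run it first with -WhatIf -Verbose from a scheduled task account that has write access to the admin OU; the Write-Verbose lines double as an audit trail of which tier each account hit.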