BlackBerry Forums Support Community
              

Old 09-10-2008, 07:19 PM   #1
BlueBerry2007
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64
DIY Mobile Admin, will this work?


I'm tasked with unlocking and resetting Windows domain users' passwords, even after hours--first-tier support aren't allowed to do it.

Since there are really no open source tools and the ones available are expensive (and I don't see our company buying them) what are your thoughts on this ...

Set up IIS web server on my XP workstation.
Create a web interface (cgi, asp, whatever) that runs a script.
The script runs the command line "net user"

The web interface will work accordingly with the "net user" command.

And I access that web interface via Blackberry Browser (MDS, it's secure right?)

Thoughts???
Old 09-11-2008, 03:36 AM   #2
DavidAdams
Talking BlackBerry Encyclopedia
 
Join Date: Sep 2007
Location: Belfast
Model: NotYe
PIN: N/A
Carrier: O2
Posts: 470

Not sure it's what you want but I have a wee Visual Basic program that scans the AD and lists any account it finds where "IsAccountLocked = True". It then displays them in a list box, each can be selected and a button clicked to unlock the account. Think I have a version which sends an email for each unlocked account if I can find it.

Anyone wants the VB please ask.

Edit
It doesn't reset passwords though it could probably be tweaked to reset it to a default one and also set the password to be changed on next login.
__________________
BES, 4.1.7, was SBE now full BES
Domino v7.0.2
Windows Server 2003, standalone

Last edited by DavidAdams; 09-11-2008 at 03:39 AM..
Old 09-11-2008, 08:31 AM   #3
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

BlueBerry, I have also thought about the same, but our web programmer isn't here anymore :(

I wanted to allow unlocking as well as resetting password for AD, and logging off a terminal service account (which can be done with command line).
Old 09-11-2008, 08:32 AM   #4
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

If you know how to do the web programming, I may be able to get you all the commands...
Old 09-12-2008, 05:22 PM   #5
BlueBerry2007
Thumbs Must Hurt
 
Join Date: Jan 2007
Model: 7100i
Carrier: Nextel
Posts: 64

Thanks for your responses. I'm good with the programming for front and back end. Just wanted to see if anybody has done this and get their thoughts.

My main concerns are,

Security:

Security to the web interface (i.e., via htaccess or some other method). I don't know what's available on IIS. I know with Apache you can do htaccess. I need to make sure that only I can access it, instead of some rogue person/program who'll start resetting passwords.

Encrypt communication between the web interface and the backend (i.e., https, which I don't know how to set up).

Need to verify/confirm that MDS is indeed internal only, that's what reading/research is leading me to believe.

Interface:

Input fields will only be for username and password. I'd be typing from a blackberry, so need to keep this simple.

Another thought, I may just have only a username field (and have the backend script reset to the same password every time). The backend script will decide whether it needs to unlock the account or not. Or, it'll just go ahead and attempt every time. So nothing to input on the interface as far as unlocking.

Backend:

Will the backend script run the "net user" command as me, since it's my PC? I'm authorized to reset passwords but probably not the "system" account or whatever account the script would run as. I'm not too familiar with IIS backend.

Last edited by BlueBerry2007; 09-12-2008 at 05:48 PM..
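
An added sketch (not code from any poster in this thread) of the backend checks these concerns call for: who may use the page, what the username field may contain, and how the "net user" command line is built. It is written in Python as a stand-in for the CGI/ASP script. The operator name, BES address, protected-account list and function names are assumptions, and it issues a random temporary password rather than a fixed one.

```python
import re
import secrets
import string

# Assumptions for this sketch (none of these values come from the thread):
OPERATORS = {"CORP\\helpdesk.admin"}              # who may use the page
PROTECTED = {"administrator", "krbtgt", "guest"}  # never reset from the web
BES_ADDRS = {"10.0.0.25"}                         # constructed BES/MDS address

# sAMAccountName-style allowlist: letters, digits, dot, underscore, hyphen,
# at most 20 characters, so no spaces, quotes, slashes or shell metacharacters.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,19}")


def authorize(remote_addr, auth_user, is_https):
    """Source IP only narrows the path, since every BES user shares it;
    the authenticated identity is what actually grants access."""
    return is_https and remote_addr in BES_ADDRS and auth_user in OPERATORS


def temp_password(length=14):
    """Random one-time password with lower, upper and digit present."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def build_reset_argv(username):
    """Validate the form field and return (argv, password), ready for
    subprocess.run(argv) with no shell in between."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    if username.lower() in PROTECTED:
        raise ValueError("protected account")
    pw = temp_password()
    # An argv list is handed to net.exe directly; cmd.exe never parses it,
    # so nothing typed into the form can append a second command or switch.
    return ["net", "user", username, pw, "/domain"], pw
```

The command runs with the rights of whatever account the web server process uses, so that account needs delegated reset rights on the target users and nothing more.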
Old 09-12-2008, 10:42 PM   #6
qc_metal
CrackBerry Addict
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590

You should really be doing this with ASP and javascript or vbscript code on the server-side.

Do a lookup on Google for vbscript reset password, etc. - you should be able to pass form data to your page and reset them with little trouble.

Heck, there's probably already a page out there that someone has already put together for this very purpose.
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Old 09-12-2008, 10:45 PM   #7
qc_metal
CrackBerry Addict
 
Join Date: Mar 2005
Location: Rockford, IL
Model: 9530
OS: 4.7.x
Carrier: Verizon
Posts: 590

Here's something. Perhaps you can modify this page...

Simple ASP page to reset passwords [windows] [password] [asp]
__________________
Provision, maintain, and report on users via web: the NEW BerryStats | FAQ
Old 09-13-2008, 10:18 PM   #8
kjarrodc
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: 8830
PIN: N/A
Carrier: verizon
Posts: 82

My two cents:

I think your initial idea would work perfectly. Run a web site on IIS on your XP workstation and you can enable HTTPS without an SSL cert. Run ASP.NET and avoid any client-side code (like JavaScript). Personally, I'd avoid running the command lines from any ASP.NET code. It is possible, but I'm sure the .NET Framework has a set of classes to deal with this specifically. Also, the framework could let you search Active Directory for accounts that have been locked out, like DavidAdams suggested. You could use the Visual Web Developer Express IDE (which, as you may know, is free). Also, you can configure ASP.NET to recognize the BlackBerry browser so that the ASP.NET engine will deliver optimized code to the browser. There is a good resource for ASP.NET / BlackBerry browser development: BlackBerry - Resource for Microsoft .Net Developers

As far as security is concerned, you don't have to worry about anything. This, of course, is the case IF your computer and BES are behind a firewall. MDS access to and from the BlackBerry is secure, and if you enable HTTPS from your site, MDS to your site will be secured. As an additional measure, you could enable basic authentication in IIS (don't use integrated authentication). This would make you type in your domain credentials when you go to the page. Also, you may notice that 'basic authentication' sends information in plain text, but you won't have to worry about this if you're using HTTPS. And as another additional measure, you could make the web page require a separate password when you use any of the commands on it.

Hope this helps...

Last edited by kjarrodc; 09-13-2008 at 10:20 PM..
Old 09-15-2008, 07:39 AM   #9
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

Quote:
Originally Posted by kjarrodc
My two cents:

As far as security is concerned, you don't have to worry about anything. This, of course, is the case IF your computer and BES are behind a firewall. MDS access to and from the BlackBerry is secure, and if you enable HTTPS from your site, MDS to your site will be secured. As an additional measure, you could enable basic authentication in IIS (don't use integrated authentication). This would make you type in your domain credentials when you go to the page. Also, you may notice that 'basic authentication' sends information in plain text, but you won't have to worry about this if you're using HTTPS. And as another additional measure, you could make the web page require a separate password when you use any of the commands on it.

Hope this helps...

I agree, disable integrated authentication, use domain credentials and you'll be good to go. You can also lock IIS down by IP address so only the BES server can access the web pages as well.

You can use a number of ways to query AD for any locked-out accounts and display them; you can then choose a user and reset the pw to a predetermined password. You may also want a function to search for a user and reset their password in case they forgot it, but haven't locked themselves out.

If you get all that working, can you make something for terminal services. qwinsta/rwinsta to display and disconnect TS sessions? please
Managing Terminal Services Sessions Remotely - Scott Forsyth's Blog

Last edited by s10xtremenlow; 09-15-2008 at 08:04 AM..
Old 09-17-2008, 03:03 PM   #10
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

Any headway?
Old 09-22-2008, 07:16 AM   #11
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

Bueller?
Old 09-29-2008, 07:58 AM   #12
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

Anyone?
Old 09-29-2008, 12:04 PM   #13
jgudnas
Thumbs Must Hurt
 
Join Date: Oct 2006
Location: Calgary
Model: 9800
OS: 6.0.0.161
PIN: where do i find that again.?
Carrier: Rogers
Posts: 71

For sure put a password on your web page.

Always keep in mind if you can access the web page from your BB via your BES, so can ANYONE else who is on your BES. They use the same path.
__________________
800 (direct from RIM), 950, 6280, 7280, 7510, 7520, 7750 (EVIL!!), 7250, 7130e, 8703e, 8100, 8800, 8310, 9000, 9700
Old 09-29-2008, 12:27 PM   #14
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

Has anyone built it yet though?
Old 10-10-2008, 11:03 AM   #15
s10xtremenlow
Thumbs Must Hurt
 
Join Date: Jan 2008
Model: Bold
PIN: N/A
Carrier: AT&T
Posts: 85

dfgdfg
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.