perl script: How to reset a user password in your Windows 2008 R2 or Windows 2012 R2 Active Directory, connecting over secure LDAPS on port 636

This simple script was created so that it can be handed over to the helpdesk team to reset a user's password every time they get locked out or their password expires.

Step 1: This assumes you have already installed Strawberry Perl for Windows; if you're running OS X or Linux, Perl is already built in.

Copy the script below, paste it into your favorite editor and save it, e.g. as changepass.pl

#!/usr/bin/perl
# changing user passwords in Active Directory over LDAPS (port 636)
#
use strict;
use warnings;
use Net::LDAP;
# escape_filter_value stops a username containing ( ) * or \ from changing the search filter
use Net::LDAP::Util qw(escape_filter_value);
# module needed to encode the AD password (unicodePwd must be UTF-16LE, wrapped in double quotes)
use Unicode::String qw(utf8 utf16le);
#
# ARGV is username password
my $username = $ARGV[0];
my $passwd   = $ARGV[1];
die "usage: $0 <username> <new password>\n" unless defined $username && defined $passwd;
my $result;

my $adsvr    = 'dev.twnlab.com';
my $adbinddn = 'cn=useradmin,ou=SERVICEDESK,ou=User,dc=dev,dc=twnlab,dc=com';
my $adpw     = 'REPLACE_WITH_BIND_PASSWORD';   # service-account password: put your own here

# Connect to the AD server over LDAPS.
# Once the DC certificate is in place, also pass verify => 'require' and
# cafile => '<path to your CA certificate>' so that only a certificate
# issued by your CA is accepted.
my $ad = Net::LDAP->new($adsvr, version => 3, scheme => 'ldaps', port => 636)
    or die "can't connect to $adsvr: $@";

# Bind as the service account
$result = $ad->bind($adbinddn, password => $adpw);
if ($result->code) {
    die "ERROR: binding as $adbinddn failed: " . $result->error . "\n";
}

# Look up the user's DN from the sAMAccountName
$result = $ad->search(
    base   => "OU=ENGR,OU=User,DC=dev,DC=twnlab,DC=com",
    filter => '(sAMAccountName=' . escape_filter_value($username) . ')',
    attrs  => ['distinguishedName'],
);
$result->code && die $result->error;
if ($result->count != 1) { die "ERROR: User not found in AD: $username\n" }

my $entry = $result->entry(0); # there can be only one
my $dn    = $entry->get_value('distinguishedName');

# AD expects the new password as a UTF-16LE string enclosed in double quotes
my $unicodePwd = utf8(chr(34) . $passwd . chr(34))->utf16le();

# change password entries. Check the result before moving on, otherwise a
# rejected password (complexity, history) would be hidden by the next modify.
$result = $ad->modify($dn, replace => { "unicodePwd" => $unicodePwd });
$result->code && die "ERROR: password change failed for $dn: " . $result->error . "\n";

# enable the users that are disabled (512 = NORMAL_ACCOUNT without the ACCOUNTDISABLE bit)
$result = $ad->modify($dn, replace => { "userAccountControl" => '512' });
$result->code && die "ERROR: enabling $dn failed: " . $result->error . "\n";

print "AD : SUCCESS: ${username} password changed windows 2012\n";

$ad->unbind();

Step 2: Run it from your command prompt, giving the username and the new password (shown here as a placeholder):

passwordreset.pl user1 <new-password>

Step 3: After running the command, check your event logs: if the user1 password was changed successfully you will see the corresponding event, and the user's “Password Last Set” value will show the latest timestamp, as shown in the image below.


Done. However, if you are having issues or do not see this event log, it is probably because you are not running a secured connection on LDAPS port 636, and you may want to follow this guide: How to create SSL certificate in Windows Server.

After you finish configuring your Active Directory with the new SSL certificate, you may want to verify it with this simple tool. Type this in your Windows “Run” box:

ldp.exe

and click “Connection -> Connect”.

Type in your Active Directory server name, tick SSL and use port 636, as shown below.

If there is no error, it will look like the image below.


Done. However, if you encounter an error when connecting to secure LDAP, your server probably does not have a local certificate installed; you can refer to my other post here.
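As an added example (this is not part of the original post and not the reset script itself), here is a small companion script that does both checks from the command line instead of ldp.exe and the event log: it connects over LDAPS with certificate verification switched on, prints which certificate the domain controller presented, and then reads the user's pwdLastSet, lockoutTime and userAccountControl so the helpdesk can confirm the reset took effect. The server, bind DN and search base are the ones from the reset script; the CA file path, the bind-password placeholder and the output format are assumptions of this example.

```perl
#!/usr/bin/perl
# verify_reset.pl  (added example, not part of the original post)
# Usage: verify_reset.pl user1
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Same lab server, service account and OU as the reset script
my $adsvr    = 'dev.twnlab.com';
my $adbinddn = 'cn=useradmin,ou=SERVICEDESK,ou=User,dc=dev,dc=twnlab,dc=com';
my $adpw     = 'REPLACE_WITH_BIND_PASSWORD';      # placeholder, put your own here
my $base     = 'OU=ENGR,OU=User,DC=dev,DC=twnlab,DC=com';
# Assumed path: PEM copy of the CA certificate that issued the domain controller's certificate
my $cafile   = 'C:/certs/lab-root-ca.pem';

my $username = $ARGV[0];
die "usage: $0 <sAMAccountName>\n" unless defined $username;

# verify => 'require' makes Net::LDAP refuse any server certificate that does
# not chain to $cafile, so a wrong or self-signed DC certificate fails here
# instead of silently working.
my $ad = Net::LDAP->new($adsvr,
    scheme  => 'ldaps',
    port    => 636,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
) or die "LDAPS connect to $adsvr failed: $@\n";

# The underlying socket is an IO::Socket::SSL, so we can show who answered
my $sock = $ad->socket;
printf "TLS peer: %s\n   issuer: %s\n",
    $sock->peer_certificate('subject'), $sock->peer_certificate('issuer');

my $r = $ad->bind($adbinddn, password => $adpw);
die "bind failed: " . $r->error . "\n" if $r->code;

$r = $ad->search(
    base   => $base,
    filter => '(sAMAccountName=' . escape_filter_value($username) . ')',
    attrs  => [ 'pwdLastSet', 'lockoutTime', 'userAccountControl' ],
);
die "search failed: " . $r->error . "\n" if $r->code;
die "user not found: $username\n" unless $r->count == 1;

my $entry = $r->entry(0);

# pwdLastSet and lockoutTime are Windows FILETIME values: 100-nanosecond
# ticks since 1601-01-01 UTC. Convert to a Unix epoch by dropping the
# sub-second part and subtracting the 1601 -> 1970 offset in seconds.
sub filetime_to_epoch {
    my ($ft) = @_;
    return undef unless defined $ft && $ft != 0;
    return int($ft / 10_000_000) - 11_644_473_600;
}

my $set_epoch  = filetime_to_epoch($entry->get_value('pwdLastSet'));
my $lock_epoch = filetime_to_epoch($entry->get_value('lockoutTime'));
my $uac        = $entry->get_value('userAccountControl') // 0;

printf "%s: Password Last Set = %s\n", $username,
    defined $set_epoch ? scalar(gmtime($set_epoch)) . ' UTC'
                       : 'never (user must change password at next logon)';
# lockoutTime of 0 (or absent) means not locked; a non-zero value is the
# moment the lockout started and is only still in force if it is newer than
# the domain's lockout duration.
printf "%s: lockoutTime = %s\n", $username,
    defined $lock_epoch ? 'locked at ' . scalar(gmtime($lock_epoch)) . ' UTC'
                        : 'not locked out';
# Bit 0x2 of userAccountControl is ACCOUNTDISABLE; the reset script writes 512 to clear it
printf "%s: userAccountControl = %d (%s)\n", $username, $uac,
    ($uac & 0x2) ? 'ACCOUNTDISABLE is set' : 'account enabled';

$ad->unbind;
```

Run it as verify_reset.pl user1 right after the reset: a "Password Last Set" time that matches the moment you ran changepass.pl, together with "not locked out" and "account enabled", is the same confirmation the event log and ldp.exe give you. If the connect step dies with a certificate error, the DC is not presenting a certificate issued by the CA in $cafile, which is the situation the SSL-certificate post above addresses.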
