Active Directory Service Interfaces
Throughout the past 2 years, Windows Scripting Solutions (formerly Win32 Scripting Journal) has presented articles about how to use Active Directory Service Interfaces (ADSI) in scripts to manage most elements of Windows 2000 and Windows NT enterprise administration. With these basic elements mastered, you now have the foundation to use ADSI and your favorite scripting language to create robust administrative applications.
In this column, I'll show you how to build on the techniques you've learned (and show you some new ones) so that you can create scripts that solve particularly difficult problems administrators face regularly. This month, I show you how to use ADSI and VBScript to tackle two password-related tasks: finding and removing unused machine accounts in a domain and changing the local Administrator account password on workstations and member servers.
Finding and removing unused machine accounts. When it comes to namespace housekeeping, most enterprises do a good job of keeping user accounts current and accurate because of the risks of failing to do so. The same can't always be said for machine accounts. Although a stale machine account is a smaller risk than a stale user account, it is not harmless: it remains a valid domain principal that nobody is watching, and its password is no longer being rotated by the machine that owned it. Keeping the SAM up-to-date also has a practical payoff: you can often decrease the amount of time it takes to run scripts simply by reducing the number of dead machine accounts, especially if those scripts use enumeration functions at the domain level.
Changing the local Administrator account passwords. The biggest problem with changing the local Administrator account password is the sheer number of machines on which you need to change it. Because this tedious task is time-consuming, the password assigned to the Administrator account when the machine was built often remains for the life of that build. Worse yet, many enterprises use a single password for the Administrator account on all machines. This practice creates a tremendous security risk: someone needs to dump the account database of only one machine to obtain unauthorized, and hard to trace, access to every workstation and member server. In addition, regularly checking and changing passwords can flag instances in which central administrators have unknowingly lost their access to a machine because someone modified the local Administrators or Users group membership: the password change fails with an access-denied error, and that failure is the signal.
To solve both problems simultaneously, you can write a script that will
- Enumerate all domains in an enterprise
- Enumerate all machine accounts in each domain
- Identify inactive machine accounts (i.e., accounts belonging to machines that have been off the network for the past 180 days, which you can judge from the age of the machine account's password, because a member machine changes that password on its own only while it is connected to the domain)
- Change the Administrator account password on each remaining workstation and member server to a random value (domain controllers have no separate local Administrator account, so leave them out)
- Report results back to a text file, ODBC data source, or Microsoft Excel workbook (the report contains the new passwords, so protect it as you would any password store)
Enumerating All Domains
To enumerate all domains in the enterprise, you bind to the WinNT: provider and step through the returned collection, as Listing 1 shows. When you run this code, it returns a list of all the domains in the WinNT: namespace. Two caveats: the provider builds this list from the network browse list, so it can lag behind reality and omit a domain the browser service on the scripting machine cannot see, and workgroups appear alongside domains. To go further, nest additional For Each...Next statements within the enumeration to return a list of every computer in each domain, as the next section shows.
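The following script is an added example written for this edit; it is not the article's Listing 1 or the author's script. It carries the five-step procedure listed above through end to end, starting from the domain enumeration this section describes: it binds to WinNT:, walks every domain, walks every computer in each, reads the machine account's PasswordAge to judge staleness, and resets the local Administrator password on the remaining members. The log path, the domain controller names in the exclusion list, the 15-character password length, and the assumption that the local account is still named Administrator are all assumptions of the example; the Rnd-based password generator is a stand-in that is not cryptographically strong, as the comment on it says.

```vbscript
' Added example (not the article's Listing 1): walk every domain and machine
' account, flag stale machine accounts, reset the rest's local Administrator password.
Option Explicit

Const INACTIVE_DAYS   = 180     ' the article's threshold
Const PASSWORD_LENGTH = 15
Const DELETE_STALE    = False   ' dry run by default; True deletes stale accounts
Const LOG_PATH = "C:\Admin\pwchange.log"   ' assumption; the log holds plaintext passwords
Const PW_CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@"

' Assumption: a domain controller has no local SAM, so "Administrator" on a DC is
' the domain Administrator account. List your DC names here so they are skipped.
Dim dictExcluded
Set dictExcluded = CreateObject("Scripting.Dictionary")
dictExcluded.CompareMode = vbTextCompare
dictExcluded.Add "DC1", True

Dim objFSO, objLog, objNamespace, objDomain
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.CreateTextFile(LOG_PATH, True)
Set objNamespace = GetObject("WinNT:")   ' bind to the WinNT: provider
For Each objDomain In objNamespace       ' one Domain object per domain (or workgroup)
    ProcessDomain objDomain
Next
objLog.Close

Sub ProcessDomain(objDomain)
    Dim objComputer, nAgeDays, dictStale, strName
    Set dictStale = CreateObject("Scripting.Dictionary")
    objDomain.Filter = Array("computer")  ' enumerate machine accounts only
    For Each objComputer In objDomain
        nAgeDays = MachinePasswordAgeDays(objDomain.Name, objComputer.Name)
        If nAgeDays < 0 Then
            Report objDomain.Name, objComputer.Name, "NOACCOUNT", "cannot read machine account"
        ElseIf nAgeDays > INACTIVE_DAYS Then
            Report objDomain.Name, objComputer.Name, "STALE", Int(nAgeDays) & " days"
            dictStale.Add objComputer.Name, nAgeDays   ' delete after the loop, not during it
        ElseIf dictExcluded.Exists(objComputer.Name) Then
            Report objDomain.Name, objComputer.Name, "SKIPPED", "domain controller"
        Else
            ResetAdminPassword objDomain.Name, objComputer.Name
        End If
    Next
    If DELETE_STALE Then
        On Error Resume Next
        For Each strName In dictStale.Keys
            objDomain.Delete "computer", strName   ' IADsContainer::Delete(class, name)
            If Err.Number = 0 Then
                Report objDomain.Name, strName, "DELETED", ""
            Else
                Report objDomain.Name, strName, "DELETE-FAILED", Err.Description
                Err.Clear
            End If
        Next
        On Error GoTo 0
    End If
End Sub

' Age of the machine account's password in days, or -1 if it cannot be read. A member
' rotates that password only while it can reach the domain, so a large age means absence.
Function MachinePasswordAgeDays(strDomain, strComputer)
    Dim objAccount
    MachinePasswordAgeDays = -1
    On Error Resume Next
    ' The machine account is readable as a user object named "<computer>$"
    Set objAccount = GetObject("WinNT://" & strDomain & "/" & strComputer & "$,user")
    If Err.Number = 0 Then MachinePasswordAgeDays = objAccount.PasswordAge / 86400
    On Error GoTo 0
End Function

Sub ResetAdminPassword(strDomain, strComputer)
    Dim objUser, strNewPassword
    strNewPassword = RandomPassword(PASSWORD_LENGTH)
    On Error Resume Next
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strComputer & "/Administrator,user")
    If Err.Number = 0 Then objUser.SetPassword strNewPassword
    If Err.Number <> 0 Then
        ' Machine offline, or our account lost Administrators membership there (the lost-access case)
        Report strDomain, strComputer, "FAILED", Err.Description
    Else
        Report strDomain, strComputer, "CHANGED", strNewPassword
    End If
    On Error GoTo 0
End Sub

' Rnd is seeded from the clock and is not a cryptographic generator; it is used here
' only so the example runs on a stock NT/2000 box. Substitute a CSPRNG before trusting it.
Function RandomPassword(nLength)
    Dim i, strOut
    Randomize
    For i = 1 To nLength
        strOut = strOut & Mid(PW_CHARS, Int(Rnd * Len(PW_CHARS)) + 1, 1)
    Next
    RandomPassword = strOut
End Function

Sub Report(strDomain, strComputer, strStatus, strDetail)
    objLog.WriteLine strDomain & "\" & strComputer & vbTab & strStatus & vbTab & strDetail
End Sub
```

Run it under an account that belongs to the local Administrators group on every member machine. The script is a dry run for deletions until you set DELETE_STALE to True, so you can review the STALE lines first; STALE is an inference from password age, and a machine whose password change was disabled by policy will look stale even though it is in use. FAILED lines are the access-loss signal described earlier, but they also cover machines that are simply switched off, so rerun against those before concluding that someone removed your group membership. Because CHANGED lines carry the new passwords, put the log on an NTFS volume with an ACL restricted to the administrators who need it, or swap the Report procedure for an ODBC or Excel writer that lands somewhere equally protected.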