# Path to a text file holding one account name per line. Every other part of
# the script works from the list read out of this file.
param(
    [Parameter(Position = 0)]
    [string]$filepath
)
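# Load the allow-list from $filepath.
# -ErrorAction Stop matters here: a missing or unreadable file only raises a
# non-terminating error from Get-Content, so without it the catch never fires
# and the script silently continues with an empty list. Blank and
# whitespace-only lines are dropped so they are never handed to the account
# cmdlets as user names.
try {
    [string[]]$AllowUsers = Get-Content -LiteralPath $filepath -ErrorAction Stop |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' }
} catch {
    Write-Host "[ERROR] Unable to get list of users:" $_.Exception.Message
    exit 1
}
if (-not $AllowUsers) {
    # Not fatal, but every list-driven menu option would be a no-op.
    Write-Host "[WARN] User list is empty"
}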
# Win32_OperatingSystem.ProductType 2 identifies a domain controller. The
# functions below use this flag to pick the AD cmdlets over the Local* ones.
$DC = [bool](Get-CimInstance -ClassName Win32_OperatingSystem -Filter 'ProductType = "2"')
if ($DC) {
    Write-Host "[INFO] Domain Controller Detected"
}
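# Placeholder for resetting the krbtgt account password. Only meaningful on a
# domain controller; anywhere else it reports the error and exits.
# NOTE(review): when this gets implemented, reset krbtgt twice with a full
# replication interval between the two resets and coordinate it with the
# domain owners — back-to-back resets invalidate every outstanding TGT.
# This function is not called from the menu loop at the bottom of the script.
Function Set-krbtgt-Password([bool] $IsDC) {
    Clear-Host
    if (-not $IsDC) {
        Write-Host "[ERROR] Computer is not a domain controller"
        # A bare 'exit' reports success (0) to whoever ran the script; this is
        # an error path, so return a non-zero code.
        exit 1
    }
    # insert code to flick krbtgt password here
}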
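# Prompt twice for a new password and apply it to $UserName: through
# Set-ADAccountPassword on a domain controller, Set-LocalUser otherwise.
# $UserName is passed straight to -Identity / -Name, so on a DC it has to be
# something those cmdlets resolve (sAMAccountName, DN, SID or GUID), not a CN.
# An empty entry or a mismatched confirmation skips this account and returns,
# so a bulk run over the list carries on with the next user instead of
# killing the whole script (the previous 'exit' also reported exit code 0).
Function Set-Password([string]$UserName, [bool]$IsDC) {
    Clear-Host
    Write-Host "[INFO] Setting password for" $UserName
    $Password = Read-Host -AsSecureString "Password"
    $Password2 = Read-Host -AsSecureString "Confirm Password"

    if ($Password.Length -eq 0) {
        Write-Host "[ERROR] Empty password entered; skipping" $UserName
        return
    }

    # SecureStrings cannot be compared directly, so both are decrypted for a
    # case-sensitive compare. The original leaked the BSTRs; here they are
    # zeroed and freed in 'finally'. The managed string copies are immutable
    # and can only be dereferenced, which is done as soon as the compare ends.
    $bstr1 = [IntPtr]::Zero
    $bstr2 = [IntPtr]::Zero
    $match = $false
    try {
        $bstr1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        $bstr2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password2)
        $pwd1_text = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr1)
        $pwd2_text = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr2)
        $match = ($pwd1_text -ceq $pwd2_text)
    } finally {
        $pwd1_text = $null
        $pwd2_text = $null
        if ($bstr1 -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr1) }
        if ($bstr2 -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr2) }
    }

    if (-not $match) {
        Write-Host "[ERROR] Passwords don't match; skipping" $UserName
        return
    }

    try {
        if ($IsDC) {
            # -Reset is the administrative reset path. Without it the cmdlet
            # treats the call as a user-initiated change and expects the
            # account's current password (-OldPassword).
            Set-ADAccountPassword -Identity $UserName -Reset -NewPassword $Password -ErrorAction Stop
        } else {
            Set-LocalUser -Name $UserName -Password $Password -ErrorAction Stop
        }
        Write-Host "[INFO] Password set for" $UserName
    } catch {
        # Without -ErrorAction Stop a failed cmdlet only raised a
        # non-terminating error and the success line was printed regardless.
        Write-Host "[ERROR] Failed to set password for" $UserName ":" $_.Exception.Message
    }
}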
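# Harden and then disable every account whose name appears in $UserList.
# On a DC: tighten the AD user's password, Kerberos and delegation settings
# with Set-ADUser, then disable it. Elsewhere: adjust the local account with
# Set-LocalUser, then disable it. Accounts not on the list are left alone.
# Fix: the original called Disable-ADAccount with -Name, a parameter the
# cmdlet does not have (it takes -Identity), so the AD branch errored on every
# listed user and then printed "disabled" anyway.
Function Set-UserProperties([string[]]$UserList, [bool]$IsDC) {
    if ($IsDC) {
        # Enumerate and filter rather than look each entry up, so a list entry
        # that matches nothing is simply skipped. Entries are accepted as either
        # the CN (Name) or the sAMAccountName: Set-Password feeds the same
        # entries to -Identity, which resolves sAMAccountName but not CN.
        foreach ($DomainUser in Get-ADUser -Filter *) {
            $listed = ($DomainUser.Name -in $UserList) -or ($DomainUser.SamAccountName -in $UserList)
            if (-not $listed) {
                continue
            }
            try {
                $DomainUser | Set-ADUser -ErrorAction Stop `
                    -AllowReversiblePasswordEncryption $false `
                    -ChangePasswordAtLogon $false `
                    -KerberosEncryptionType AES128,AES256 `
                    -PasswordNeverExpires $false `
                    -UserMayChangePassword $false `
                    -PasswordNotRequired $false `
                    -AccountNotDelegated $true
                # Left disabled as in the original. Enabling it clears the
                # "no Kerberos pre-authentication" flag, which is what makes an
                # account AS-REP roastable.
                # $DomainUser | Set-ADAccountControl -DoesNotRequirePreAuth $false
                Disable-ADAccount -Identity $DomainUser -ErrorAction Stop
                Write-Host "[INFO]" $DomainUser.Name "disabled"
            } catch {
                Write-Host "[ERROR] Failed to update" $DomainUser.Name ":" $_.Exception.Message
            }
        }
    } else {
        # The running user is deliberately excluded so the operator cannot lock
        # themselves out. Note the name is interpolated into the WQL filter
        # verbatim; a quote in $Env:Username would break the query.
        $LocalUsers = Get-CimInstance -ClassName Win32_UserAccount `
            -Filter "LocalAccount='True' and Name!='$Env:Username'"
        foreach ($LocalUser in $LocalUsers) {
            if ($LocalUser.Name -notin $UserList) {
                continue
            }
            try {
                # Addressed by -Name explicitly: the CIM object carries both a
                # Name and a SID, and piping it would leave parameter-set
                # resolution to by-property-name binding.
                Set-LocalUser -Name $LocalUser.Name -ErrorAction Stop `
                    -PasswordNeverExpires $false `
                    -UserMayChangePassword $true `
                    -AccountNeverExpires
                Disable-LocalUser -Name $LocalUser.Name -ErrorAction Stop
                Write-Host "[INFO]" $LocalUser.Name "disabled"
            } catch {
                Write-Host "[ERROR] Failed to update" $LocalUser.Name ":" $_.Exception.Message
            }
        }
    }
}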
# Interactive menu. Loops until the operator picks 4 (exit code 0); the other
# options dispatch to the functions above with the DC flag and the user list
# loaded at the top of the script. Option matching is case-insensitive string
# equality, exactly as before.
while ($true) {
    Write-Host "Options:"
    Write-Host "1. Change passwords for all users in list"
    Write-Host "2. Change password for current user"
    Write-Host "3. Disable all users in list and apply proper user properties"
    Write-Host "4. Exit"
    $choice = Read-Host "Enter an option"
    switch ($choice) {
        '1' {
            foreach ($account in $AllowUsers) {
                Set-Password -UserName $account -IsDC $DC
            }
        }
        '2' { Set-Password -UserName $Env:UserName -IsDC $DC }
        '3' { Set-UserProperties -UserList $AllowUsers -IsDC $DC }
        '4' { exit 0 }
        default { Write-Host "Invalid option, try again" }
    }
}