Changing users' passwords in Active Directory 2016, from anywhere

2016-01-04 09:28:00

As part of an ongoing research project I'm working on, I've had the need to update an end-users' password in Microsoft's Active Directory. Not from Windows, not through "ADUC" (AD Users and Computers), but from literally anywhere. Thankfully I stumbled upon this very handy lesson from the University of Birmingham. 

I've tweaked their exemplary script a little bit, which results in the script shown at the bottom of this post. Using said script as a proof of concept I was able to show that the old-fashioned way of using LDAP to update a user's password in AD will still work on Windows Server 2016 (as that's the target server I run AD on). 

 

Called as follows:

$ php encodePwd.php user='Pippi Langstrumpf' newpw=Bora38Sr > Pippi.ldif

Resulting LDIF file:

$ cat Pippi.ldif 
dn: CN=Pippi Langstrumpf,CN=Users,DC=broehaha,DC=nl
changetype: modify
replace: unicodePwd
unicodePwd:: IgBOAG8AggBhQDMAOQBGAHIAIgA=

Imported as follows:

$ ldapmodify -f Pippi.ldif -H ldaps://win2016.broehaha.nl -D 'CN=Administrator,CN=Users,DC=broehaha,DC=nl' -W
Enter LDAP Password: 
modifying entry "CN=Pippi Langstrumpf,CN=Users,DC=broehaha,DC=nl"

Once the ldapmodify has completed, I can login to my Windows Server 2016 host with Pippi's newly set password "Bora38Sr".

 



<?php

function EncodePwd($pw) {
  $newpw = '';
  $pw = "\"" . $pw . "\"";
  $len = strlen($pw);
  for ($i = 0; $i < $len; $i++)
      $newpw .= "{$pw{$i}}\000";
  $newpw = base64_encode($newpw);
  return $newpw;
}

 if($argc > 1) {
	foreach($argv as $arg)  {
	list($argname, $argval) = split("=",$arg);
	$$argname = $argval;
	}
  }

  $userdn = 'CN='.$user.',CN=Users,DC=broehaha,DC=nl';

  $newpw64 = EncodePwd($newpw);

  $ldif=<<<EOT
dn: $userdn
changetype: modify
replace: unicodePwd
unicodePwd:: $newpw64
EOT;

  print_r($ldif);

?>

kilala.nl tags: , ,

View or add comments (curr. 0)