There are many ways to change passwords on a Windows Active Directory domain. Users can change their own passwords at the workstation. However, for network administrators there are no built-in tools for administering other users' network passwords, unless you Remote Desktop to the Domain Controller or have installed the local support tools for Active Directory.
Both RM Community Connect 3 and Viglen Classlink network management systems contain web based tools for managing network user passwords from any workstation on the network, without having to use the Active Directory tools on the Domain Controllers.
It is generally considered best practice to only perform maintenance at a Fileserver/Domain Controller when software, updates or new configurations are needed. Using the Fileserver/Domain Controller as a workstation is generally a bad idea. Giving direct access to the File Servers for lesser skilled technicians may present a security issue.
Whilst there are extensions available for Windows XP that bring the Active Directory tools to the Windows Desktop, installing these extensions is often overlooked. This is where third party tools like Password Control from WiseSoft.co.uk can really help School based Network Administrators.
The installer weighs in at a tiny 1.5 MB. Once installed, you will find a new icon on the Start Menu for the Password Control application. The application is quick to load and is quite intuitive to use. There is no setup required. Just load, type a user name and press Enter.
The application has a built-in search function that allows the user to type in part of a user name; the application will then search for anything that matches. If the user name can be resolved, the user details are displayed. Otherwise a list of matching user names is displayed, and the user double-clicks on the account that needs its password changed.
You can set a new password either by typing a new password or by pressing the “G” button. Press the Change Password button to assign the new password to the user.
The application also has the ability to Enable/Disable a user account, as well as the ability to check and reset the Account Lockout status of the user account. Information presented about a user is taken directly from the Active Directory entry details. You could use some of the fields within Active Directory as a form of validation, so that perhaps students have to answer a security question or something.
Under the Application File Menu, there are a host of options that make this application an absolute must have for any network.
Connect As – If you use a restricted user account on your workstation, use this option to allow the application to make password changes using a privileged account.
Domain – Connect to different domains within the Active Directory Forest.
Search – The ability to search for a user account and display details about the account without using the facility to change the user’s password.
Settings – A host of options to set parameters such as Search Domains, Display Style, the LDAP properties displayed from the user's account and finally Password Generation Options that control how an automatically generated password is created.
Bulk Password Control – Displays a dialog that allows you to browse the Active Directory structure and select an Organisational Unit, so that bulk account changes can be made. This part of the tool allows changing of user passwords, enabling or disabling user accounts and exporting to a CSV file, perhaps for letters to new users detailing what their first passwords are.
Bulk Password Control
The Bulk Password Control portion of Password Control has a very powerful searching interface that allows the user to select network accounts based on a variety of options. You can choose accounts by:
Typing a List of User Accounts
Choosing a Security Group or Distribution Group from Active Directory. This option will also include users from Nested group memberships.
A particular Organisational Unit
Or if you are really brave you can type out your own LDAP query
Results from any of the searching methods are displayed on an easy to read form. As this is a bulk change tool, any actions that you undertake will be completed on all of the listed accounts.
Care is advised; choosing the wrong type of query could potentially reset the passwords of service accounts. A built in protection feature will prevent the inclusion of the Current User and the Administrator account.
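A pre-flight check for the caution above, as an added example that is not part of Password Control or the original article: this PowerShell function flags accounts in a bulk-reset candidate list that look like service or privileged accounts. The sample accounts are constructed, the function name is made up for illustration, and the OU path in the commented live query is hypothetical.

```powershell
# Added example: flag accounts that should not be swept up in a bulk reset.
function Test-BulkResetCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account
    )
    process {
        $reasons = @()
        # A registered SPN means a service authenticates as this account.
        if ($Account.servicePrincipalName) { $reasons += 'has servicePrincipalName' }
        # Heuristic: non-expiring passwords are typical of service accounts.
        if ($Account.PasswordNeverExpires) { $reasons += 'password never expires' }
        # adminCount=1 marks current or former members of protected groups.
        if ($Account.adminCount -eq 1) { $reasons += 'adminCount=1' }

        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            SafeToReset    = ($reasons.Count -eq 0)
            Reasons        = $reasons -join '; '
        }
    }
}

# Constructed sample accounts, shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = '07jsmith'; PasswordNeverExpires = $false
                       adminCount = $null; servicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-sql'; PasswordNeverExpires = $true
                       adminCount = $null
                       servicePrincipalName = @('MSSQLSvc/db01.school.example:1433') }
    [pscustomobject]@{ SamAccountName = 'netadmin2'; PasswordNeverExpires = $false
                       adminCount = 1; servicePrincipalName = @() }
)

# Only 07jsmith comes back with SafeToReset = True.
$sample | Test-BulkResetCandidate | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module; OU path is hypothetical):
# Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -SearchBase 'OU=Year7,DC=school,DC=example' -Properties servicePrincipalName, PasswordNeverExpires, adminCount |
#     Test-BulkResetCandidate | Where-Object { -not $_.SafeToReset }
```

Running the same LDAP filter through this check before pasting it into a bulk tool shows which matched accounts need to be removed from the list first.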
Once you have made bulk changes, for example resetting the entire Year 7 user account passwords, you can export the results to either a CSV or TXT file. You can then manipulate them in a mail merge operation to produce User Account Cards, or use them as part of a computer usage agreement where logging onto the network with the random password acts as an acceptance of the school computer usage policy.
Overall I was very impressed with the ease of use and functionality of Password Control. I know from experience that programming with Active Directory is quite complex and time consuming. Password Control has clearly had a lot of thought and time invested into coding it and has been written with educational establishments in mind. This application has definitely found a place on my pen drive and I will be recommending that schools take a look at it.
The application also has a built-in expansion facility that will pass the currently selected user to a Visual Basic script. Functions such as deleting an account or perhaps adding additional information to an account can easily be performed by choosing a script from the Tools menu.
The software author has a number of sample Visual Basic Scripts that can easily be added to your Password Control installation. See http://www.wisesoft.co.uk/Products/PasswordControl/Help/ for further details.
Using Password Control is the ideal solution where there is a big IT department with many technicians. By using permissions and security groups on the Active Directory, junior technicians or teachers could be given responsibility for password changes on specific Organisational Units of the Active Directory. Password Control is a lot simpler to understand and use than Active Directory.
Password Control is a free application written by a former school Network Technician and is available from http://wisesoft.co.uk/Products/PasswordControl/