Users changing their AD details

Thanks but I don't want them to be able to reset your passwords just yet. The first phase is for them to be able to change things like their name, telephone number, office etc...

I'm looking into writing my own program thanks to Sin__Chase
 
Done some googling and I guess I have to write the program in .Net..... I know NO .Net :(

How easy would it be for me to pick up the pieces I need just for this little project?
 
Done some googling and I guess I have to write the program in .Net..... I know NO .Net :(

How easy would it be for me to pick up the pieces I need just for this little project?

Depends if you can program at all, or not. All in all, without a great deal of experience with either AD or .Net, I'd say it's fairly trivial code.
 
Use the Microsoft delegation wizard (name might not be exactly correct). If you right click in Active Directory on the top node you can choose it from there. You can give users permission to reset passwords only etc. I used it before and it was effective.

Then you just need to install the remote administration tools for the client operating system and then go to add/remove Windows components in Programs and Features and add Active Directory to admin tools, then create a shortcut to it.
 
Done some googling and I guess I have to write the program in .Net..... I know NO .Net :(

How easy would it be for me to pick up the pieces I need just for this little project?

Not hard.

You could script this in many languages. Hell, you could do it with notepad and VBscript.

Your best bet is to code a small application that writes CSV data with the information you need. Collate it all then run your own master script from that data against AD to perform the update yourself. Do not expose AD to users in any form or function unless it's something like delegation mentioned above and you FULLY test it in your environment first.

VBscript could very easily execute a GUI form. User fills in data, hits submit, data is sent to a database/csv file/other location, you collate that data, run your master ActiveDirectory script and job done.

I would do something along these lines

DN / Distinguished Name - Pulled directly from logged in session, this is your unique identifier of the user object. Verify with user that this is correct, if yes move on. Use the DN to query against LDAP (Read only required, any user should be able to do this). Pull out all fields you want to update and populate the form with existing AD data, nobody wants to update data that already exists and you do not want to overwrite data with NULL values.

Now you have your user (DN) and the pre-populated update-able fields. Have user input any updates such as:

Address
Telephone
Office
etc
etc

Submit changes would output the following CSV data. Ensure you have some validation code to strip out any nasty special characters...like " for example.
DN,Address,Telephone,Office
/DC=COM/DC=domain/CN=Users/CN=Joe Bloggs, My New Address, 11111 222222, Space

What do you use for this data collection? Hell, 100s of ways. HTML Application with a small SQL/file based backend (.hta), VBScript, .NET you could do it in any language you feel comfortable with that is easily deployable in your environment really.

You collate this csv data however you wish, into 1 file with tools/code/excel, write your master update script to step through all individual text files submitted....world is your oyster here.

Your master script reads your nice CSV data and appends it to Active Directory.

Buyer beware though, this is your AD. Make sure you scrub up on scripting Active Directory (1000000000s of resources online available for this). You can do whatever you want with data collection, it's only collecting data. Make sure you test, test and test again your AD script though. Test test test and test ANYTHING you decide on, be it home brew, bought software or Microsoft tools.
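A sketch of the "master script" step described in the post above, added here as an example and not code from the thread: it validates each collected row against an allow-list before anything is written to AD. The OU, the `example.com` domain, the patterns and the function name `Get-ValidatedChange` are assumptions, and the sample rows are constructed using standard comma-separated DNs.

```powershell
# Constructed sample rows; in practice use Import-Csv on the collated file.
$rows = @'
DN,Address,Telephone,Office
"CN=Joe Bloggs,OU=Staff,DC=example,DC=com","1 New Street","01111 222222","Room 4"
"CN=Admin,CN=Users,DC=example,DC=com","x","=cmd|calc","Space"
'@ | ConvertFrom-Csv

# CSV column -> LDAP attribute. Anything not listed here is never written.
$allowed = @{
    Address   = 'streetAddress'
    Telephone = 'telephoneNumber'
    Office    = 'physicalDeliveryOfficeName'
}
# Per-column patterns (assumed policy; tighten for your environment).
$pattern = @{
    Address   = '^[\w .,''/-]{1,120}\z'
    Telephone = '^\+?[\d ()-]{5,20}\z'
    Office    = '^[\w .-]{1,64}\z'
}
$allowedBase = 'OU=Staff,DC=example,DC=com'   # hypothetical OU for self-service users

function Get-ValidatedChange {
    param($Row)
    $dn = "$($Row.DN)"
    # Only touch objects under the expected OU; refuse escaped DNs outright.
    if ($dn.Contains('\') -or -not $dn.EndsWith(",$allowedBase", [StringComparison]::OrdinalIgnoreCase)) { return $null }
    $changes = @{}
    foreach ($col in $allowed.Keys) {
        $value = "$($Row.$col)".Trim()
        if ($value -eq '') { continue }                        # blank: keep the existing AD value
        if ($value -notmatch $pattern[$col]) { return $null }  # one bad field rejects the whole row
        $changes[$allowed[$col]] = $value
    }
    if ($changes.Count -eq 0) { return $null }
    return $changes
}

Import-Module ActiveDirectory -ErrorAction Stop
foreach ($row in $rows) {
    $changes = Get-ValidatedChange -Row $row
    if (-not $changes) { Write-Warning "Rejected: $($row.DN)"; continue }
    # -WhatIf only prints the intended change; remove it after testing.
    Set-ADUser -Identity $row.DN -Replace $changes -WhatIf -ErrorAction Stop
}
```

With the sample rows, the first is passed to `Set-ADUser` and the second is rejected because its DN is outside the allowed OU.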
 
Can't users already do this in search > users and computers > domain (rather than computer) > type in username > select own username (Windows XP)? They can edit their telephone number, floor here in AD 2003 with Exchange 2007 enabled schema. Must be our settings.
 
I made something similar in PowerShell & AD delegation of duties so managers could reset their team's passwords. It may help you, I don't know.

    cls
    [console]::ResetColor()
    $date = Get-Date
    $window = (Get-Host).UI.RawUI
    $window.WindowTitle = "Password Reset Script v1 $date"

    $currUser = [Environment]::UserName
    $currMachine = [Environment]::MachineName
    Write-Host ":: Password Reset Script v1 ::"
    Write-Host "Running as: $currUser on $currMachine"
    Write-Host "--------------------------------------------"
    $user = Read-Host "`nEnter the username you wish to reset"
    $password = Read-Host -AsSecureString "`nEnter new password"
    $password2 = Read-Host -AsSecureString "Enter new password again to confirm"

    # Decrypt both entries only long enough to compare them, then zero and
    # free the unmanaged copies so the plaintext does not linger in memory.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
    $bstr2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password2)
    $tmpPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $tmpPassword2 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr2)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr2)
    $match = ($tmpPassword -ceq $tmpPassword2)   # -ceq: passwords are case-sensitive
    $tmpPassword = $tmpPassword2 = $null

    if (-not $match)
    {
        [console]::ForegroundColor = "RED"
        Write-Host "`nPasswords do not match!`n"
        [console]::ResetColor()
        return
    }
    else
    {
        [console]::ForegroundColor = "YELLOW"
        $confirm = Read-Host "`nPress 'Y' to confirm or 'N' to exit"
        [console]::ResetColor()
        if ($confirm -eq "Y")   # -eq is case-insensitive, so "y" also matches
        {
            try
            {
                # -ErrorAction Stop makes every failure reach the catch block
                Import-Module ActiveDirectory -ErrorAction Stop
                Set-ADAccountPassword -Identity $user -NewPassword $password -Reset -ErrorAction Stop
                [console]::ForegroundColor = "GREEN"
                Write-Host "`nPassword change successful!`n"
                [console]::ResetColor()
            }
            catch
            {
                [console]::ForegroundColor = "RED"
                Write-Host "`nPassword change failed. Check username is correct`n"
                [console]::ResetColor()
            }
        }
        else
        {
            [console]::ForegroundColor = "RED"
            Write-Host "`nAborted!`n"
            [console]::ResetColor()
            return
        }
    }
 
Quest do a nice tool that bolts onto ARS but obviously cost factors in.

Depends on the number of users you have I guess - if it's not many, writing your own would definitely be most suitable (unless you have massive budget :)).
 