I often work in hybrid environments with lots of Linux/UNIX servers to do heavy lifting and a large Windows domain for workstations, directory services, and Exchange. Interoperability between the environments is important, and there is the occasional need for a web application or script that can change a user’s AD password. Here’s a breakdown of a rough script that does just that.
The script takes the following approach:
- Accept inputs from the command line (this is a rough script – no fancy usage flags or getopt argument parsing).
- Bind to the directory.
- Search for the user, confirm only one account matching the constraints exists, and pull the DN attribute.
- Create a double-quoted, UTF-16LE-encoded version of each password (Active Directory requires this form of the unicodePwd value for both the account’s current and new passwords).
- Delete, then Add the unicodePwd attribute on the account. This must be done in a single LDAP modify operation.
In the form of the script below, a user can change their own AD password, but a privileged account (such as a domain admin) cannot. Users change their own password with a delete, followed by an add. Admins change passwords with an LDAP replace. Uncomment the appropriate line in the script to adjust the functionality. Read on for the full script.
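The steps above, as an added example written for this post rather than the author's own script: it builds the quoted UTF-16LE unicodePwd value, enforces the single-match search, and produces both the delete-then-add modlist a user applies to their own account and the replace modlist a privileged account uses for a reset. The server URI, bind DN, search base, sAMAccountName and passwords are placeholders; the only third-party dependency is python-ldap, imported inside `ldap_change()` so the helper functions run without a directory.

```python
"""Added example (not the original post's script): Active Directory
password change over LDAP, broken into the steps the post describes.

Assumptions: every server name, DN and password here is a constructed
placeholder. python-ldap (import ldap) is assumed installed only where the
request is actually sent."""

# Modify-operation codes as python-ldap defines them (ldap.MOD_ADD etc.)
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_ad_password(password: str) -> bytes:
    """Wrap the password in double quotes and encode it as UTF-16LE with no
    BOM, the only form AD accepts for the unicodePwd attribute."""
    return f'"{password}"'.encode("utf-16-le")


def select_unique_dn(search_results):
    """Given python-ldap search_s() results [(dn, attrs), ...], return the
    single DN, refusing to proceed on zero or multiple matches."""
    # AD returns referrals as (None, [...]) tuples; they are not accounts.
    dns = [dn for dn, _attrs in search_results if dn is not None]
    if len(dns) != 1:
        raise ValueError(f"expected exactly one account, found {len(dns)}")
    return dns[0]


def self_service_modlist(current_password: str, new_password: str):
    """Modlist for a user changing their own password: delete the current
    value and add the new one, both inside one modify request."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_ad_password(current_password)]),
        (MOD_ADD, "unicodePwd", [encode_ad_password(new_password)]),
    ]


def admin_reset_modlist(new_password: str):
    """Modlist for a privileged account resetting another user's password:
    a single replace, which does not carry the current password."""
    return [(MOD_REPLACE, "unicodePwd", [encode_ad_password(new_password)])]


def ldap_change(server_uri, bind_dn, bind_password, base_dn, sam_account, modlist):
    """Bind, locate the account, and apply modlist in one modify_s() call.
    AD refuses unicodePwd changes on an unencrypted session, so the URI
    must be ldaps://."""
    import ldap  # python-ldap, assumed installed where this actually runs
    from ldap.filter import escape_filter_chars

    if not server_uri.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd changes require LDAPS")
    conn = ldap.initialize(server_uri)
    conn.protocol_version = 3
    conn.simple_bind_s(bind_dn, bind_password)
    # Escape the command-line value so it cannot alter the search filter.
    search_filter = (f"(&(objectClass=user)"
                     f"(sAMAccountName={escape_filter_chars(sam_account)}))")
    results = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter,
                            ["distinguishedName"])
    dn = select_unique_dn(results)
    conn.modify_s(dn, modlist)  # delete + add (or replace) in one operation
    conn.unbind_s()
    return dn


if __name__ == "__main__":
    import sys
    # Rough usage, as in the post: positional arguments, no getopt.
    if len(sys.argv) != 7:
        sys.exit("usage: script.py LDAPS_URI BIND_DN BASE_DN SAM_ACCOUNT CURRENT_PW NEW_PW")
    uri, bind_dn, base_dn, sam, current_pw, new_pw = sys.argv[1:]
    # A user changing their own password binds with the current password.
    modlist = self_service_modlist(current_pw, new_pw)
    # For a privileged reset, use this line instead:
    # modlist = admin_reset_modlist(new_pw)
    print("changed password on", ldap_change(uri, bind_dn, current_pw, base_dn, sam, modlist))
```

The two modlist builders correspond to the two lines the post says to uncomment: the delete/add pair is what lets an ordinary user change their own password, while the single replace is the reset path available to an account with the reset-password right. Keeping the encoding in one function is deliberate, since a value without the surrounding quotes or encoded as UTF-8 is the usual reason AD rejects the modify.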