You can do this via ADSI by passing alternate credentials:

    use Win32::OLE;

    # Open an ADO connection through the ADSI provider with alternate credentials
    my $objConn = Win32::OLE->CreateObject("ADODB.Connection");
    $objConn->{Provider} = "ADsDSOObject";
    $objConn->Properties->{'User ID'} = $user;
    $objConn->Properties->{'Password'} = $pwd;
    $objConn->Open("Active Directory Provider");

    # Run a paged LDAP query over that connection
    my $objComm = Win32::OLE->CreateObject("ADODB.Command");
    $objComm->{ActiveConnection} = $objConn;
    $objComm->{Properties}{"Page Size"} = 1000;
    $objComm->{CommandText} = "<LDAP:{yada, yada, yada}";
    my $objRS = $objComm->Execute();
    $objRS->MoveFirst;
    ...

If you want to do this from a non-Windows platform, you will need to use Net::LDAP. Be forewarned that AD requires a secure LDAP connection to change passwords of users.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 10, 2006 4:57 PM
To: activeperl@listserv.ActiveState.com
Subject: Password Reset in Active Directory via a Web form

PROBLEM:

I would like to create a Web form that "resets" a user's lost password in one of our walled-off domains, which uses Active Directory in native mode.

Since the user does not have their old password, the Win32::NetAdmin::UserChangePassword / Win32::AdminMisc::UserChangePassword (Chapter 3, page 122 in the Roth book I have) functions are not an option. Clearly, Win32::AdminMisc::SetPassword is preferred.

So, how do I get my Web form to "elevate privileges" to run under an administrative account I designate? I obviously don't want IIS running under an admin account all the time. What functions should I use to accomplish this? Is this what Win32::AdminMisc::LogonAsUser is for, or am I mistaken? (Chapter 9, page 450 in the Roth book)

Other question: Must IIS be running on the domain controller for the domain in question, or can this be done from any Web server joined to the domain in question?

PROBLEM CONSTRAINTS:

I would like to use Win32 or ADSI. It appears that the domain is using the whole Active Directory/LDAP thing. I've had just a smidgen of experience with LDAP, none with Active Directory. Will the Win32 module even work with these?

BONUSES:

It would be even better if I could control all of this from an Apache/Solaris box, so I don't have to worry about asking them to put IIS (even locked down by a firewall) on my DC or any other box in the domain.

Does anyone have a good Perl ADSI book to recommend?

Has anyone already written a script that is similar?

ASSORTED VISUAL BASIC FUNCTIONS AND THEIR PERL ANALOGUES:

Get the user object via LDAP
    VB: GetObject("LDAP://cn=aaaa,ou=bbbb,dc=somesubdomain,dc=company,dc=com");

Disable an account
    VB: objUser.AccountDisabled = True
    Perl: "UF_ACCOUNTDISABLE" (page 108 of the Roth Win32 book)

Enable an account
    VB: objUser.AccountDisabled = False
    Perl: "UF_ACCOUNTDISABLE" (page 108 of the Roth Win32 book)

Change a password
    VB: objUser.SetPassword "Something"
    Win32::AdminMisc::SetPassword (page 122 of the Roth Win32 book)

Miscellaneous
    VB: objUser.pwdLastSet = 0
    VB: objUser.lockoutTime = 0

------------------------------------------------------

Any tips would be appreciated. I might not even be in the right Perl mailing list for this!

Thanks,
Ian

_______________________________________________
ActivePerl mailing list
ActivePerl@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs

------------------------------------------------------

How hard is the secure LDAP connection for Active Directory to set up?

Also, the person who handed me these scripts thinks that you don't need the old password to change a user's password, with the VBScript. I don't think that is right, as, if it were correct, you'd be able to take over an entire domain with just one script from any box in that domain with logon privileges. Am I right?
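
The Net::LDAP route mentioned in the reply, sketched as an added example that is not part of the original thread: an administrative reset over LDAPS with certificate verification, where the new password is written to `unicodePwd` as a double-quoted UTF-16LE string. Such a reset needs no old password, but the directory only accepts it when the bound account holds the "Reset Password" right on the target user. The host name, CA file path, environment variable names and bind account are assumptions; the fallback user DN is the sample DN from the original message.

```perl
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;

# AD expects unicodePwd as the password wrapped in double quotes,
# encoded as UTF-16LE.
sub encode_ad_password {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

# Connect over LDAPS and verify the DC certificate against a known CA.
sub connect_ad {
    my (%arg) = @_;
    my $ldap = Net::LDAP->new(
        "ldaps://$arg{host}", verify => 'require', cafile => $arg{cafile},
    ) or die "LDAPS connect failed: $@\n";
    my $mesg = $ldap->bind($arg{bind_dn}, password => $arg{bind_pw});
    die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# Administrative reset: one "replace" on unicodePwd, no old password.
# AD authorizes it by the bound account's rights on the user object.
sub reset_password {
    my ($ldap, $user_dn, $new_password) = @_;
    my $mesg = $ldap->modify(
        $user_dn,
        replace => { unicodePwd => encode_ad_password($new_password) },
    );
    die 'reset failed: ' . $mesg->error . "\n" if $mesg->code;
    return 1;
}

# Placeholder values (assumptions); real ones come from the environment.
unless (caller) {
    my $ldap = connect_ad(
        host    => $ENV{AD_HOST}   // 'dc1.somesubdomain.company.com',
        cafile  => $ENV{AD_CAFILE} // '/etc/ssl/certs/ad-ca.pem',
        bind_dn => $ENV{AD_BIND_DN},   # hypothetical delegated reset account
        bind_pw => $ENV{AD_BIND_PW},
    );
    reset_password(
        $ldap,
        $ENV{AD_USER_DN} // 'cn=aaaa,ou=bbbb,dc=somesubdomain,dc=company,dc=com',
        $ENV{AD_NEW_PW},
    );
    $ldap->unbind;
}
```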