Trying to use for Password Resets

So, I am working on getting this set up to handle password resets so that my teachers can reset student passwords instead of having to try to get hold of one of the IT team.

I first started with this code segment for the button:

https://hastebin.com/nomoputuji.php

And it did two things of note:

It successfully reset the password and triggered the change password at next logon.

However, the catch still triggered and gave a result of "Fail", which I think is from the unlock account, but I am not entirely sure.

So, in an attempt to implement logging, I added a log file in the wwwroot folder, verified permissions and came up with this:

https://hastebin.com/girobesesu.php

However, now I get 0 results, nothing happens, and I am really not sure where I have gone wrong…

Thanks for the help!

So, I managed to make some progress!

I found out why I was getting a failure and fixed that.

And apparently Add-Content was causing a problem as well and was causing the script not to process. So now I am wondering what the best option for logging these resets would be.

Hey Jacob

First, I can't comment on your issue specifically, but the UD Marketplace has an "Active Directory" Dashboard which includes a password reset function. Maybe you can use it for inspiration?


(The password reset part is stored in the “Objects.ps1” file in the Pages folder)

Second, you'll also need to either confirm that the password meets complexity, or handle the error so the teacher will know that the reset failed and why (I think the example in the AD dashboard linked above has that covered by catching and returning the exception).

Third, please make sure you "cover your ass", as having "Users" reset the passwords of other "Users" can open a whole lot of issues. Especially since the teacher now knows the password, and can potentially access students' accounts.
I know our audits would whoop our asses if we built something like that.

Yeah, I managed to get the reset function working. (Turns out the fail was coming from a permission I didn't delegate.)

But I am still kinda stuck on how to implement logging. In the second link above I show what I did, but the Add-Content cmdlet caused the whole thing to stop working.

I can’t see where you define the $logfile path. The code seems ok. Maybe it can’t find the path?

Sorry about that, I was using:

$logfile = "C:\scripts\log.log"

I’ve also tried C:\inetpub\wwwroot\log.log

Thank you!

EDIT: Also just tried $logfile = "log.log"
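The reset/unlock/logging flow this thread is circling around, written out as an added example (it is not the code from either hastebin link, nor the Marketplace AD dashboard). It assumes UniversalDashboard 2.x (New-UDPage, New-UDInput, New-UDInputAction) running under an app-pool identity that has been delegated reset and unlock rights on a student OU, the RSAT ActiveDirectory module on the dashboard host, and that $User holds the authenticated teacher's name inside the endpoint. The log path, OU, port and page name are hypothetical. It covers the three points raised in the replies: the log path is absolute and a failed Add-Content never takes the reset down with it; the exception text is returned to the teacher instead of a bare "Fail"; and the teacher never chooses the password, a random temporary one is generated and a change at next logon is forced.

```powershell
# Added example for the thread above; not the original poster's code.
# Assumptions: UniversalDashboard 2.x, RSAT ActiveDirectory module, an app-pool
# identity delegated "Reset password", "Unlock account" and pwdLastSet write on the
# student OU, and $User set by UD authentication. Paths/OU/port are hypothetical.
Import-Module ActiveDirectory

# Absolute path: the dashboard process's working directory is not predictable,
# so a relative "log.log" lands somewhere you may not be able to read or write.
$LogFile   = 'C:\UDLogs\PasswordResets.log'              # hypothetical
$StudentOU = 'OU=Students,DC=school,DC=local'            # hypothetical

function Write-ResetLog {
    param([Parameter(Mandatory)][string]$Message)
    # Logging must not break the reset: catch here rather than in the caller.
    try {
        $dir = Split-Path -Path $LogFile -Parent
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        $line = '{0:u} {1}' -f (Get-Date), $Message
        Add-Content -LiteralPath $LogFile -Value $line -Encoding UTF8 -ErrorAction Stop
    } catch {
        Write-Warning "Audit log write failed: $($_.Exception.Message)"
    }
}

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Mixed character classes so the domain complexity policy does not reject it.
    $chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+-=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling avoids modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Reset-StudentPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$RequestedBy
    )
    $result = [ordered]@{ Success = $false; Message = ''; TemporaryPassword = $null }
    try {
        # Reject anything that is not a plain sAMAccountName before it reaches a filter.
        if ($SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            throw "Invalid user name '$SamAccountName'."
        }
        # -SearchBase limits the page to the student OU regardless of what was typed,
        # so a teacher cannot reset a staff or admin account from here.
        $user = Get-ADUser -Filter { SamAccountName -eq $SamAccountName } `
                           -SearchBase $StudentOU -ErrorAction Stop
        if (-not $user) { throw "No student account named '$SamAccountName'." }

        $temp   = New-TemporaryPassword
        $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        # Unlock needs its own delegated right; when that is missing, this is the
        # call that throws and sends the button into its catch block.
        Unlock-ADAccount -Identity $user -ErrorAction Stop

        $result.Success = $true
        $result.Message = "Password reset for $($user.SamAccountName); change required at next logon."
        $result.TemporaryPassword = $temp
        Write-ResetLog "RESET OK target=$($user.DistinguishedName) by=$RequestedBy"
    } catch {
        # Surface the real reason instead of a bare "Fail".
        $result.Message = $_.Exception.Message
        Write-ResetLog "RESET FAIL target=$SamAccountName by=$RequestedBy error=$($result.Message)"
    }
    [pscustomobject]$result
}

$ResetPage = New-UDPage -Name 'Reset Student Password' -Content {
    New-UDInput -Title 'Reset a student password' -Content {
        New-UDInputField -Type textbox -Name SamAccountName -Placeholder 'student username'
    } -Endpoint {
        param($SamAccountName)
        $r = Reset-StudentPassword -SamAccountName $SamAccountName -RequestedBy $User
        if ($r.Success) {
            New-UDInputAction -Toast "$($r.Message) Temporary password: $($r.TemporaryPassword)" -Duration 15000
        } else {
            New-UDInputAction -Toast "Reset failed: $($r.Message)" -Duration 15000
        }
    }
}

Start-UDDashboard -Port 10001 -Dashboard (New-UDDashboard -Title 'Helpdesk' -Pages @($ResetPage))
```

The temporary password is shown to the teacher once and never written to the log; what the log records is who reset whom, when, and the error text on failure, which is what an audit will ask for. If Add-Content still fails once the path is absolute, the warning in Write-ResetLog names the reason (typically the app-pool identity lacking write access to the directory) without blanking the page.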

I am also working on a self-service password reset tool that our internal employees can use to reset their passwords. I am struggling on the authentication piece to AD: I need to run the Get-ADUser, Set-ADAccountPassword, and Set-ADUser commands as a service account, preferably a gMSA account if possible. I was able to easily accomplish this using WebJEA but would also like to get this running with PoshUD, as I prefer the customization that is possible.

Anyone with ideas on how to get AD commands to run with a gMSA or old-fashioned service account without prompting for creds?

I accomplished this by setting the Application Pool to run as a domain account with the permissions delegated to perform the reset steps

Hope this helps you!
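The app-pool approach from the reply above, as an added example that is not the poster's own configuration. It assumes the dashboard is hosted in IIS with the WebAdministration module available, and that a dedicated domain account (or a gMSA whose managed password the host is allowed to retrieve) has been delegated only the rights the reset page needs on the student OU. The app pool name, account names and OU are hypothetical; the dsacls lines show the delegation for the three rights the reset flow uses (reset password, write lockoutTime for unlock, write pwdLastSet for "change at next logon"), which is the kind of missing right that produces the "Fail" described earlier in the thread.

```powershell
# Added example, not from the thread. Assumes IIS hosting with WebAdministration,
# and a delegated domain account. Pool/account/OU names are hypothetical.
Import-Module WebAdministration

$AppPool   = 'UniversalDashboard'                       # hypothetical
$SvcUser   = 'SCHOOL\svc-udreset'                       # hypothetical
$StudentOU = 'OU=Students,DC=school,DC=local'           # hypothetical

# Option A: classic service account. The password is prompted for once and stored
# (encrypted) by IIS in applicationHost.config, not kept in this script.
$cred = Get-Credential -UserName $SvcUser -Message 'App pool service account'
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3                                    # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Option B: gMSA. Name ends in '$' and the password is left empty; the host must be
# in PrincipalsAllowedToRetrieveManagedPassword for the account.
# Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel -Value @{
#     identityType = 3; userName = 'SCHOOL\gmsa-udreset$'; password = ''
# }

# Delegate only what the reset page calls, scoped to the student OU (run once, as a
# domain admin; /I:S applies to user objects under the OU).
# dsacls "$StudentOU" /I:S /G "${SvcUser}:CA;Reset Password;user"   # Set-ADAccountPassword -Reset
# dsacls "$StudentOU" /I:S /G "${SvcUser}:WP;lockoutTime;user"      # Unlock-ADAccount
# dsacls "$StudentOU" /I:S /G "${SvcUser}:WP;pwdLastSet;user"       # Set-ADUser -ChangePasswordAtLogon

Restart-WebAppPool -Name $AppPool

# Verification page: shows the identity the dashboard process (and therefore every
# AD cmdlet in an endpoint) actually runs as. Remove it once confirmed.
$WhoAmIPage = New-UDPage -Name 'whoami' -Content {
    New-UDCard -Title 'Dashboard process identity' -Content {
        New-UDParagraph -Text ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    }
}
```

If the whoami page still shows the ApplicationPoolIdentity virtual account, the processModel change did not take and the AD cmdlets will fall back to prompting or failing. Keeping the delegation to the student OU is what limits the damage if the page, or the account behind it, is ever abused.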


Thanks Jacob. I ended up getting it to work with the app pool method. Also found a syntax issue on my side that was causing some pain.