Problem Description:
Echo problems due to the development of automated password reset your password will result in a default or explicitly recorded in the user domain userpassword field, high risk security risks.
Environmental Information:
Windows Server 2008R2/2012R2/2016 ActiveDirectory
Symptoms:
Cause Analysis:
Since the code domain tube design students and students of communication problems failed to properly sort codes and domain password change logic;
Safety mentioned measuring process only involves business security scanning, measurement is not performed like the code extract content and background safety hazards;
Solving steps:
1. Filter Present plaintext password field of the user information to the present embodiment xiaowen account reproducibility Example:
Get-ADUser -Identity xiaowen -Properties * |select CN,Company,Department,Description,DisplayName,DistinguishedName,EmailAddress,EmployeeID,EmployeeNumber,mail,Manager,Name,sn,StreetAddress,Title,userPassword,UserPrincipalName
2. relates generally to the field sensitive account information field, we will operate as characters and the like by emptying the contents of the other or alternatively sensitive fields;
In this example we use the conventional method assigned to plenty of error, filled with spaces or other values can be achieved; content and we want to achieve is still a difference.
Eg: to update the company the company fields in brief :( attached: The method of two alternative values :)
Assignment is empty:
Get-ADUser -Identity xiaowen |Set-ADUser -Company ""
Get-ADUser -Identity xiaowen |Set-ADUser -Replace @{Company=""}
Filled with spaces or other characters:
Get-ADUser -Identity xiaowen |Set-ADUser -Company " "
Get-ADUser -Identity xiaowen |Set-ADUser -Replace @{Company="1"}
3. can not be achieved by operating a direct assignment, here referenced write-host method attempts to find some fields support null value domain environment Alternatively, as follows:
$company = Write-Host ""
Get-ADUser -Identity xiaowen |Set-ADUser -Company $company
4.同样的方法我们引用到本章节替换明文密码字段,发现为空不行,只能替换成空格或者其他字节信息,如下:
5.通过上边测试的方法我们发现始终实现不了密码字段清空的操作,最终只能变换操作方法,终于功夫不负有心人,通过-clear完成清理操作,如下:
Get-ADUser -Identity xiaowen -Properties * |select Samaccountname,name,userPassword
Get-ADUser -Identity xiaowen -Properties * |Set-ADUser -Clear userpassword
6.在测试过程中我们发现,通过-clear可以快速清空用户自完善或者非系统属性信息。
PS.Set-ADUser ** -clear unable to clean up the system comes with the property or properties must be a domain account.
Attachment: Quick clean up the list of user information in plain text password fields script:
Import-Csv C:\user.csv | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -Clear userpassword }
Welcome attention to micro-channel public number: Brits Yanxishe