 Can SQL change AD account states?


student_4187
Starting Member

4 Posts

Posted - 2014-11-30 : 22:35:55
Hello,

I've done a fair amount of googling on this but couldn't find a clear answer. I know that Microsoft products generally interface well with each other (SharePoint, Windows Server, etc.).

Can an SQL script or an SSIS package unlock an Active Directory account and/or reset an Active Directory password? Where I work we have a PowerShell script that runs and shows which AD accounts are locked out.

A method of unlocking AD accounts and/or resetting their passwords is wanted.

Preferably via an IVR, i.e. user calls in, user provides employee # (via phone input), IVR writes to SQL table, SQL checks to make sure employee number matches employee ID; if so, account is then unlocked. Or password is reset.

Can an SQL script interact with AD and unlock an account? Or reset an AD password?

My idea of how to do this is triggers based on values in the same row as the employee ID and employee number. For example, perhaps if Account Locked column is 1, and value entered as emp ID matches for AD user name, then trigger an SSIS package to run a PowerShell script and unlock the account.

Use case: offsite user can't connect to domain as user is locked out, and/or doesn't remember password.

I've worked with IVR systems which interact directly with SQL tables based on what happens during a given call, so I know that part of this is possible.

Summary: is there a way via SQL script to change the state of an Active Directory account? If not, is there a way via PowerShell scripting, via an SSIS package, to unlock certain accounts, reset AD passwords, etc.?

Thanks for your help. :)

gbritton
Master Smack Fu Yak Hacker

2780 Posts

Posted - 2014-12-01 : 09:08:19
You could do it in SSIS with a script task that calls the relevant API. Similarly, in SQL you could write a CLR component to do the same thing and call it as a SQL function. However, there are no out-of-the-box tools in SQL to do that. Nor are there any out-of-the-box tools for AD to unlock a SQL Server (not Windows) login.

jeffw8713
Aged Yak Warrior

819 Posts

Posted - 2014-12-01 : 14:12:47
If you already have a PowerShell script to show locked accounts - you can easily adapt what is found in that script to do what you want. From an IVR perspective, it would call your PowerShell script with the appropriate parameters and the script would then access the database and validate the user information - if correct, the script then calls the appropriate AD commands to reset the password or unlock the account.
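The flow described in the last reply, limited to the unlock case, as an added example that is not code from the thread. The server, database, table and column names, the input patterns and the `adminCount` check are assumptions; it needs the ActiveDirectory module and is meant to run under a service account delegated only the right to unlock accounts.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Keypad input forwarded by the IVR; the digit patterns are assumed formats.
    [Parameter(Mandatory)][ValidatePattern('^\d{1,10}$')][string]$EmployeeNumber,
    [Parameter(Mandatory)][ValidatePattern('^\d{1,10}$')][string]$EmployeeId
)

# Placeholders (assumptions): server, database, table and column names.
$connString = 'Server=SQLHOST;Database=HelpDesk;Integrated Security=SSPI'
$query = @'
SELECT SamAccountName
FROM dbo.IvrEmployee
WHERE EmployeeNumber = @num AND EmployeeId = @id
'@

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    # Bound parameters keep caller-supplied digits out of the SQL text.
    [void]$cmd.Parameters.AddWithValue('@num', $EmployeeNumber)
    [void]$cmd.Parameters.AddWithValue('@id', $EmployeeId)
    $sam = $cmd.ExecuteScalar()
}
finally {
    $conn.Dispose()
}

# ExecuteScalar returns $null for no row and DBNull for a NULL column value.
if ($null -eq $sam -or $sam -is [DBNull]) {
    Write-Output 'DENIED: no matching employee record'
    exit 1
}

$user = Get-ADUser -Identity $sam -Properties LockedOut, adminCount
# Added safeguard (assumption): never act on protected, privileged accounts.
if ($user.adminCount -eq 1) {
    Write-Output "DENIED: $sam is a protected account"
    exit 1
}

if ($user.LockedOut) {
    Unlock-ADAccount -Identity $user
    Write-Output "UNLOCKED: $sam"
}
else {
    Write-Output "NOOP: $sam is not locked out"
}
```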