powershell script via Citrix

What I am attempting to accomplish is a simple script that I can deploy via Citrix for users to reset their password. I have gotten so far but now need some help.
To avoid sending passwords my script just asks the user if they’d like to reset their password. If they choose YES then it sets the AD attribute “user must change password at next logon” to true. The script then directs them to close their Citrix session and log on again, which will then prompt them to change their password.
My issue is when testing this with a regular user account they do not have access to Active Directory to edit their user’s attributes.
Script is as follows:

###################################
# Requires the RSAT ActiveDirectory module (auto-loaded on PS 3+, imported explicitly here)
Import-Module ActiveDirectory

$user = Read-Host -Prompt 'Please enter your username'

# Domain-wide maximum password age, in days
$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

# Expiry = last set date + max age (a plain [datetime], so it prints cleanly below)
$passwordExpires = (Get-ADUser $user -Properties PasswordLastSet).PasswordLastSet.AddDays($maxPasswordAge)
Write-Host "Your password expires on the following date: $passwordExpires"

$answer = Read-Host 'Would you like to change your password now? Please type Y or N'

If ($answer -eq 'Y') {
    # Flags the account so the next interactive logon forces a password change
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    Write-Host "Please close your Citrix browser session and log back on. You will be prompted to change your password"
}
Else {
    Write-Host 'You will not be prompted to change your password'
}

# Keep the window open long enough for the user to read the message
Start-Sleep -Seconds 15
######################################

Yes, I know there are easier ways of changing passwords. We need this because we were recently acquired. All of our users’ computers have been changed over to the new company’s, on their domain, on their network. There are legacy things still on our old domain that the users will need their old creds for and mgmt wants a way for them to be proactive in changing their password.

I am thinking I’ll need to create a service account in AD that has rights to change the “user must change password at next logon” attribute. How can I incorporate that into my script above so when the user launches this via Citrix it’s under the alternative credentials of the service account, so when they do select YES it can change that attribute to TRUE.

Thanks in advance.

What you’re after is Just Enough Administration, or JEA. You’d need PowerShell v5 running on a server someplace. Basic gist:

Set up a JEA endpoint that anyone can connect to, but that “Runs As” an account with the needed permissions. Your tool should just use Invoke-Command to connect to that endpoint and send the user’s identity (name). Inside the endpoint, you actually run the password reset or whatever. That way, nobody needs extra permissions and no passwords change hands. This’ll require you to play around a little bit, and learn some stuff, but the path you’re going down is kinda not only a really poor practice, but also kinda doomed to failure. JEA, on the other hand, is supported and awesome.

The v4 implementation of JEA required DSC; the v5 implementation does not, so that’s probably what you want. You can use any server running v5, including a DC.

Now, this is not the place for a JEA tutorial. PowerShell.org’s YouTube page might have a session from the 2015 or 2016 Summit about it, and there are lots of tutorials out there. The commands themselves (available in PowerShell Gallery) also have decent help.
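As an added illustration of the endpoint described above (example code, not from this thread or from PowerShell.org), here is a minimal PS 5.1 JEA setup plus the one-line client call. It assumes a domain-joined server with the RSAT ActiveDirectory module, a gMSA named OLDDOMAIN\svc-pwreset$ (placeholder) that has been delegated only the right to write pwdLastSet on the user OUs, and a server name jea-server.old.example (placeholder); the target account is taken from $PSSenderInfo, i.e. whoever actually authenticated to the endpoint, so a caller can only flag their own account.

```powershell
# --- Server side (run once, elevated, on the JEA host) ---
# Role capabilities must live in a module folder; create a stub module to hold them.
$modDir = "$env:ProgramFiles\WindowsPowerShell\Modules\SelfServicePwReset"
New-Item -ItemType Directory -Path "$modDir\RoleCapabilities" -Force | Out-Null
New-Item -ItemType File -Path "$modDir\SelfServicePwReset.psm1" -Force | Out-Null
New-ModuleManifest -Path "$modDir\SelfServicePwReset.psd1" -RootModule 'SelfServicePwReset.psm1'

# The only capability exposed: flag the CALLER's own account. The identity comes from
# $PSSenderInfo (the authenticated remote user), never from a typed-in name.
New-PSRoleCapabilityFile -Path "$modDir\RoleCapabilities\PwResetUser.psrc" `
    -ModulesToImport ActiveDirectory `
    -VisibleFunctions Request-MyPasswordReset `
    -FunctionDefinitions @{
        Name        = 'Request-MyPasswordReset'
        ScriptBlock = {
            # 'OLDDOMAIN\jdoe' -> 'jdoe' (sAMAccountName) for Set-ADUser -Identity
            $sam = ($PSSenderInfo.UserInfo.Identity.Name -split '\\')[-1]
            Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
            "Account $sam flagged: you will be asked for a new password at your next logon."
        }
    }

# Endpoint: anyone in Domain Users may connect, commands run as the gMSA (placeholder name),
# and every session is transcribed for audit.
$pssc = "$env:TEMP\PwReset.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'OLDDOMAIN\svc-pwreset$' `
    -RoleDefinitions @{ 'OLDDOMAIN\Domain Users' = @{ RoleCapabilities = 'PwResetUser' } } `
    -TranscriptDirectory 'C:\JEA-Transcripts'
Register-PSSessionConfiguration -Name PwReset -Path $pssc -Force

# --- Client side (what the Citrix-published script does instead of Set-ADUser) ---
$answer = Read-Host 'Would you like to change your password now? Please type Y or N'
if ($answer -eq 'Y') {
    # Only Request-MyPasswordReset is visible in this session; nothing else can be run.
    Invoke-Command -ComputerName 'jea-server.old.example' -ConfigurationName PwReset `
        -ScriptBlock { Request-MyPasswordReset }
}
```

Test-PSSessionConfigurationFile $pssc validates the .pssc before registering it, and Get-PSSessionCapability -ConfigurationName PwReset -Username 'OLDDOMAIN\jdoe' shows exactly which commands a given user would see.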

When I launch this as a regular user and choose YES to change password the error I am getting is:

Set-AdUser : Insufficient access rights to perform the operation
At C:\Scripts\ResetAD.ps1 :10 char:1

+ Set-Aduser -identity $user -changepasswordatlogon $true

Don,

Perfect. Thanks for sending me in the right direction. I’ll do some research