Active Directory has become a central part of managing multiple computers in an organization. It's important to make sure that AD is correctly configured with the proper password policy. In order for this to happen, you must first reset your Active Directory Password at its default value: "Password never expires". To do so, open PowerShell and run these commands:
The Set-ADAccountPassword cmdlet allows you to reset an Active Directory password. You can use this command in PowerShell and it will work on Windows Server 2003, 2008, 2012 and 2016.
It’s perfectly OK to utilize the GUI to reset Active Directory (AD) user passwords. However, when it comes to changing numerous user passwords, the GUI isn’t always the most efficient option. Fortunately, the Set-ADAccountPassword PowerShell cmdlet provides an option.
You can easily change AD user passwords and even build complicated random passwords using PowerShell. You may also construct a script to reset AD user passwords in bulk if necessary. This article will teach you all you need to know.
Let’s get down to business!
Prerequisites
Make sure you meet the following requirements in order to follow along with this hands-on tutorial.
- A domain in Active Directory (AD). This article uses the HomeLab.Local domain.
- A domain-joined Windows PC to execute commands or scripts to reset AD user passwords. This tutorial uses a machine running Windows 10.
- Remote Server Administration Tools (RSAT) installed on the Windows PC.
- The ability to reset AD user passwords must be granted to your domain user account.
- You’ll be resetting the password for an AD user account. The user03 AD username will be used in the examples in this tutorial.
- This lesson will utilize a code editor such as Visual Studio Code or Windows PowerShell ISE. You are allowed to use whatever coding editor you are familiar with.
- This lesson assumes you’ve already signed into your Windows PC and opened the Windows PowerShell 5.1 window.
Resetting AD User Passwords using the Set-ADAccountPassword Cmdlet
The ActiveDirectory PowerShell module is included in Microsoft's RSAT installation. The ActiveDirectory module, in turn, contains the cmdlets that administrators use to manage various parts of Active Directory. When you need to change passwords, Set-ADAccountPassword is the primary cmdlet.
Changing a User’s Password
You must have two pieces of information available before you can reset an AD user's password: the identity of the AD user and the new password to be assigned. These are the two values you'll provide to Set-ADAccountPassword.
Follow the steps below to reset an AD user’s password now that you know which cmdlet to use and the minimum needed parameters.
1. Run the command below in PowerShell to produce the secure string representation of the new password. This command converts the plain text password to a secure string and stores it in a variable.
TIP: Double-check that the new password meets the AD password complexity criteria for your company.
2. Next, use the Set-ADAccountPassword command to reset the AD user's password. The -Identity parameter takes the AD user's ID, and the -NewPassword parameter accepts the secure password object you produced earlier. Finally, the -Reset parameter tells the cmdlet to reset the user's password.
Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset
The -Identity parameter accepts the following AD user identity values:
- Distinguished name (DN)
- GUID (objectGUID)
- Security identifier (objectSid)
- SAM account name (sAMAccountName)
The command you ran will not produce any output on the screen unless an error occurred during the password reset.
3. Use the Set-ADUser command with the -ChangePasswordAtLogon $true argument to require the user to change their password at the next login.
Set-ADUser -Identity user03 -ChangePasswordAtLogon $true
Changing a User’s Password using Alternative Administrator Credentials
Some organizations require administrators to have two user accounts: one regular user account and one administrator account. From a security standpoint, this separation of duties is a common practice.
If your account is set up this way, do you have to switch from your regular user account to your admin account to change an AD user's password? Not at all.
When using the Set-AdAccountPassword command, you may provide your admin credential using the -Credential argument. By doing so, the command will be run in the context of your admin account. To do so, follow the steps outlined below.
1. First, run the command below, which uses the Get-Credential cmdlet to prompt for your admin credential and stores it in a variable.
$Credential = Get-Credential
2. At the credential request screen, provide your admin username and password, then click OK.
3. Finally, to reset the AD user's password, run the commands below.
# Create the secure string for the new password.
$NewPwd = ConvertTo-SecureString "[email protected]" -AsPlainText -Force
# Specify the admin credential context and reset the AD user password.
Set-ADAccountPassword -Credential $Credential -Identity user03 -NewPassword $NewPwd -Reset
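The single-user reset and the alternate-credential variant described above, combined into one function as an added example that is not part of the original article. It prompts for the new password with Read-Host -AsSecureString so the plain text never lands in command history or a transcript, and it verifies the result. The function name Reset-ADUserPasswordInteractive is hypothetical.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and the right to reset passwords on the target account.
function Reset-ADUserPasswordInteractive {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # DN, objectGUID, objectSid or sAMAccountName of the user.
        [Parameter(Mandatory = $true)]
        [string]$Identity,

        # Optional admin credential, e.g. the output of Get-Credential.
        [System.Management.Automation.PSCredential]$Credential
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Pass -Credential to every AD cmdlet only when one was supplied.
    $common = @{}
    if ($Credential) { $common['Credential'] = $Credential }

    # Resolve the account first so a mistyped identity fails before any change.
    $user = Get-ADUser -Identity $Identity @common -ErrorAction Stop

    # Prompt for the password; it is held only as a SecureString.
    $NewPwd = Read-Host -Prompt "New password for $($user.SamAccountName)" -AsSecureString
    if ($NewPwd.Length -eq 0) {
        throw 'Empty password entered; nothing was changed.'
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        # -ErrorAction Stop turns policy rejections (length, complexity) into
        # terminating errors instead of a message that is easy to miss.
        Set-ADAccountPassword -Identity $user -NewPassword $NewPwd -Reset @common -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true @common -ErrorAction Stop

        # Verify: pwdLastSet is 0 once a change at next logon is required.
        Get-ADUser -Identity $user -Properties pwdLastSet, PasswordExpired @common |
            Select-Object SamAccountName, pwdLastSet, PasswordExpired
    }
}

# Usage with the article's sample account:
#   Reset-ADUserPasswordInteractive -Identity user03
#   Reset-ADUserPasswordInteractive -Identity user03 -Credential (Get-Credential)
```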
Password Reset for Multiple Users
You’ve only used the Set-ADAccountPassword cmdlet to reset single-user passwords so far. Working with PowerShell, on the other hand, enables you to script large operations. You may also reset the passwords of numerous users at once using scripting.
Before you begin writing your script, outline the high-level steps it will perform. Based on what you've learned so far in this article, your script should do the following:
- Read a list of AD user identities from a text file.
- Generate a unique password for each user.
- Reset each user's password.
- Force a password change at the user's next logon.
- Display the user's identity and the new password.
You may now open your code editor and begin scripting with the high-level instructions in mind.
1. Create a text file containing a list of user identities. This is the file that your script will use as input. The text file in this example is C:\Temp\userlist.txt, and it includes the user IDs shown below.
2. Next, open your code editor and create a file named reset-password.ps1. Put this file in whichever folder you like. The script will be stored in C:\Temp in this case.
3. After creating the reset-password.ps1 file, copy the code below, paste it into your code editor, and save the file.
# Import ActiveDirectory module
Import-Module ActiveDirectory
# Grab list of users from a text file.
$ListOfUsers = Get-Content C:\Temp\userlist.txt
foreach ($user in $ListOfUsers) {
    # Generate a 15-character random password.
    $Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$_ })
    # Convert the password to secure string.
    $NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
    # Assign the new password to the user.
    Set-ADAccountPassword $user -NewPassword $NewPwd -Reset
    # Force user to change password at next logon.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    # Display userid and new password on the console.
    Write-Host $user, $Password
}
4. Finally, run the script in PowerShell by entering its full path, as shown below.
C:\Temp\reset-password.ps1
As a result, each user now has a unique password, which the script prints to the console next to the user ID. These passwords may now be copied and sent to their respective users.
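A hardened variant of the bulk script, as an added example that is not part of the original article. Get-Random is not documented as cryptographically secure in Windows PowerShell 5.1, and -Count 15 draws from 33..126 without repetition and without guaranteeing any character class, so this version uses the .NET cryptographic generator, forces one character from each class, and records per-user failures. The helper names Get-SecureRandomIndex and New-RandomPassword and the character sets are assumptions; the input path is the article's.

```powershell
# Added example (not from the original article).

# Uniform random index in [0, Max) from a cryptographic RNG. Rejection
# sampling avoids the modulo bias of a plain "byte % Max". Max must be <= 256.
function Get-SecureRandomIndex {
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [ValidateRange(1, 256)][int]$Max
    )
    $buffer = New-Object byte[] 1
    $limit  = 256 - (256 % $Max)
    do { $Rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
    [int]($buffer[0] % $Max)
}

# Random password containing at least one upper, lower, digit and symbol.
# Look-alike characters (O/0, l/1/I) are left out to ease manual hand-off.
function New-RandomPassword {
    param([ValidateRange(8, 128)][int]$Length = 15)

    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ',
            'abcdefghijkmnopqrstuvwxyz',
            '23456789',
            '!#$%&*+-=?@_'
    $all = -join $sets
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object System.Collections.Generic.List[char]
        # One character from every class, then fill from the combined set.
        foreach ($set in $sets) {
            $chars.Add($set[(Get-SecureRandomIndex -Rng $rng -Max $set.Length)])
        }
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-SecureRandomIndex -Rng $rng -Max $all.Length)])
        }
        # Fisher-Yates shuffle so the forced characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j   = Get-SecureRandomIndex -Rng $rng -Max ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        -join ($chars.ToArray())
    }
    finally {
        $rng.Dispose()
    }
}

Import-Module ActiveDirectory -ErrorAction Stop

# Skip blank lines in the input file and trim stray whitespace.
$ListOfUsers = Get-Content -Path 'C:\Temp\userlist.txt' | Where-Object { $_.Trim() }

$results = foreach ($user in $ListOfUsers) {
    $id = $user.Trim()
    try {
        $Password = New-RandomPassword -Length 15
        $NewPwd   = ConvertTo-SecureString $Password -AsPlainText -Force
        Set-ADAccountPassword -Identity $id -NewPassword $NewPwd -Reset -ErrorAction Stop
        Set-ADUser -Identity $id -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $id; Status = 'Reset'; Password = $Password }
    }
    catch {
        # One bad identity or a policy rejection must not stop the whole batch.
        [pscustomobject]@{ User = $id; Status = "Failed: $($_.Exception.Message)"; Password = $null }
    }
}

# Show the outcome without echoing passwords; they remain in $results
# for hand-off to each user.
$results | Select-Object User, Status | Format-Table -AutoSize
```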
Resetting AD User Passwords using ADSI
You may also use Active Directory Service Interfaces (ADSI) in PowerShell to reset an AD user's password. ADSI may be used to reset passwords on systems where RSAT is not available, and it works with older PowerShell versions and any Active Directory version.
To utilize ADSI in PowerShell to reset an AD user’s password, follow the instructions below.
The procedures below presume you’re using a machine that doesn’t have the RSAT capability.
1. Determine the AD user's distinguished name. In this case, the ADSI path built from the distinguished name of the user03 user is LDAP://CN=user03,CN=Users,DC=HomeLab,DC=Local.
2. Run the code below to create an ADSI object containing the AD user.
$userid = [ADSI]"LDAP://CN=user03,CN=Users,DC=HomeLab,DC=Local"
Note that the LDAP prefix of the path should always be written in capital letters. The password reset will not work if you use lowercase letters.
3. Run the command below to set the password for the AD user. This command calls the SetPassword method of the ADSI object.
$userid.psbase.Invoke("SetPassword", '[email protected]')
4. After you've changed the password for the AD user, run the command below to call the ADSI object's CommitChanges() method. This method completes the password change for the user.
$userid.psbase.CommitChanges()
Conclusion
The goal of this post is to show you a better way to reset AD user passwords. You’ve learned how to utilize the Set-ADAccountPassword cmdlet and ADSI to reset AD user passwords using PowerShell.
Would you still use the GUI to meticulously reset passwords now that you know what you know? Will you go the extra mile and create a reusable AD password function?
) ( [char]
It’s perfectly OK to utilize the GUI to reset Active Directory (AD) user passwords. However, when it comes to changing numerous user passwords, the GUI isn’t always the most efficient option. Fortunately, the Set-ADAccountPassword PowerShell cmdlet provides an option.
Do you have any passwords in your Active Directory that have been compromised? With Specops Password Auditor Free, you can find out.
You can easily change AD user passwords and even build complicated random passwords using PowerShell. You may also construct a script to reset AD user passwords in bulk if necessary. This article will teach you all you need to know.
Let’s get down to business!
Prerequisites
Make sure you have the necessary needs in order to follow along with this hands-on session.
- A domain in Active Directory (AD). This article will be hosted on the HomeLab.Local domain.
- You’ll need a domain-joined Windows PC to execute commands or scripts to reset AD user passwords. This training will be performed on a machine running Windows 10.
- On the Windows PC, Remote Server Administration Tools (RSAT) is already installed.
- The ability to reset AD user passwords must be granted to your domain user account.
- You’ll be resetting the password for an AD user account. The user03 AD username will be used in the examples in this tutorial.
- This lesson will utilize a code editor such as Visual Studio Code or Windows PowerShell ISE. You are allowed to use whatever coding editor you are familiar with.
- This lesson assumes you’ve already signed into your Windows PC and opened the Windows PowerShell 5.1 window.
How to Install and Import the Active Directory Module in PowerShell
Resetting AD User Passwords using the Set-ADAccountPassword Cmdlet
The ActiveDirectory PowerShell module is included in the RSAT installation by Microsoft. The ActiveDirectory module, in turn, contains the cmdlets that administrators utilize to control various parts of the Active Directory. When you need to change passwords, the Set-AdAccountPassword cmdlet is the primary hero.
Changing a User’s Password
You must have two pieces of information available before you can reset an AD user’s password. The identify of the AD user, as well as the new password to be assigned. These are the two values you’ll provide to Set-AdAccountPassword.
Follow the steps below to reset an AD user’s password now that you know which cmdlet to use and the minimum needed parameters.
1. Run the command below in PowerShell to produce the secure string representation of the new password. This command will store the plain text password to a variable after converting it to a secure string.
TIP: Double-check that the new password meets the AD password complexity criteria for your company.
Random Password Generator is a related topic.
2. Next, use the Set-ADAccountPassword command to reset the AD user’s password. The -Identity option takes the AD user’s ID, but the -NewPassword parameter accepts the secure password object you produced earlier. Finally, the -Reset option tells the cmdlet to change the password for the user.
Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset
The -Identity argument accepts the following acceptable AD user identity values:
a well-known name (DN)
GUID is a unique identifier for (objectGUID)
Identifier for security (objectSid)
Name of the SAM account (sAMAccountName)
The command you ran will not produce any output on the screen unless there was a mistake in the password reset procedure.
3. Use the Set-ADUser command with the -ChangePasswordAtLogon $true argument to require the user to change their password at the next login.
Set-ADUser -Identity user03 -ChangePasswordAtLogon $true Set-ADUser -Identity user03 -ChangePasswordAtLogon $true Set-ADUser
Changing a User’s Password using Alternative Administrator Credentials
Administrators in certain businesses would be required to have two user accounts. One account is a regular user, while the other is an administrator. From a security aspect, separating jobs is a typical approach.
Do you have to move from your regular user account to your admin account to change an AD user’s password if your account is set up this way? Certainly not.
When using the Set-AdAccountPassword command, you may provide your admin credential using the -Credential argument. By doing so, the command will be run in the context of your admin account. To do so, follow the steps outlined below.
1. First, use the Get-Credential cmdlet to get your admin credential, then perform the command below to store it to a variable.
Get-Credential $Credential = Get-Credential $Credential $Credential $Credential
2. At the credential request screen, provide your admin username and password, then click OK.
Taking a screenshot of your admin password
3. Finally, to reset the AD user’s password, perform the instructions from the sample below.
# Make a safe password. $NewPwd = ConvertTo-SecureString “[email protected]” $NewPwd = ConvertTo-SecureString “[email protected]” -Force -AsPlainText # Specify the admin credential context and reset the AD user password. -Identity user03 -NewPassword Set-ADAccountPassword -Credential $Credential $NewPwd
Password Reset for Multiple Users
You’ve only used the Set-ADAccountPassword cmdlet to reset single-user passwords so far. Working with PowerShell, on the other hand, enables you to script large operations. You may also reset the passwords of numerous users at once using scripting.
You must first outline the high-level processes that your scripts will do before you begin composing your script. Your script should have the following elements, based on what you’ve studied so far in this article:
- From a text file, read a list of AD user identities.
- For each user, generate a unique password.
- Passwords for each user should be reset.
- When the next user logs in, force a password change.
- Provide the user’s identify as well as the new password.
You may now open your code editor and begin scripting with the high-level instructions in mind.
1. Create a text file containing a list of user identities. This is the file that your script will use as input. The text file in this example is C:Tempuserlist.txt, and it includes the user IDs shown below.
2. Next, open your code editor and create a reset-password file. ps1. Put this file in whichever folder you like. The script will be stored at C:Temp in this case.
3. After you’ve finished writing the reset-password.ps1 script, copy the code below, put it into your code editor, and save it.
# Import ActiveDirectory module Import-module ActiveDirectory # Grab list of users from a text file. $ListOfUsers = Get-Content C:Tempuserlist.txt foreach ($user in $ListOfUsers) { #Generate a 15-character random password. $Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$_ }) #Convert the password to secure string. $NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force #Assign the new password to the user. Set-ADAccountPassword $user -NewPassword $NewPwd -Reset #Force user to change password at next logon. Set-ADUser -Identity $user -ChangePasswordAtLogon $true #Display userid and new password on the console. Write-Host $user, $Password }
Back to the Basics with PowerShell’s Foreach Loop
4. Finally, start the script in PowerShell by typing its whole path, as shown below.
C:Tempreset-password.ps1
As a consequence, each user now has their own personal password, as seen in the figure below. These passwords may now be copied and sent to their appropriate users.
Multiple passwords need to be reset
Resetting AD User Passwords using ADSI
You may also utilize the Active Directory Service Interface (ADSI) in PowerShell to reset an AD user’s password. ADSI may be used to reset passwords on systems where the RSAT is not accessible, and it works with previous PowerShell versions and any Active Directory version.
To utilize ADSI in PowerShell to reset an AD user’s password, follow the instructions below.
The procedures below presume you’re using a machine that doesn’t have the RSAT capability.
1. Determine the AD user’s differentiated name. In this case, the differentiated name of the user03 user is LDAP:/CN=user03,CN=Users,DC=HomeLab,DC=Local.
2. Run the code below to create an ADSI object containing the AD user.
$userrid = [ADSI]”LDAP:/CN=user03,CN=Users,DC=HomeLab,DC=Local” $userrid = [ADSI]”LDAP:/CN=user03,CN=Users,DC=HomeLab,DC=Local”
Note that the LDAP portion of the differentiated name should always be written in capital letters. The password reset will not function if you use lower case letters.
Understanding PowerShell Data Types and Accelerators is related.
Run the command below to set the password for the AD user. The SetPassword function of the ADSI object is called with this command. $userid.psbase.invoke(“SetPassword”,'[email protected]’)
After you’ve changed the password for the AD user, execute the command below to call the ADSI object’s CommitChanges() function. This technique completes the password change for the user. $userid.psbase.CommitChanges()
Do you have any passwords in your Active Directory that have been compromised? With Specops Password Auditor Free, you can find out.
Conclusion
The goal of this post is to show you a better way to reset AD user passwords. You’ve learned how to utilize the Set-ADAccountPassword cmdlet and ADSI to reset AD user passwords using PowerShell.
Would you still use the GUI to meticulously reset passwords now that you know what you know? Will you go the extra mile and create a reusable AD password function?
) ( [char]
It’s perfectly OK to utilize the GUI to reset Active Directory (AD) user passwords. However, when it comes to changing numerous user passwords, the GUI isn’t always the most efficient option. Fortunately, the Set-ADAccountPassword PowerShell cmdlet provides an option.
Do you have any passwords in your Active Directory that have been compromised? With Specops Password Auditor Free, you can find out.
You can easily change AD user passwords and even build complicated random passwords using PowerShell. You may also construct a script to reset AD user passwords in bulk if necessary. This article will teach you all you need to know.
Let’s get down to business!
Prerequisites
Make sure you have the necessary needs in order to follow along with this hands-on session.
- A domain in Active Directory (AD). This article will be hosted on the HomeLab.Local domain.
- You’ll need a domain-joined Windows PC to execute commands or scripts to reset AD user passwords. This training will be performed on a machine running Windows 10.
- On the Windows PC, Remote Server Administration Tools (RSAT) is already installed.
- The ability to reset AD user passwords must be granted to your domain user account.
- You’ll be resetting the password for an AD user account. The user03 AD username will be used in the examples in this tutorial.
- This lesson will utilize a code editor such as Visual Studio Code or Windows PowerShell ISE. You are allowed to use whatever coding editor you are familiar with.
- This lesson assumes you’ve already signed into your Windows PC and opened the Windows PowerShell 5.1 window.
How to Install and Import the Active Directory Module in PowerShell
Resetting AD User Passwords using the Set-ADAccountPassword Cmdlet
The ActiveDirectory PowerShell module is included in the RSAT installation by Microsoft. The ActiveDirectory module, in turn, contains the cmdlets that administrators utilize to control various parts of the Active Directory. When you need to change passwords, the Set-AdAccountPassword cmdlet is the primary hero.
Changing a User’s Password
You must have two pieces of information available before you can reset an AD user’s password. The identify of the AD user, as well as the new password to be assigned. These are the two values you’ll provide to Set-AdAccountPassword.
Follow the steps below to reset an AD user’s password now that you know which cmdlet to use and the minimum needed parameters.
1. Run the command below in PowerShell to produce the secure string representation of the new password. This command will store the plain text password to a variable after converting it to a secure string.
TIP: Double-check that the new password meets the AD password complexity criteria for your company.
Random Password Generator is a related topic.
2. Next, use the Set-ADAccountPassword command to reset the AD user’s password. The -Identity option takes the AD user’s ID, but the -NewPassword parameter accepts the secure password object you produced earlier. Finally, the -Reset option tells the cmdlet to change the password for the user.
Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset
The -Identity argument accepts the following acceptable AD user identity values:
a well-known name (DN)
GUID is a unique identifier for (objectGUID)
Identifier for security (objectSid)
Name of the SAM account (sAMAccountName)
The command you ran will not produce any output on the screen unless there was a mistake in the password reset procedure.
3. Use the Set-ADUser command with the -ChangePasswordAtLogon $true argument to require the user to change their password at the next login.
Set-ADUser -Identity user03 -ChangePasswordAtLogon $true Set-ADUser -Identity user03 -ChangePasswordAtLogon $true Set-ADUser
Changing a User’s Password using Alternative Administrator Credentials
Administrators in certain businesses would be required to have two user accounts. One account is a regular user, while the other is an administrator. From a security aspect, separating jobs is a typical approach.
Do you have to move from your regular user account to your admin account to change an AD user’s password if your account is set up this way? Certainly not.
When using the Set-AdAccountPassword command, you may provide your admin credential using the -Credential argument. By doing so, the command will be run in the context of your admin account. To do so, follow the steps outlined below.
1. First, use the Get-Credential cmdlet to get your admin credential, then perform the command below to store it to a variable.
Get-Credential $Credential = Get-Credential $Credential $Credential $Credential
2. At the credential request screen, provide your admin username and password, then click OK.
Taking a screenshot of your admin password
3. Finally, to reset the AD user’s password, perform the instructions from the sample below.
# Make a safe password. $NewPwd = ConvertTo-SecureString “[email protected]” $NewPwd = ConvertTo-SecureString “[email protected]” -Force -AsPlainText # Specify the admin credential context and reset the AD user password. -Identity user03 -NewPassword Set-ADAccountPassword -Credential $Credential $NewPwd
Password Reset for Multiple Users
You’ve only used the Set-ADAccountPassword cmdlet to reset single-user passwords so far. Working with PowerShell, on the other hand, enables you to script large operations. You may also reset the passwords of numerous users at once using scripting.
Before you begin writing your script, outline the high-level steps it will perform. Based on what you’ve learned so far in this article, your script should do the following:
- Read a list of AD user identities from a text file.
- Generate a unique password for each user.
- Reset each user’s password.
- Force a password change at each user’s next logon.
- Display the user’s identity and the new password.
You may now open your code editor and begin scripting with the high-level instructions in mind.
1. Create a text file containing a list of user identities. This is the file that your script will use as input. The text file in this example is C:\Temp\userlist.txt, and it includes the user IDs shown below.
2. Next, open your code editor and create a file named reset-password.ps1. Put this file in whichever folder you like. The script will be stored in C:\Temp in this case.
3. After you’ve created the reset-password.ps1 file, copy the code below, paste it into your code editor, and save it.
# Import the ActiveDirectory module.
Import-Module ActiveDirectory
# Grab the list of users from a text file.
$ListOfUsers = Get-Content C:\Temp\userlist.txt
foreach ($user in $ListOfUsers) {
    # Generate a 15-character random password.
    $Password = -join ((33..126) | Get-Random -Count 15 | ForEach-Object { [char]$_ })
    # Convert the password to a secure string.
    $NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
    # Assign the new password to the user.
    Set-ADAccountPassword $user -NewPassword $NewPwd -Reset
    # Force the user to change the password at next logon.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    # Display the user ID and new password on the console.
    Write-Host $user, $Password
}
4. Finally, run the script in PowerShell by typing its full path, as shown below.
C:\Temp\reset-password.ps1
As a result, each user now has a unique password, as seen in the figure below. These passwords may now be copied and sent to their respective users.
[Screenshot: resetting multiple passwords]
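A variant of reset-password.ps1, added here as an example and not part of the original article. Because Get-Random -Count 15 over 33..126 picks 15 distinct values, the script above never repeats a character within a password; this version draws every character independently from the operating system's cryptographic random number generator, and it reports a password only when the reset actually succeeded. New-RandomPassword is a hypothetical helper name; the input file is the one used above.

```powershell
# Added example: hardened variant of reset-password.ps1 (not the article's code).
Import-Module ActiveDirectory

# Hypothetical helper: each character is drawn independently from the OS CSPRNG.
function New-RandomPassword {
    param([int]$Length = 15)
    $alphabet = [char[]](33..126)                 # same printable ASCII range as the article
    $limit    = 256 - (256 % $alphabet.Length)    # bytes >= limit are rejected (no modulo bias)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
        }
        return $sb.ToString()
    }
    finally { $rng.Dispose() }
}

$results = foreach ($user in Get-Content C:\Temp\userlist.txt) {
    if ([string]::IsNullOrWhiteSpace($user)) { continue }   # skip blank lines in the list
    $Password = New-RandomPassword -Length 15
    $applied  = $false
    try {
        $NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
        # -ErrorAction Stop turns failures (unknown user, policy rejection) into exceptions.
        Set-ADAccountPassword -Identity $user.Trim() -NewPassword $NewPwd -Reset -ErrorAction Stop
        $applied = $true
        Set-ADUser -Identity $user.Trim() -ChangePasswordAtLogon $true -ErrorAction Stop
        $status = 'Reset'
    }
    catch { $status = "Failed: $($_.Exception.Message)" }
    [pscustomobject]@{
        User     = $user.Trim()
        # Never hand out a password that was not applied to the account.
        Password = $(if ($applied) { $Password } else { $null })
        Status   = $status
    }
}
$results | Format-Table -AutoSize
```

A row with a password and a "Failed" status means the reset was applied but the change-at-next-logon flag was not, so that account needs a follow-up.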
Resetting AD User Passwords using ADSI
You may also utilize the Active Directory Service Interface (ADSI) in PowerShell to reset an AD user’s password. ADSI may be used to reset passwords on systems where RSAT is not available, and it works with older PowerShell versions and any Active Directory version.
To utilize ADSI in PowerShell to reset an AD user’s password, follow the instructions below.
The procedures below presume you’re using a machine that doesn’t have the RSAT capability.
1. Determine the AD user’s distinguished name. In this case, the ADSI path built from the distinguished name of the user03 user is LDAP://CN=user03,CN=Users,DC=HomeLab,DC=Local.
2. Run the code below to create an ADSI object containing the AD user.
$userid = [ADSI]"LDAP://CN=user03,CN=Users,DC=HomeLab,DC=Local"
Note that the LDAP portion of the path should always be written in capital letters. The password reset will not function if you use lower case letters.
3. Run the command below to set the password for the AD user. This command calls the SetPassword method of the ADSI object.
$userid.psbase.Invoke("SetPassword",'[email protected]')
4. After you’ve changed the password for the AD user, execute the command below to call the ADSI object’s CommitChanges() method. This method completes the password change for the user.
$userid.psbase.CommitChanges()
Conclusion
The goal of this post is to show you a better way to reset AD user passwords. You’ve learned how to utilize the Set-ADAccountPassword cmdlet and ADSI to reset AD user passwords using PowerShell.
Would you still use the GUI to meticulously reset passwords now that you know what you know? Will you go the extra mile and create a reusable AD password function?
Frequently Asked Questions
How do I reset my active directory password?
A: This is a difficult question to answer, as there are many ways that it can be done. However, the common methods of resetting your password include logging into the Active Directory website in your web browser and navigating to Change Password or contacting an administrator at your company’s IT department with any questions about changing passwords.
What is the PowerShell command to reset password?
A: There is no command to reset a password in PowerShell.
How do you unlock an ad account in PowerShell?