Windows OS Hub

August 23, 2019 | Active Directory, PowerShell

How to Reset a User Password in Active Directory with PowerShell?

In this article we’ll consider how to change (or reset) a user’s Active Directory password using the PowerShell cmdlet Set-ADAccountPassword.

Most administrators change (reset) AD user passwords through the graphical snap-in dsa.msc (Active Directory Users & Computers). To do it, you must run the ADUC console, search for the user account in the AD domain, right-click on it and select Reset password. This is a simple and straightforward way to reset the password of the currently selected user.

But you won’t be able to use the ADUC console to reset the passwords of multiple users or to make the password reset one of the actions of an automation script. In such cases, you can reset AD passwords from the PowerShell command prompt.

Contents:
  • Using Set-ADAccountPassword to Reset User’s Password in Active Directory
  • Using PowerShell to Reset Multiple AD User Passwords

Using Set-ADAccountPassword to Reset User’s Password in Active Directory

To reset a user password in AD, use the Set-ADAccountPassword cmdlet. It is part of the Active Directory module for Windows PowerShell (in desktop Windows versions the module is part of RSAT; in server editions it is installed as a separate component, AD DS Snap-Ins and Command-Line Tools). Before using AD cmdlets, import the module into your PowerShell session:

Import-module ActiveDirectory

To reset a user password, your account must have the corresponding privileges in the AD domain. By default, non-admin AD users cannot reset the passwords of other accounts. To allow a user or a group of users to reset other users’ passwords, delegate the Reset Password permission on the AD container (Organizational Unit) or add the account to the built-in domain group Account Operators. Delegation on a specific OU is the narrower option: members of Account Operators can manage most user and group accounts in the whole domain.

To verify that your account has the permissions to reset the password of a specific AD user, open its properties, go to the Security tab -> Advanced -> Effective Access -> specify the name of your account -> make sure that you have Reset Password permission.

To reset a password for the user jliebert and set a new password myP@ssw0rd112, run this command:

Set-ADAccountPassword jliebert -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "myP@ssw0rd112" -Force -Verbose) -PassThru

By default, the cmdlet displays nothing in the console. To output the user object and display its information, use the -PassThru parameter.

You can specify the sAMAccountName (as in our case), objectGUID, the user’s SID or a DN (Distinguished Name, e.g., CN=jliebert,OU=Users,DC=woshub,DC=com) as the user name.

If you don’t specify the -Reset parameter when changing a user password, you must manually input the old and new account passwords.

Note. When resetting the password using the Set-ADAccountPassword cmdlet you can see the following error:

Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.

It means that the new password does not meet the complexity, length, etc. requirements defined in the domain password policy or in the fine-grained password policy that applies to the account.

If PowerShell command history is enabled and you don’t want passwords to be displayed in the PoSh console as plain text, enter the password as a secure string, in the same way as when creating a new user account (password protection in PowerShell scripts is covered in a separate article):

$NewPasswd = Read-Host "Enter a new user password" -AsSecureString

Now reset the password:

Set-ADAccountPassword jliebert -Reset -NewPassword $NewPasswd -PassThru

When resetting a password, you can also unlock the account if it is locked (to find out which computer locks the account, read the article Identify the source of Account Lockouts in Active Directory):

Unlock-ADAccount -Identity jliebert

To require a user to change the password at the next logon to the domain, run the following command:

Set-ADUser -Identity jliebert -ChangePasswordAtLogon $true

You can combine the password change command and the requirement to change the password (this is the userAccountControl object attribute) in the PowerShell one-liner:

Set-ADAccountPassword jliebert -NewPassword $NewPasswd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Using the Get-ADUser cmdlet, you can make sure that the password has been successfully reset and display the last date of the account password change:

Get-ADUser jliebert -Properties * | select name, pass*

When a password is reset, Event ID 4724 is registered in the Security log of the domain controller (DC). This event can help you to check who reset the user password in AD.
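One way to read the "who reset it" answer out of that event, as an added example that is not part of the original article: the function below extracts the actor and the target account from the XML of a 4724 event. The function name and the sample event (including the host name dc01) are constructed for illustration.

```powershell
# Added example: ConvertFrom-PasswordResetEvent is a hypothetical helper name.
function ConvertFrom-PasswordResetEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ([int]$evt.System.EventID -ne 4724) { return }   # skip anything else
        # EventData is a list of <Data Name="...">value</Data>; index it by name
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreatedUtc = $evt.System.TimeCreated.SystemTime
            LoggedOnDC     = $evt.System.Computer
            ResetBy        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            TargetAccount  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            ActorLogonId   = $data.SubjectLogonId   # links to the actor's logon session
        }
    }
}

# Constructed sample event (not taken from a real log)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2019-08-23T10:15:30.000000000Z" />
    <Computer>dc01.woshub.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jliebert</Data>
    <Data Name="TargetDomainName">WOSHUB</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1001</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">WOSHUB</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-PasswordResetEvent

# On a domain controller, in an elevated session, feed it real events:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} -MaxEvents 50 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-PasswordResetEvent
```

The event is written on the DC that processed the reset, so in a multi-DC domain the query has to run against every domain controller or against a central log collector.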

Using PowerShell to Reset Multiple AD User Passwords

Above we have shown how to reset the password of a single AD user from the PowerShell console. Let’s consider another scenario when you need to change the passwords of multiple users at once.

The easiest case is when you have to reset passwords of the users with the same AD account properties. For example, you need to change the passwords of all Sales department users to the same one and make them change it at the next logon:

get-aduser -filter "department -eq 'Sales Dept' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Let’s consider another case. Suppose you have a CSV / Excel file that contains a list of users whose passwords you want to reset, with a unique password for every user. Here is the format of the users.csv file:

sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
josephomoore;N$isory01
simonecole;k@32d3!2

Using this PowerShell script, you can reset the password of each account in the specified csv file:

Import-Csv users.csv -Delimiter ";" | ForEach-Object {
    # Convert the plain-text password from the CSV into a SecureString
    $NewPass = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
    # Reset the password; the user is not required to change it at the next logon
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPass -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}

After this code is executed, a new unique password will be set for all AD users in the file.
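A variant of the bulk reset above that keeps no passwords in a plain-text CSV file, as an added example that is not part of the original article: each user gets a random temporary password that meets the usual complexity rule and must be changed at the next logon. Get-RandomIndex, New-RandomPassword and users.txt (one sAMAccountName per line) are hypothetical names, and the character sets and default length are assumptions.

```powershell
# Added example: function names and users.txt are hypothetical.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex([int]$Max) {
    # Unbiased index in [0, $Max) from the CSPRNG (rejection sampling, $Max <= 256)
    $limit = 256 - (256 % $Max)
    $b = [byte[]]::new(1)
    do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-RandomPassword([int]$Length = 16) {
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%+-=?@'
    $all = -join $classes
    # One character from every class so the complexity requirement is met
    $chars = foreach ($c in $classes) { $c[(Get-RandomIndex $c.Length)] }
    $chars = @($chars) + @(for ($i = $classes.Count; $i -lt $Length; $i++) { $all[(Get-RandomIndex $all.Length)] })
    # Fisher-Yates shuffle so the guaranteed characters are not always first
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

# Needs the ActiveDirectory module and the Reset Password permission.
# The output holds the temporary passwords: hand them over and do not save it to disk.
if ((Get-Module -ListAvailable ActiveDirectory) -and (Test-Path users.txt)) {
    Get-Content users.txt | ForEach-Object {
        $user = $_; $plain = New-RandomPassword; $reset = $false
        try {
            Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force) -ErrorAction Stop
            $reset = $true
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
            $status = 'OK'
        } catch { $status = "Error: $($_.Exception.Message)" }
        [pscustomobject]@{ User = $user; PasswordReset = $reset; TempPassword = $(if ($reset) { $plain }); Status = $status }
    }
}
```

The change-at-logon flag is set after the reset because a password reset updates pwdLastSet and would clear a flag set earlier.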
