Windows OS Hub

January 31, 2020

Generating Strong Random Password with PowerShell

When creating new user accounts in Active Directory, an administrator sets a unique initial password for each account and passes it to the user (usually the user is prompted to change this password at the first logon, through the “User must change password at next logon” option of the AD userAccountControl attribute). If you do not want to invent a new random password for each user, or you create AD accounts with a PowerShell script, you can generate unique passwords automatically using a simple PowerShell script.

To generate a password, you can use the GeneratePassword method from the System.Web.Security.Membership class of .NET. Let’s generate a strong random password using the following PowerShell commands:

# Import System.Web assembly
Add-Type -AssemblyName System.Web
# Generate random password
[System.Web.Security.Membership]::GeneratePassword(8,2)


The GeneratePassword method can generate a password of up to 128 characters. It takes two parameters: the password length (8 characters in my case) and the minimum number of non-alphanumeric special characters, such as !, -, $, &, @, #, %, etc. (2 special characters in my case). As you can see, with these arguments the following password was generated for me: QX.9ogy:

It is not recommended to use more than one or two special characters in a user password, otherwise a user won’t be able to type it without mistakes (like k};E^]$|).

Thus, if you create new users with the New-ADUser PowerShell cmdlet and want to set unique passwords for them, use the following commands:

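Add-Type -AssemblyName System.Web
# Keep the plain-text value so it can be passed to the user; -AccountPassword only accepts a SecureString
$Password = [System.Web.Security.Membership]::GeneratePassword(8,2)
New-ADUser -Name "Jeremy Irons" -GivenName "Jeremy" -Surname "Irons" -SamAccountName "jirons" -UserPrincipalName "[email protected]" -Path "OU=Users,OU=Glasgow,OU=UK,DC=woshub,DC=com" -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true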

Also, you can use the GeneratePassword method to reset Active Directory user passwords.

If your company uses a strong password policy, a password generated with the GeneratePassword method may in some cases not meet the requirements of your AD domain password policy. Before setting a password for a user, you can make sure that it complies with the password complexity policy. Of course, it does not make sense to check its length or the presence of the username in the password. You can check that the password meets at least 3 requirements of the “Password must meet complexity requirements” policy (the password must contain at least 3 types of characters from the following list: numbers, lower-case characters, UPPER-case characters, and special characters). If the check fails, the password has to be regenerated.

I have written a small PowerShell script that generates a new random password and checks if it meets the password complexity requirement:

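Function GenerateStrongPassword ([Parameter(Mandatory=$true)][ValidateRange(4,128)][int]$PasswordLength)
{
    # GeneratePassword lives in the System.Web assembly
    Add-Type -AssemblyName System.Web
    $PassComplexCheck = $false
    do {
        $newPassword = [System.Web.Security.Membership]::GeneratePassword($PasswordLength,1)
        # Require an upper-case letter, a lower-case letter, a digit and a special character
        If ( ($newPassword -cmatch "[A-Z\p{Lu}]") `
            -and ($newPassword -cmatch "[a-z\p{Ll}]") `
            -and ($newPassword -match "\d") `
            -and ($newPassword -match "[^\w]")
        )
        {
            $PassComplexCheck = $true
        }
    } While ($PassComplexCheck -eq $false)
    # Lengths below 4 are rejected by ValidateRange: they can never contain all four character types
    return $newPassword
}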

To generate a password having 5 characters and at least one special character, run this command:

GenerateStrongPassword (5)


This script will always create a password that meets your AD password complexity policy.
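
A generator that does not depend on System.Web, as an added example (not part of the original article): the System.Web.Security.Membership class exists only in the .NET Framework, so it is unavailable in PowerShell 7. The function name New-RandomPassword, its parameters and the character sets are assumptions made for this example; one character is drawn from each class, so no regenerate loop is needed.

```powershell
function New-RandomPassword {
    [CmdletBinding()]
    param(
        [ValidateRange(8, 128)][int]$Length = 12,
        # Short, easy-to-type special set (assumption; adjust to your policy)
        [ValidateLength(1, 64)][string]$Special = '!#$%&@-'
    )
    # Look-alike characters (0/O, 1/l/I) are omitted to reduce typing mistakes
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        $Special
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Uniform integer in [0, $max) for $max <= 256; rejection sampling
        # discards bytes that would introduce modulo bias
        $next = {
            param([int]$max)
            $buf = New-Object byte[] 1
            $limit = 256 - (256 % $max)
            do { $rng.GetBytes($buf) } while ([int]$buf[0] -ge $limit)
            [int]$buf[0] % $max
        }
        $chars = [System.Collections.Generic.List[char]]::new()
        # One character from every class, so all four types are always present
        foreach ($c in $classes) { $chars.Add($c[(& $next $c.Length)]) }
        # Fill the rest from the combined alphabet
        $all = -join $classes
        while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }
        # Fisher-Yates shuffle so the guaranteed characters are not always first
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = & $next ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        -join $chars.ToArray()
    }
    finally { $rng.Dispose() }
}

# New-ADUser and Set-ADAccountPassword expect a SecureString
$plain  = New-RandomPassword -Length 12
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
```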

2 comments

Gyz August 13, 2016 - 9:32 pm

Didn’t know of this simple method, thanks for sharing. I turned your script into an easy foolproof function 😉
function Get-Password
{
  [CmdletBinding()]
  param
  (
    [Parameter(Mandatory=$false)]
    [int]
    $Length = (Read-Host 'Password length (1 – 128)'),
    
    [Parameter(Mandatory=$false)]
    [int]
    $NonAlphabeticChars = (Read-Host 'The number of Non-alphabetic characters')
  )
  try
  {
  
  Add-Type -AssemblyName System.Web
  [System.Web.Security.Membership]::GeneratePassword($Length,$NonAlphabeticChars)
  }
  catch [System.ArgumentException]
  {
    # retrieve information about runtime error
    $info = [PSCustomObject]@{
      Exception = $_.Exception.Message
      Reason    = $_.CategoryInfo.Reason
      Target    = $_.CategoryInfo.TargetName
      Script    = $_.InvocationInfo.ScriptName
      Line      = $_.InvocationInfo.ScriptLineNumber
      Column    = $_.InvocationInfo.OffsetInLine
    }  
    # output information. Post-process collected info, and log info (optional)
    $info
  }
}

Himanshu March 21, 2023 - 10:42 am

Hi Everyone,

Can somebody help me with creating a new user and generating a strong password with the above script?
