Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / PowerShell / Generating Strong Random Password with PowerShell

January 31, 2020 Active DirectoryPowerShell

Generating Strong Random Password with PowerShell

When creating new user accounts in Active Directory, an administrator sets a unique initial password for each account and tells it to a user (usually at the first logon a user is prompted to change this password by the option “User must change password at next logon” of the AD userAccountControl attribute). If you do not want to invent a new random password for each user or you are using a PowerShell script to create AD accounts, you can generate unique passwords automatically using a simple PowerShell script.

To generate a password, you can use the GeneratePassword method from the System.Web.Security.Membership class of .NET. Let’s generate a strong random password using the following PowerShell commands:

# Import System.Web assembly
Add-Type -AssemblyName System.Web
# Generate random password
[System.Web.Security.Membership]::GeneratePassword(8,2)

powershell GeneratePassword using the System.Web.Security class

The GeneratePassword method allows to generate a password up to 128 characters. The method uses two initial parameters: the password length (8 characters in my case) and the minimum number of non-alphabetical or non-numerical special characters, like !, -, $, &, @, #, %, etc(2 special characters). As you can see, according to these arguments the following password has been generated for me: QX.9ogy:

It is not recommended to use more than one or two special characters in a user password, otherwise a user won’t be able to type it without mistakes (like k};E^]$|).

Thus, if you create new users with the New-ADUser PowerShell cmdlet and want to set unique passwords for them, use the following commands:

Add-Type -AssemblyName System.Web
New-ADUser -Name "Jeremy Irons" -GivenName "Jeremy" -Surname "Irons" -SamAccountName "jirons" -UserPrincipalName "jirons@woshub.com" -Path "OU=Users,OU=Glasgow,OU=UK,DC=woshub,DC=com" –AccountPassword ([System.Web.Security.Membership]::GeneratePassword(8,2)) -ChangePasswordAtLogon $true -Enabled $true

Also, you can use the GeneratePassword method to reset Active Directory user passwords.

If your company is using a strong password policy, in some cases a password generated with the GeneratePassword method may not meet the requirements of your AD domain password policy. Prior to setting a password to a user, you can make sure that it complies with the password complexity policy. Of course, it does not make sense to check its length and the presence of username in a password. You may check if the password meets at least 3 requirements of the “Password must meet complexity requirements” policy (the password must contain at least 3 types of characters from the following list: numbers, lower-case characters, UPPER-case characters, and special characters). If the password check failed, you would have to re-generate it.

I have written a small PowerShell script that generates a new random password and checks if it meets the password complexity requirement:

Function GenerateStrongPassword ([Parameter(Mandatory=$true)][int]$PasswordLenght)
{
Add-Type -AssemblyName System.Web
$PassComplexCheck = $false
do {
$newPassword=[System.Web.Security.Membership]::GeneratePassword($PasswordLenght,1)
If ( ($newPassword -cmatch "[A-Z\p{Lu}\s]") `
-and ($newPassword -cmatch "[a-z\p{Ll}\s]") `
-and ($newPassword -match "[\d]") `
-and ($newPassword -match "[^\w]")
)
{
$PassComplexCheck=$True
}
} While ($PassComplexCheck -eq $false)
return $newPassword
}

To generate a password having 5 characters and at least one special character, run this command:

GenerateStrongPassword (5)

powershell function GenerateStrongPassword and check it comliance with the domain password policy

This script will always create a password that meets your AD password complexity policy.

2 comments
3
Facebook Twitter Google + Pinterest
previous post
VMWare vSphere: Managing Password Expiration Settings
next post
Fixing Volume Shadow Copy (VSS) Error with Event ID 8193

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Allow Non-admin Users RDP Access to Windows Server

May 22, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

2 comments

Gyz August 13, 2016 - 9:32 pm

Didn’t know of this simple method, thanks for sharing. I turned your script into an easy foolproof function 😉
function Get-Password
{
  [CmdletBinding()]
  param
  (
    [Parameter(Mandatory=$false)]
    [int]
    $Length = (Read-Host ‘Password length (1 – 128)’),
    
    [Parameter(Mandatory=$false)]
    [int]
    $NonAlphabeticChars = (Read-Host ‘The number of Non-alphabetic characters’)
  )
  try
  {
  
  Add-Type -AssemblyName System.Web
  [System.Web.Security.Membership]::GeneratePassword($Length,$NonAlphabeticChars)
  }
  catch [System.ArgumentException]
  {
    # retrieve information about runtime error
    $info = [PSCustomObject]@{
      Exception = $_.Exception.Message
      Reason    = $_.CategoryInfo.Reason
      Target    = $_.CategoryInfo.TargetName
      Script    = $_.InvocationInfo.ScriptName
      Line      = $_.InvocationInfo.ScriptLineNumber
      Column    = $_.InvocationInfo.OffsetInLine
    }  
    # output information. Post-process collected info, and log info (optional)
    $info
  }
}

Reply
Himanshu March 21, 2023 - 10:42 am

H Everyone,

Can somebody help me with creating new user with generating strong password with above script?

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • Deploy PowerShell Active Directory Module without Installing RSAT
  • How to Refresh AD Groups Membership without Reboot/Logoff?
  • Managing User Photos in Active Directory Using ThumbnailPhoto Attribute
  • Changing Desktop Background Wallpaper in Windows through GPO
  • Active Directory Dynamic User Groups with PowerShell
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top