
January 31, 2020 | Active Directory, PowerShell

Generating Strong Random Password with PowerShell

When creating new user accounts in Active Directory, an administrator sets a unique initial password for each account and communicates it to the user (usually the user is prompted to change this password at the first logon via the “User must change password at next logon” option of the AD userAccountControl attribute). If you do not want to invent a new random password for each user, or you are creating AD accounts from a PowerShell script, you can generate unique passwords automatically with a simple PowerShell script.

To generate a password, you can use the GeneratePassword method of the .NET System.Web.Security.Membership class. Let’s generate a strong random password with the following PowerShell commands:

# Import System.Web assembly
Add-Type -AssemblyName System.Web
# Generate random password
[System.Web.Security.Membership]::GeneratePassword(8,2)


The GeneratePassword method can generate a password of up to 128 characters. It takes two parameters: the password length (8 characters in my case) and the minimum number of non-alphanumeric (special) characters, such as !, -, $, &, @, #, % (2 special characters in my case). With these arguments the following password was generated for me: QX.9ogy: (the trailing colon is part of the password, giving 8 characters with 2 special ones).

It is not recommended to require more than one or two special characters in a user password; otherwise users will not be able to type it without mistakes (for example, k};E^]$|).

Thus, if you create new users with the New-ADUser PowerShell cmdlet and want to set unique passwords for them, use the following commands:

Add-Type -AssemblyName System.Web
# Generate the password into a variable first, so that you can hand it to the user
$NewPassword = [System.Web.Security.Membership]::GeneratePassword(8,2)
# -AccountPassword expects a SecureString, not the plain string GeneratePassword returns
New-ADUser -Name "Jeremy Irons" -GivenName "Jeremy" -Surname "Irons" -SamAccountName "jirons" -UserPrincipalName "jirons@woshub.com" -Path "OU=Users,OU=Glasgow,OU=UK,DC=woshub,DC=com" -AccountPassword (ConvertTo-SecureString $NewPassword -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true

Also, you can use the GeneratePassword method to reset Active Directory user passwords.
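One practical caveat with the approach above: System.Web is part of the .NET Framework only, so Add-Type -AssemblyName System.Web fails in PowerShell 7 (.NET Core). The following added example (written for this article, not code from the original post or from Microsoft) produces passwords of the same shape as GeneratePassword(length, minSpecialChars) using the platform CSPRNG, System.Security.Cryptography.RandomNumberGenerator, which is available in both Windows PowerShell and PowerShell 7. The function name New-RandomPassword and the character sets are constructed for the example; GeneratePassword’s own special-character set is larger.

```powershell
# Added example (not from the original article): a GeneratePassword-style generator that
# does not depend on System.Web, so it also runs in PowerShell 7 / .NET Core.
# Character sets are constructed for this example.
function New-RandomPassword {
    [CmdletBinding()]
    param(
        # Same meaning as GeneratePassword's two arguments: total length and the
        # minimum number of special (non-alphanumeric) characters
        [Parameter(Mandatory = $true)][ValidateRange(1, 128)][int]$Length,
        [ValidateRange(0, 128)][int]$MinSpecialChars = 1
    )
    if ($MinSpecialChars -gt $Length) {
        throw "MinSpecialChars ($MinSpecialChars) cannot exceed Length ($Length)"
    }

    $alnum   = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $special = [char[]]'!@#$%&*-_=+?'
    $all     = $alnum + $special
    # Platform cryptographic RNG (works on .NET Framework and .NET Core)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform index in [0, $Max) without modulo bias: draw one random byte and reject
    # values at or above the largest multiple of $Max that fits in a byte.
    function Get-UnbiasedIndex([int]$Max) {
        $buf   = New-Object byte[] 1
        $limit = 256 - (256 % $Max)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        return [int]($buf[0] % $Max)
    }

    try {
        $chars = New-Object 'System.Collections.Generic.List[char]'
        # Guarantee the minimum number of specials, then fill the rest from the full alphabet
        for ($i = 0; $i -lt $MinSpecialChars; $i++) {
            $chars.Add($special[(Get-UnbiasedIndex $special.Count)])
        }
        for ($i = $MinSpecialChars; $i -lt $Length; $i++) {
            $chars.Add($all[(Get-UnbiasedIndex $all.Count)])
        }
        # Fisher-Yates shuffle so the guaranteed specials are not clustered at the start
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UnbiasedIndex ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally {
        $rng.Dispose()
    }
}

# Usage: same shape as GeneratePassword(8,2) in the article
$NewPassword = New-RandomPassword -Length 8 -MinSpecialChars 2
$NewPassword
# New-ADUser -AccountPassword and Set-ADAccountPassword need a SecureString:
$SecurePassword = ConvertTo-SecureString $NewPassword -AsPlainText -Force
```

The rejection-sampling helper matters because the naive `byte % alphabetSize` slightly favours the first characters of the alphabet; the shuffle matters because otherwise the guaranteed special characters would always sit in the first positions of every password.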

If your company uses a strict password policy, a password generated with the GeneratePassword method may in some cases not meet the requirements of your AD domain password policy. Before setting the password for a user, you can make sure that it complies with the password complexity policy. Checking its length or whether it contains the username makes no sense here (you choose the length yourself and the password is random). What you can check is whether the password meets at least 3 requirements of the “Password must meet complexity requirements” policy (the password must contain characters from at least 3 of the following types: numbers, lower-case characters, UPPER-case characters, and special characters). If the check fails, you have to re-generate the password.

I have written a small PowerShell script that generates a new random password and checks if it meets the password complexity requirement:

Function GenerateStrongPassword ([Parameter(Mandatory=$true)][int]$PasswordLength)
{
    # GeneratePassword lives in System.Web (Windows PowerShell / .NET Framework only)
    Add-Type -AssemblyName System.Web
    # A password shorter than 4 characters can never contain all four character classes,
    # so the loop below would never terminate
    if ($PasswordLength -lt 4) { throw "PasswordLength must be at least 4" }
    $PassComplexCheck = $false
    do {
        $newPassword = [System.Web.Security.Membership]::GeneratePassword($PasswordLength, 1)
        # Require all four classes (stricter than the 3-of-4 domain policy):
        # upper-case letter, lower-case letter, digit and non-word (special) character
        If ( ($newPassword -cmatch "[A-Z\p{Lu}]") `
            -and ($newPassword -cmatch "[a-z\p{Ll}]") `
            -and ($newPassword -match "\d") `
            -and ($newPassword -match "[^\w]") )
        {
            $PassComplexCheck = $true
        }
    } While ($PassComplexCheck -eq $false)
    return $newPassword
}

To generate a password having 5 characters and at least one special character, run this command:

GenerateStrongPassword (5)


This script always returns a password that meets the character-class requirement of the AD password complexity policy (choose a length that also satisfies your minimum password length policy).
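The script above requires all four character classes, which is stricter than the policy itself. As an added example (written for this article, not the author’s or Microsoft’s code), the function below evaluates a candidate password the way the “Password must meet complexity requirements” policy is documented to: characters from at least three of five categories (the article names four; the fifth is letters that are neither upper- nor lower-case), no occurrence of the samAccountName (when it is at least 3 characters long), and no occurrence of any display-name part of 3 or more characters (parts are delimited by commas, periods, hyphens, underscores, spaces, pound signs and tabs). The function name Test-ADPasswordComplexity and the sample passwords are constructed; the account jirons / “Jeremy Irons” is the one from the article.

```powershell
# Added example (not from the original article): checks a candidate password against the
# rules of the "Password must meet complexity requirements" policy, so it can serve as
# the re-generation gate in a loop like the article's GenerateStrongPassword.
function Test-ADPasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$SamAccountName,
        [string]$DisplayName
    )
    # -cmatch so that \p{Lu} and \p{Ll} are not collapsed by case-insensitive matching
    $categories = [ordered]@{
        Upper       = $Password -cmatch '\p{Lu}'
        Lower       = $Password -cmatch '\p{Ll}'
        Digit       = $Password -cmatch '\d'
        Special     = $Password -cmatch '[^\p{L}\p{Nd}]'
        OtherLetter = $Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]'
    }
    $present = @($categories.GetEnumerator() | Where-Object { $_.Value }).Count
    $reasons = @()
    if ($present -lt 3) { $reasons += "only $present of 5 character categories present" }

    # The samAccountName (3+ characters) may not appear anywhere in the password, case-insensitively
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += "contains the account name '$SamAccountName'"
    }
    # Display-name parts of 3+ characters (split on , . - _ space # tab) may not appear either
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password -match [regex]::Escape($token)) {
            $reasons += "contains display-name part '$token'"
        }
    }
    [PSCustomObject]@{
        Password   = $Password
        Categories = $present
        Compliant  = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample inputs for the article's jirons / "Jeremy Irons" account, including the
# two passwords shown in the article (QX.9ogy: and k};E^]$|)
'QX.9ogy:', 'k};E^]$|', 'jirons2020', 'password', 'Irons-1234' |
    ForEach-Object { Test-ADPasswordComplexity -Password $_ -SamAccountName 'jirons' -DisplayName 'Jeremy Irons' } |
    Format-Table Password, Categories, Compliant, Reasons -AutoSize
```

Of the samples, QX.9ogy: covers four categories and k};E^]$| three, so both pass the category rule (the second is simply hard to type, as the article notes). jirons2020 fails twice (two categories, contains the account name), password fails on categories, and Irons-1234 has four categories yet is rejected because it contains the display-name part “Irons”; that last case is why a name check is worth keeping when the generated password is anything other than fully random.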

1 comment

Gyz August 13, 2016 - 9:32 pm

Didn’t know of this simple method, thanks for sharing. I turned your script into an easy foolproof function 😉
function Get-Password
{
  [CmdletBinding()]
  param
  (
    [Parameter(Mandatory=$false)]
    [int]
    $Length = (Read-Host 'Password length (1 - 128)'),

    [Parameter(Mandatory=$false)]
    [int]
    $NonAlphabeticChars = (Read-Host 'The number of Non-alphabetic characters')
  )
  try
  {
    Add-Type -AssemblyName System.Web
    [System.Web.Security.Membership]::GeneratePassword($Length,$NonAlphabeticChars)
  }
  catch [System.ArgumentException]
  {
    # retrieve information about runtime error
    $info = [PSCustomObject]@{
      Exception = $_.Exception.Message
      Reason    = $_.CategoryInfo.Reason
      Target    = $_.CategoryInfo.TargetName
      Script    = $_.InvocationInfo.ScriptName
      Line      = $_.InvocationInfo.ScriptLineNumber
      Column    = $_.InvocationInfo.OffsetInLine
    }
    # output information. Post-process collected info, and log info (optional)
    $info
  }
}
