Windows OS Hub

July 3, 2025

How to Reset an Active Directory User Password

Domain users can change their password either via the Windows Security menu after logging in, or directly from the Windows login screen if their password has expired. If a user forgets their password or their account is compromised, a domain administrator or a member of the Account Operators group can reset the password. This article will cover the main tools used to reset an Active Directory user’s password.

Contents:
  • Resetting a User’s Password in Active Directory (GUI)
  • Reset Active Directory User Passwords with PowerShell
  • Bulk User Password Change in AD with PowerShell
  • Change a Domain User’s Password from the Command Line
  • How to Audit Who Reset a Password for an AD User

Resetting a User’s Password in Active Directory (GUI)

Domain user passwords can be reset with the Active Directory Users and Computers (ADUC) graphical snap-in. This is the simplest and most intuitive graphical tool for changing a domain user’s password.

  1. Open the dsa.msc (ADUC) snap-in.
  2. Search for the AD user account whose password you want to change.
  3. Right-click on it and select Reset password.


Enter a new password (twice). Here you can enable two options:

  • User must change password at next logon – if you want users to set new passwords the next time they log on to the domain
  • Unlock user’s account – enable this option if you want to unlock the AD user (use this option if the account has been locked by the AD security policy due to failed login attempts. Learn more about finding the source of a user lockout in Active Directory).


The date of the last password change can be found in the user properties on the AD attribute editor tab. This value is stored in the pwdLastSet user attribute.


To reset a domain user’s password, your account must have the necessary privileges in the Active Directory (AD) domain. By default, non-admin regular AD users cannot reset the passwords of other accounts. These permissions are granted by default only to members of the Domain Admins and Account Operators groups. With Active Directory delegation, you can grant other user groups the right to reset user passwords in specific Organizational Units (OUs). The post at the link explains how to delegate password reset and user unlock permissions to the HelpDesk group.

To verify that your account has permission to reset a specific AD user’s password, open its properties in the ADUC console, go to the Security tab -> Advanced -> Effective Access. Specify the name of your account -> make sure that you have the ‘Reset Password’ permission.


Here is a way to reset the domain administrator password in case it is forgotten or lost.  

Reset Active Directory User Passwords with PowerShell

Use the PowerShell command Set-ADAccountPassword to reset a domain user’s password. In order to use this cmdlet, the Active Directory for Windows PowerShell module must be installed on a computer. In desktop Windows versions, this module is part of RSAT. In Windows Server, it is installed as a separate option of AD DS Snap-Ins and Command-Line Tools.

To reset a password for user jliebert and set a new password myP@ssw0rd112, run this command:

Set-ADAccountPassword jliebert -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "myP@ssw0rd112" -Force -Verbose) -PassThru


The GeneratePassword method in PowerShell can be used to generate random, complex passwords for users.

By default, the cmdlet returns the object and displays nothing in the console. Add the -PassThru option to display information about the user object in AD.

You can specify a username as sAMAccountName (as in our case), objectGUID, the user’s SID, or a DN (Distinguished Name, e.g., CN=jliebert,OU=Users,DC=woshub,DC=com).

If you do not specify the -Reset option when changing a user password, you will have to input the old account password first.

Note. The password reset command will return an error if the new password does not meet the complexity and length requirements specified in the domain password policy or fine-grained password policy (PSO).

Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.

If you have PowerShell command history enabled and want to avoid displaying passwords as plain text in the console, convert the password into a secure string in the same way as when creating a new user account:

$NewPasswd = Read-Host "Enter a new user password" -AsSecureString


You can now set a new password for the user:

Set-ADAccountPassword jliebert -Reset -NewPassword $NewPasswd -PassThru

Other useful commands often used when resetting a password are listed below:

  • Unlock the user account in Active Directory: Unlock-ADAccount -Identity jliebert
  • Require users to change their temporary passwords the next time they log on (this is achieved by enabling the ChangePasswordAtLogon flag in the userAccountControl object attribute): Set-ADUser -Identity jliebert -ChangePasswordAtLogon $True

Use the Get-ADUser cmdlet to verify that the user’s password has been successfully reset and to display the last password change date.

Get-ADUser jliebert -Properties * | select name, pass*


You can use the following PowerShell command to find out when a user’s password will expire based on the effective password policy settings.

Get-ADUser -Identity simonecole -Properties msDS-UserPasswordExpiryTimeComputed | select-object @{Name="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}


You can extend the password expiration date for an Active Directory user as follows.

Bulk User Password Change in AD with PowerShell

Sometimes, an administrator needs to change or reset the passwords of multiple users in a domain at once.

For example, the following command will set the same password for all Sales department employees and require them to change it at logon.

Get-ADuser -filter "department -eq 'Sales Dept' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Another password reset scenario: suppose you have a CSV or Excel file containing a list of users whose passwords need to be reset, each with a unique password. The format of the users.csv file is as follows:

sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
josephomoore;N$isory01
simonecole;k@32d3!2

The following PowerShell script imports a list of users and their new passwords from a CSV file and resets each user’s password.

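Import-Csv users.csv -Delimiter ";" | ForEach-Object {
    # Convert the plain-text value from the CSV into a SecureString
    $NewPass = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
    # Reset the password; the user is not forced to change it at next logon
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPass -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}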

Executing this code will set a new, unique password for all Active Directory users in the CSV file.
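An added example, not code from the original article: instead of one shared password or a plain-text CSV, each account gets a unique temporary password drawn from the OS cryptographic random number generator and must change it at logon. The function names New-TempPassword and Reset-WithTempPassword and the character sets are assumptions made here; the account names are the ones from users.csv above.

```powershell
# Added example: unique temporary passwords from the OS CSPRNG (function names are illustrative).
function New-TempPassword {
    param([ValidateRange(12, 128)][int]$Length = 16)
    # Ambiguous glyphs (l, o, I, O, 0, 1) are left out so the value can be read aloud.
    $classes = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-=?@_'
    $all     = -join $classes
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 1
    $limit   = 256 - (256 % $all.Length)        # reject bytes that would cause modulo bias
    try {
        do {
            $pw = -join (1..$Length | ForEach-Object {
                do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
                $all[$buf[0] % $all.Length]
            })
            # Retry until every character class is present, so the complexity requirement is met.
            $missing = $classes | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
        } while ($missing)
        $pw
    } finally { $rng.Dispose() }
}

function Reset-WithTempPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password and force change at logon')) {
            $pw = New-TempPassword
            Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
            # Hand the temporary value to the user over an out-of-band channel.
            [PSCustomObject]@{ sAMAccountName = $SamAccountName; TempPassword = $pw }
        }
    }
}

# Dry run over the account names from users.csv; drop -WhatIf to apply (requires the AD module).
'acidicjustine', 'josephomoore', 'simonecole' | Reset-WithTempPassword -WhatIf
```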

Change a Domain User’s Password from the Command Line

If you don’t have the ADUC console or the RSAT-AD-PowerShell module installed on a computer, you can reset the domain user password using the net user console command. To get information about a domain user, run the command:

net user jliebert /domain

The command line shows basic information about the user’s password properties in the domain:

Password last set            4/22/2022 2:15:15 AM
Password expires             Never
Password changeable          4/23/2022 2:15:15 AM
Password required            Yes
User may change password     Yes
Last logon                   4/22/2022 2:48:12 AM
Logon hours allowed   All

The “net user” output also includes the date of the last password change and the date the user last logged in to the domain (see how to check a user’s logon history in Active Directory).


To reset this user’s password, run the command:

net user jliebert /domain *


Enter a new password and confirm it:

Type a password for the user: xxxx
Retype the password to confirm: xxxx
The command completed successfully.

How to Audit Who Reset a Password for an AD User

To identify which administrator reset a user’s password, enable auditing of password reset events via domain Group Policy (GPO).

  1. Open the Domain GPO Management Console (gpmc.msc).
  2. Edit the Default Domain Controllers Policy and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
  3. Enable the policy Audit User Account Management (Define these policy settings: Success).
  4. After updating the Group Policy settings on the domain controller, the password reset events will be logged in the Event Viewer.
  5. Open the eventvwr.msc console and filter the Security log by Event IDs 4724 (the password was reset by the administrator) and 4723 (the user changed their password).
  6. The event description ‘An attempt was made to reset an account’s password’ contains the username for which the password was reset (Target Account), as well as the administrator account that made the change (Subject).
    To store more recent events in the Security log on a domain controller, you need to increase the maximum log size in Event Viewer.

PowerShell can be used to list all password change events from the Event Viewer logs. For example, this script will show the names of the administrator and the users whose passwords were reset.

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} | ForEach-Object {
    # Parse the event XML to reach the named EventData fields
    $xml = [xml]$_.ToXml()
    $data = $xml.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated   = $_.TimeCreated
        # Subject is the account that performed the reset
        SubjectUser   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        SubjectDomain = ($data | Where-Object Name -eq 'SubjectDomainName').'#text'
        # Target is the account whose password was reset
        TargetUser    = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        TargetDomain  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    }
} | Select TimeCreated, @{n='Subject';e={"$($_.SubjectDomain)\$($_.SubjectUser)"}}, @{n='Target';e={"$($_.TargetDomain)\$($_.TargetUser)"}}
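Listing the events is only the first step; the added example below (not part of the original article) applies two review rules to 4724 records: the resetter must be on an approved list, and resets of sensitive accounts always produce a finding. The allow-list, the sensitive-account list, the helper names and the sample events are assumptions constructed for illustration.

```powershell
# Added example: triage of Event ID 4724 records. Lists, names and sample events are constructed.
$ApprovedResetters = @('WOSHUB\helpdesk01')        # hypothetical delegated HelpDesk account
$SensitiveTargets  = @('Administrator', 'krbtgt')  # resets of these accounts always alert

function ConvertFrom-ResetEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [PSCustomObject]@{
        Time       = [datetime]$x.Event.System.TimeCreated.SystemTime
        Subject    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Target     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        TargetUser = $d['TargetUserName']
    }
}

function Get-ResetFinding {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $reasons = @()
        if ($Record.Subject -notin $ApprovedResetters) { $reasons += 'resetter not on allow-list' }
        if ($Record.TargetUser -in $SensitiveTargets)  { $reasons += 'sensitive target account' }
        if ($reasons) {
            $Record | Select-Object Time, Subject, Target, @{ n = 'Reason'; e = { $reasons -join '; ' } }
        }
    }
}

# Builds a minimal 4724 event in the same XML layout that ToXml() returns.
function New-SampleEvent([string]$Time, [string]$Subject, [string]$Target) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4724</EventID>" +
    "<TimeCreated SystemTime='$Time'/></System><EventData>" +
    "<Data Name='TargetUserName'>$Target</Data><Data Name='TargetDomainName'>WOSHUB</Data>" +
    "<Data Name='SubjectUserName'>$Subject</Data><Data Name='SubjectDomainName'>WOSHUB</Data>" +
    "</EventData></Event>"
}
$samples = @(
    (New-SampleEvent '2025-07-01T09:15:00Z' 'helpdesk01' 'jliebert'),       # approved HelpDesk reset
    (New-SampleEvent '2025-07-01T23:41:00Z' 'helpdesk01' 'Administrator'),  # sensitive target
    (New-SampleEvent '2025-07-02T03:05:00Z' 'simonecole' 'josephomoore')    # resetter not on the list
)
$samples | ForEach-Object { ConvertFrom-ResetEventXml $_ } | Get-ResetFinding

# Live data: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} |
#     ForEach-Object { ConvertFrom-ResetEventXml $_.ToXml() } | Get-ResetFinding
```

Event 4724 is written to the Security log of the domain controller that processed the reset, so run the live query against every domain controller.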
