How to Reset an Active Directory Password with PowerShell

Chaitanya


Using the GUI to reset Active Directory (AD) user passwords is fine. But the GUI is not always an efficient tool, especially when you need to reset multiple user passwords. Luckily, you have an alternative: the Set-ADAccountPassword PowerShell cmdlet.

With PowerShell, you can quickly reset AD user passwords and even generate complex random passwords automatically. And if needed, you can also create a script that can reset the AD user passwords in bulk. All of which you will learn in this article.

Let’s dig into the good stuff!

Prerequisites

To follow along with this hands-on tutorial, make sure you meet the following requirements.

  • An Active Directory (AD) domain. This article will be using a domain called HomeLab.Local.
  • A domain-joined Windows PC where you’ll be running commands or code to reset AD user passwords. This tutorial will use a Windows 10 computer.
  • The Remote Server Administration Tools (RSAT) already installed on the Windows PC.
  • Your domain user account must have permission to reset AD user passwords. Specifically, it needs the Reset Password extended right on the target user objects, which comes with membership in groups such as Account Operators or Domain Admins, or with an explicit delegation.
  • An AD user account whose password you will be resetting. The examples in this article will target the AD username user03.
  • A code editor, such as Visual Studio Code or Windows PowerShell ISE, which this tutorial will use. Feel free to use any code editor that you’re comfortable with.
  • This tutorial will assume that you have already logged in to the Windows PC and have a Windows PowerShell 5.1 window open.

Using the Set-ADAccountPassword Cmdlet to Reset AD User Passwords

Microsoft conveniently provides the ActiveDirectory PowerShell module as part of the RSAT installation. The ActiveDirectory module, in turn, includes the cmdlets admins use to manage many aspects of AD. And the Set-ADAccountPassword cmdlet is the main star when you need to reset passwords.

Resetting a User Password

Before you can reset an AD user password, you need two pieces of information ready: the AD user's identity and the new password to assign. These two values are what you will provide to Set-ADAccountPassword.

Now that you know which cmdlet to use, and the minimum required values, follow the steps below to reset an AD user’s password.

1. First, create the secure string representation of the new password by running the command below in PowerShell. This command converts the plaintext password into a SecureString and saves it to a variable.

$NewPwd = ConvertTo-SecureString "[email protected]" -AsPlainText -Force

TIP: Make sure that the new password complies with your organization's AD password complexity requirements. Also keep in mind that a password literal typed like this is written to the PSReadLine history file (ConsoleHost_history.txt) and to any transcript or script block log that is running. For an interactive reset, Read-Host -AsSecureString gets you the same SecureString without leaving the password on disk.

2. Next, reset the AD user's password by running the Set-ADAccountPassword command below. The -Identity parameter accepts the AD user's ID, while the -NewPassword parameter accepts the secure password object you created in the previous step. Lastly, the -Reset switch makes this an administrative reset: it requires only the Reset Password permission on the account and no knowledge of the old password. Without -Reset, the cmdlet performs a password change instead and prompts for -OldPassword.

Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset

The valid AD user identity values that the -Identity parameter accepts are:

  • Distinguished name (DN)
  • GUID (objectGUID)
  • Security identifier (objectSid)
  • SAM account name (sAMAccountName)

Unless there was an error in the password reset process, the command produces no output. If you want confirmation, add the -PassThru switch to return the modified account object, or read the account's PasswordLastSet property back afterward with Get-ADUser.

3. Optionally, to force the user to change the password at the next logon, run the Set-ADUser command below with the -ChangePasswordAtLogon $true parameter. Note that Set-ADUser refuses to set this flag on an account that has "Password never expires" enabled; clear that flag first.

Set-ADUser -Identity user03 -ChangePasswordAtLogon $true

Resetting a User Password using Alternative Administrator Credentials

Some organizations require administrators to have two user accounts: a standard account for day-to-day work and a separate privileged account for administration. Splitting roles this way is common practice from a security standpoint, because it limits what a compromised everyday account (and the browser, mail client and documents it opens) can do.

If your account falls under this setup, do you have to log off and switch to your admin account to reset an AD user's password? Not necessarily.

Thanks to the -Credential parameter, you can pass your admin credential to Set-ADAccountPassword. The cmdlet then talks to the domain controller in the context of your admin account while you stay logged on as your standard user. Follow the instructions below to do so.

1. First, capture your admin credential using the Get-Credential cmdlet and save it to a variable by running the command below.

$Credential = Get-Credential

2. Enter your admin username and password at the credential request prompt, then click OK.

Capturing your admin credential

3. Finally, run the commands from the below snippet to reset the AD user’s password.

# Create the secured password
$NewPwd = ConvertTo-SecureString "[email protected]" -AsPlainText -Force

# Reset the AD user password (-Reset = administrative reset) in the context of the admin credential
Set-ADAccountPassword -Identity user03 -NewPassword $NewPwd -Reset -Credential $Credential
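The three single-user steps above (secure the password, reset it, force a change at next logon) and the -Credential variant fit naturally into one reusable function. The following is an added example, not code from the original article: it takes the new password as a SecureString so nothing plaintext lands in PSReadLine history or a transcript, optionally runs under alternate admin credentials, supports -WhatIf, and verifies the reset by reading PasswordLastSet back. The function and parameter names are this example's own.

```powershell
# Added example (not from the original article). Requires RSAT's ActiveDirectory module.
#Requires -Modules ActiveDirectory

function Reset-ADUserPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Identity,           # sAMAccountName, DN, objectGUID or SID
        [Parameter(Mandatory)][securestring]$NewPassword,  # never a plaintext string
        [pscredential]$Credential,                         # your admin account in a split-role setup
        [switch]$MustChangeAtNextLogon
    )

    # Common parameters for every AD call: fail loudly, and use the admin credential if given.
    $ad = @{ ErrorAction = 'Stop' }
    if ($Credential) { $ad['Credential'] = $Credential }

    # Resolve the identity first so a typo fails before anything is changed.
    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordNeverExpires @ad

    if ($MustChangeAtNextLogon -and $user.PasswordNeverExpires) {
        # Set-ADUser rejects -ChangePasswordAtLogon on such accounts; do not silently
        # alter the account's expiry policy, make the caller decide.
        throw "$($user.SamAccountName) has PasswordNeverExpires set; clear it before forcing a change at logon."
    }

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) { return }

    # -Reset makes this an administrative reset: only the Reset Password right is needed
    # and no old password. Without -Reset the cmdlet performs a change and prompts for -OldPassword.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword @ad

    if ($MustChangeAtNextLogon) {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true @ad
    }

    # Verify: on a successful reset PasswordLastSet moves to now; if the change-at-logon
    # flag was set it reads back as $null because pwdLastSet has been zeroed.
    $after = Get-ADUser -Identity $user -Properties PasswordLastSet, PasswordExpired @ad
    [pscustomobject]@{
        User                 = $after.SamAccountName
        PasswordLastSet      = $after.PasswordLastSet
        MustChangeAtNextLogon = ($null -eq $after.PasswordLastSet)
    }
}

# Usage: prompt for the password instead of typing it on the command line.
# $pw    = Read-Host -AsSecureString -Prompt 'New password for user03'
# $admin = Get-Credential
# Reset-ADUserPassword -Identity user03 -NewPassword $pw -Credential $admin -MustChangeAtNextLogon -WhatIf
# Reset-ADUserPassword -Identity user03 -NewPassword $pw -Credential $admin -MustChangeAtNextLogon
```

Each reset performed this way is recorded on the domain controller as security event 4724 ("An attempt was made to reset an account's password") under the account that ran it, so when you use -Credential the audit trail shows your admin account, not your everyday one.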

Resetting Multiple User Passwords

So far, you’ve only been resetting single-user passwords using the Set-ADAccountPassword cmdlet. But working with PowerShell allows you to execute bulk operations through scripting. And through scripting, you can reset the password of multiple users in one go.

Before you start typing your script, you first need to define the high-level steps that your script will perform. Based on what you've learned so far in this article, your script should:

  • Read a list of AD user identities from a text file.
  • Generate a random password for each user.
  • Reset each user’s password.
  • Force a password change at the next user log in.
  • Output the user identity and the new password.

With the high-level steps in mind, you can now fire up your code editor and start scripting.

1. First, create the text file with a list of user identities. This file will serve as input for your script. In this example, the text file is C:\Temp\userlist.txt and contains the user IDs below.

 user01
 user02
 user03

2. Next, open your code editor and create a new file called reset-password.ps1. Place this file in any folder that you want. In this example, the script will be in C:\Temp.

3. Once you’ve created the reset-password.ps1 script, copy the code below, paste it into your code editor, and save the script.

# Import the ActiveDirectory module (installed with RSAT).
Import-Module ActiveDirectory

# Grab the list of users from a text file, ignoring blank lines.
$ListOfUsers = Get-Content C:\Temp\userlist.txt | Where-Object { $_.Trim() -ne '' }

foreach ($user in $ListOfUsers) {
    $user = $user.Trim()
    # Generate a 15-character random password from printable ASCII (codes 33-126).
    # -Maximum is exclusive, hence 127. Drawing one character at a time allows repeats
    # (Get-Random -Count 15 over the range would pick 15 distinct codes). Note that
    # Get-Random is not a cryptographic RNG and nothing here guarantees the result
    # meets AD's complexity rule.
    $Password = -join (1..15 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
    # Convert the password to a secure string.
    $NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force
    try {
        # Assign the new password to the user (administrative reset).
        Set-ADAccountPassword -Identity $user -NewPassword $NewPwd -Reset -ErrorAction Stop
        # Force the user to change the password at next logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        # Display the user ID and new password on the console (a running transcript captures this too).
        Write-Host $user, $Password
    }
    catch {
        # Report the failure and continue with the next user instead of aborting the batch.
        Write-Warning "Failed to reset ${user}: $($_.Exception.Message)"
    }
}

4. Finally, run the script by executing its full path in PowerShell as you can see below.

C:\Temp\reset-password.ps1

As a result, the script prints each user with their corresponding new password, as the image below shows. You can now hand these passwords to their respective users through a channel you trust. Remember that console output is also captured by any PowerShell transcript that is running, so clear the screen and do not leave the passwords sitting in logs.

Resetting multiple passwords
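The bulk script above has three weaknesses a practitioner would want fixed before running it against real accounts: Get-Random is not a cryptographic RNG, the generated password is not guaranteed to pass AD's complexity rule, and the passwords are echoed to the console where a transcript captures them. The following is an added example, not part of the original article, that addresses all three: a CSPRNG-based generator that includes at least one character from each class and shuffles the result, per-user error handling, -WhatIf support, and results written to a CSV file instead of the screen. The file paths, function and parameter names are this example's own.

```powershell
# Added example (not from the original article). Assumes RSAT's ActiveDirectory
# module and the same input file layout as the article: one sAMAccountName per line.
#Requires -Modules ActiveDirectory

function Get-SecureRandomIndex {
    # Unbiased index in [0, $Count) from a CSPRNG. Rejection sampling discards draws
    # in the top partial bucket so the modulo does not skew the distribution.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [Parameter(Mandatory)][int]$Count
    )
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Count)
    do {
        $Rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % [uint32]$Count)
}

function New-RandomPassword {
    # At least one character from each of four classes satisfies the default domain
    # complexity rule (three of four classes); the shuffle keeps the forced characters
    # from always sitting at the front.
    param([int]$Length = 16)
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',   # I and O dropped: easily confused with 1 and 0
        'abcdefghijkmnpqrstuvwxyz',   # l dropped for the same reason
        '23456789',
        '!#$%&*+-=?@_'
    )
    $all = -join $classes
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = [System.Collections.Generic.List[char]]::new()
        foreach ($set in $classes) { $chars.Add($set[(Get-SecureRandomIndex -Rng $rng -Count $set.Length)]) }
        while ($chars.Count -lt $Length) { $chars.Add($all[(Get-SecureRandomIndex -Rng $rng -Count $all.Length)]) }
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {      # Fisher-Yates shuffle
            $j = Get-SecureRandomIndex -Rng $rng -Count ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

function Reset-ADUserPasswordBulk {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$UserListPath,
        [Parameter(Mandatory)][string]$OutputCsv,
        [pscredential]$Credential,
        [int]$Length = 16
    )
    $ad = @{ ErrorAction = 'Stop' }
    if ($Credential) { $ad['Credential'] = $Credential }

    $users = Get-Content -Path $UserListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $results = foreach ($user in $users) {
        if (-not $PSCmdlet.ShouldProcess($user, 'Reset password and require change at next logon')) { continue }
        $plain = New-RandomPassword -Length $Length
        try {
            Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force) @ad
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true @ad
            [pscustomobject]@{ User = $user; Password = $plain; Status = 'OK' }
        }
        catch {
            # One unknown identity or denied reset should not stop the rest of the batch.
            [pscustomobject]@{ User = $user; Password = $null; Status = $_.Exception.Message }
        }
    }

    # Write the passwords to a file rather than echoing them, so a transcript or console
    # log does not capture them. The file is still sensitive: keep it on an encrypted
    # volume, restrict its ACL, and delete it once the passwords have been handed out.
    if ($results) { $results | Export-Csv -Path $OutputCsv -NoTypeInformation }
    $results | Select-Object User, Status    # summary only, no passwords on screen
}

# Usage (paths are assumptions). Dry-run with -WhatIf first, then for real:
# Reset-ADUserPasswordBulk -UserListPath C:\Temp\userlist.txt -OutputCsv C:\Temp\reset-results.csv -WhatIf
# Reset-ADUserPasswordBulk -UserListPath C:\Temp\userlist.txt -OutputCsv C:\Temp\reset-results.csv
```

The -WhatIf run lists every account the script would touch without changing anything, which is the check you want before a bulk reset: a stray line in userlist.txt is otherwise an unplanned lockout of whoever that identity resolves to.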

Using ADSI to Reset AD User Passwords

Did you know that you can also reset an AD user password by using the Active Directory Service Interfaces (ADSI) from PowerShell? Using ADSI is especially useful on systems where RSAT is not installed, and it works with older PowerShell versions and any version of Active Directory.

Follow the steps below to reset an AD user password using ADSI in PowerShell.

The following steps assume that you are using a computer without the RSAT feature.

1. Find the distinguished name of the AD user. In this example, the user03 user's distinguished name is CN=user03,CN=Users,DC=HomeLab,DC=Local, which you prefix with LDAP:// to form the ADsPath used below.

2. Create an ADSI object containing the AD user by running the code below.

$userid = [ADSI]"LDAP://CN=user03,CN=Users,DC=HomeLab,DC=Local"

Note: The LDAP provider name in the path must be uppercase (LDAP://). ADSI provider monikers are case-sensitive, so with ldap:// the bind fails and the password reset will not work.

3. Now, set the AD user's password by running the command below. This command invokes the ADSI object's SetPassword method, which is an administrative reset (no old password needed).

$userid.psbase.invoke("SetPassword",'[email protected]')

4. Finally, run the command below to invoke the ADSI object's CommitChanges() method. SetPassword itself takes effect immediately, so CommitChanges() here flushes any other pending attribute writes on the object (it is the equivalent of SetInfo()); calling it after a bare SetPassword is harmless.

$userid.psbase.CommitChanges()
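Step 1 above assumes you already know the user's distinguished name. The following is an added example, not part of the original article, that fills that gap with the same ADSI machinery: it discovers the domain's naming context from RootDSE, looks the user up by sAMAccountName with DirectorySearcher (escaping the value so it cannot alter the LDAP filter), performs the SetPassword reset, and optionally forces a change at next logon by zeroing pwdLastSet. An optional credential binds as a different account, mirroring the -Credential parameter of Set-ADAccountPassword. The function and parameter names are this example's own.

```powershell
# Added example (not from the original article). Uses only System.DirectoryServices,
# which ships with Windows PowerShell, so no RSAT module is required.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: without this, a name such as "*" or "x)(admincount=1" would
    # change the meaning of the search filter (LDAP filter injection).
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Reset-ADUserPasswordAdsi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [pscredential]$Credential,            # bind as this account instead of the logged-on user
        [switch]$MustChangeAtNextLogon
    )

    # Discover the domain naming context instead of hard-coding DC=HomeLab,DC=Local.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainPath = "LDAP://$($rootDse.defaultNamingContext)"

    if ($Credential) {
        $nc   = $Credential.GetNetworkCredential()
        $root = New-Object System.DirectoryServices.DirectoryEntry($domainPath, $nc.UserName, $nc.Password)
    }
    else {
        $root = New-Object System.DirectoryServices.DirectoryEntry($domainPath)
    }

    $filter   = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $result   = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found under $($rootDse.defaultNamingContext)" }

    # The entry is bound with the same credentials as $root.
    $user = $result.GetDirectoryEntry()

    # IADsUser.SetPassword needs the plaintext; decode the SecureString only for the call
    # and wipe the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Administrative reset. ADSI tries LDAP over SSL, then Kerberos, then the
        # NetUserSetInfo RPC, so the password is not sent in the clear.
        $user.psbase.Invoke('SetPassword', $plain)
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    if ($MustChangeAtNextLogon) {
        # pwdLastSet = 0 is exactly what "User must change password at next logon" sets.
        $user.psbase.Properties['pwdLastSet'].Value = 0
        $user.psbase.CommitChanges()
    }

    return $user.psbase.Path   # e.g. LDAP://CN=user03,CN=Users,DC=HomeLab,DC=Local
}

# Usage:
# $pw = Read-Host -AsSecureString -Prompt 'New password for user03'
# Reset-ADUserPasswordAdsi -SamAccountName user03 -NewPassword $pw -MustChangeAtNextLogon
```

The escaping helper matters even for an admin tool: if the sAMAccountName values come from a ticketing system or a CSV, an unescaped "*" would match the first user the search happens to return, and that is the account whose password gets reset.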

Conclusion

This article aims to teach you a better alternative to resetting AD user passwords. You’ve learned different ways to reset AD user passwords using PowerShell using the Set-ADAccountPassword cmdlet and ADSI.

With the knowledge you now have, would you still go back to painstakingly resetting passwords using the GUI? Or will you take a step further and develop a reusable AD password function?
