In this article we'll consider how to change (or reset) a user's Active Directory password using the PowerShell cmdlet Set-ADAccountPassword.
Most administrators change (reset) AD user passwords through the graphical snap-in dsa.msc (Active Directory Users & Computers). To do it, you run the ADUC console, search for the user account in the AD domain, right-click it and select Reset password. This is a simple and straightforward way to reset the password of the currently selected user.
But you won’t be able to use the ADUC console to reset passwords of multiple users or use the reset password procedure as one of the automation script actions. In this case, you can reset AD passwords using the PowerShell command prompt.
Using Set-ADAccountPassword to Reset User’s Password in Active Directory
To reset a user password in AD, the Set-ADAccountPassword cmdlet is used. It is part of the Active Directory module for Windows PowerShell (on desktop Windows versions the module is part of RSAT; on server editions it is installed as a separate feature, AD DS Snap-Ins and Command-Line Tools). Before using the AD cmdlets, you must import the module into your PowerShell session:
Import-Module ActiveDirectory
To reset a user password, your account must have the corresponding privileges in the AD domain. By default, non-admin AD users cannot reset passwords of other accounts. To allow a user or a group of users to reset passwords of other users, you must delegate the Reset Password permission on the AD container (Organizational Unit), or add the account to the built-in domain group Account Operators.
To verify that your account has the permissions to reset the password of a specific AD user, open its properties, go to the Security tab -> Advanced -> Effective Access -> specify the name of your account -> make sure that you have Reset Password permission.
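The Effective Access tab answers the question for one account at a time. The following script, added here as an example and not part of the original article, walks the ACL of an OU and lists every principal that holds the Reset Password control access right on it, which is useful when auditing who can run the reset described below. The OU distinguished name is a placeholder; the GUID is the well-known identifier of the User-Force-Change-Password (Reset Password) extended right.

```powershell
# Added example: audit which principals can reset passwords of users in a given OU.
# Requires the ActiveDirectory module (it also provides the AD: PSDrive used by Get-Acl).
Import-Module ActiveDirectory

# Well-known GUID of the "User-Force-Change-Password" (Reset Password) control access right
$ResetPasswordRightGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordDelegation {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OUDistinguishedName)
    $acl.Access |
        Where-Object {
            $rights = $_.ActiveDirectoryRights
            # GenericAll (Full Control) implicitly includes every extended right
            $isFullControl = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
            $isExtended    = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            # An empty ObjectType on an ExtendedRight ACE means "all extended rights"
            $coversReset   = ($_.ObjectType -eq $ResetPasswordRightGuid) -or ($_.ObjectType -eq [Guid]::Empty)

            $_.AccessControlType -eq 'Allow' -and ($isFullControl -or ($isExtended -and $coversReset))
        } |
        Select-Object IdentityReference, IsInherited,
            @{ n = 'Scope'; e = {
                if (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { 'Full Control' }
                elseif ($_.ObjectType -eq [Guid]::Empty) { 'All extended rights' }
                else { 'Reset Password only' }
            } }
}

# Placeholder OU; replace with the container whose delegation you want to review
Get-ResetPasswordDelegation -OUDistinguishedName 'OU=Users,DC=contoso,DC=com' | Format-Table -AutoSize
```

Entries whose IsInherited value is True come from a parent container or the domain head, so an unexpected principal in the output should be traced upward to where the delegation was actually granted.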
To reset a password for the user enduser and set a new password myP@ssw0rd112, run this command:
Set-ADAccountPassword enduser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "myP@ssw0rd112" -Force -Verbose) -PassThru
By default, the cmdlet displays nothing in the console. To return the modified user object and display its information, add the -PassThru parameter.
As the user identity you can specify the sAMAccountName (as in our case), the objectGUID, the user's SID or a DN (Distinguished Name, e.g. CN=enduser,OU=Users,DC=contoso,DC=com).
If you don't specify the -Reset parameter when changing a user password, you must enter both the old and the new account password manually.
Note. When resetting the password using the Set-ADAccountPassword cmdlet you can see the following error:
Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.
It means that the new password does not meet the complexity, length or history requirements defined in the domain password policy, or in a fine-grained password policy the account is subject to.
If you have PowerShell command history enabled and you don't want passwords to appear in the console and the history file as plain text, read the password into a secure string in the same way as when creating a new user account:
$NewPasswd = Read-Host "Enter a new user password" -AsSecureString
Now reset the password:
Set-ADAccountPassword enduser -Reset -NewPassword $NewPasswd -PassThru
When resetting a password, you can also unlock the account if it is currently locked out:
Unlock-ADAccount -Identity enduser
To force the user to change the password at the next logon to the domain, run the following command:
Set-ADUser -Identity enduser -ChangePasswordAtLogon $true
You can combine the password reset and the requirement to change the password at next logon (this is the userAccountControl object attribute) in a PowerShell one-liner:
Set-ADAccountPassword enduser -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $true
Using the Get-ADUser cmdlet, you can make sure that the password has been reset successfully by displaying the password-related attributes, including the date of the last password change (PasswordLastSet):
Get-ADUser enduser -Properties * | Select-Object Name, pass*
When a password is reset, Event ID 4724 (An attempt was made to reset an account's password) is recorded in the Security log of the domain controller (DC) that processed the reset. This event lets you find out who reset a user's password in AD.
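The following script, added here as an example and not taken from the original article, reads those 4724 events from a domain controller's Security log and turns them into a list of who reset whose password, so that resets performed by accounts outside the expected helpdesk or automation identities stand out. The DC name and the allow-list are placeholders; the events exist only if the Audit User Account Management subcategory is enabled on the DC, and reading a remote Security log requires the corresponding log-reader rights.

```powershell
# Added example: list recent password resets (Security event 4724) from a DC.
function Get-PasswordResetEvents {
    param(
        [string]$ComputerName = 'dc01.contoso.com',   # placeholder DC name
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The EventData fields (SubjectUserName, TargetUserName, ...) are only exposed via the XML view
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ResetBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Target    = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Succeeded = ($_.KeywordsDisplayNames -contains 'Audit Success')
                DC        = $ComputerName
            }
        }
}

# Usage: show resets performed by anyone who is not on the expected list (placeholder allow-list)
$expectedResetters = @('CONTOSO\helpdesk-svc')
Get-PasswordResetEvents -Hours 24 |
    Where-Object { $_.ResetBy -notin $expectedResetters } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Each DC logs only the resets it handled itself, so in a multi-DC domain the function has to be run against every DC (or the events collected centrally) to get a complete picture; a failed reset, for example one rejected by the password policy, still produces a 4724 event with the Audit Failure keyword.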
Using PowerShell to Reset Multiple AD User Passwords
Above we have shown how to reset the password of a single AD user from the PowerShell console. Let's consider another scenario, where you need to change the passwords of multiple users at once.
The easiest case is when you have to reset the passwords of users that share the same AD account property. For example, you need to change the passwords of all Sales department users to the same one and make them change it at the next logon:
Get-ADUser -Filter "department -eq 'Sales Dept' -and enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $true
Let's consider another case. Suppose you have a CSV / Excel file with a list of users whose passwords you want to reset, and you want to set a unique password for every user. Here is the format of the users.csv file:
sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
josephomoore;N$isory01
simonecole;k@32d3!2
Using this PowerShell script, you can reset the password of each account listed in the CSV file:
Import-Csv users.csv -Delimiter ";" | ForEach-Object {
$NewPass = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPass -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}
After this script has run, a new unique password is set for every AD user listed in the file.
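The loop above stops reporting at the first user that fails, for example because one of the new passwords violates the domain policy (the error shown earlier) or because a sAMAccountName in the file does not exist. The version below, added here as an example and not part of the original article, keeps the same users.csv format but handles each failure per user and emits a result object per account so the outcome can be logged. The result file name is a placeholder; the exception class names are those thrown by the ActiveDirectory module, and -ErrorAction Stop is what makes the cmdlet's errors catchable.

```powershell
# Added example: bulk reset from users.csv with per-user error handling and a result record.
Import-Module ActiveDirectory

function Reset-ADPasswordFromCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Delimiter = ';',
        [switch]$ChangeAtNextLogon
    )
    Import-Csv -Path $Path -Delimiter $Delimiter | ForEach-Object {
        $sam    = $_.sAMAccountName
        $result = [ordered]@{ User = $sam; Status = ''; Error = '' }
        try {
            $secure = ConvertTo-SecureString -String $_.NewPassword -AsPlainText -Force
            # -ErrorAction Stop turns the cmdlet's non-terminating error into a catchable exception
            $user = Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure -PassThru -ErrorAction Stop
            if ($ChangeAtNextLogon) { $user | Set-ADUser -ChangePasswordAtLogon $true -ErrorAction Stop }
            # A reset is usually accompanied by an unlock, as in the single-user case above
            Unlock-ADAccount -Identity $user -ErrorAction Stop
            $result.Status = 'Reset'
        }
        catch [Microsoft.ActiveDirectory.Management.ADPasswordComplexityException] {
            # "The password does not meet the length, complexity, or history requirement of the domain."
            $result.Status = 'PolicyViolation'
            $result.Error  = $_.Exception.Message
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $result.Status = 'NotFound'
            $result.Error  = $_.Exception.Message
        }
        catch {
            $result.Status = 'Failed'
            $result.Error  = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage: show the outcome per account and keep a record (placeholder file name)
Reset-ADPasswordFromCsv -Path .\users.csv -ChangeAtNextLogon |
    Tee-Object -Variable results |
    Format-Table -AutoSize
$results | Export-Csv -Path .\reset-results.csv -NoTypeInformation
```

Because the CSV holds the new passwords in plain text, treat it like any other credential file: restrict who can read it while the job runs and delete it once the result record has been saved, since the 4724 events on the DC already preserve who was reset and when.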