Windows OS Hub

June 8, 2023 | Active Directory, PowerShell

How to Reset an Active Directory User Password with PowerShell and ADUC

In this article, we will look at how to change (reset) the password of one or multiple Active Directory users using the Active Directory Users and Computers graphical snap-in (ADUC), from the command line, or using the Set-ADAccountPassword PowerShell cmdlet.

Contents:
  • Reset User Password with the Active Directory Console (Dsa.msc)
  • How to Reset a User’s Password in Active Directory with PowerShell?
  • How to Change Password for Multiple AD Users with PowerShell?
  • Changing Domain User Passwords from the Command Line

Reset User Password with the Active Directory Console (Dsa.msc)

You can use the dsa.msc (Active Directory Users & Computers – ADUC) graphical snap-in to reset an Active Directory user’s password. Open the ADUC console and search for the user account for which you want to change the password. Right-click on it and select Reset password.


Enter a new password (twice). Here you can enable two options:

  • User must change password at next logon – enable this option if you want the user to set a new password at the next logon;
  • Unlock user’s account – enable this option if you want to unlock the user (if the account is locked by the AD security policy due to multiple login attempts with an incorrect password).


This is the easiest and most intuitive way to reset a domain user’s password.

Also, on the Attribute Editor tab of the user properties, you can find the date of the last password change. This value is stored in the pwdLastSet user attribute.


To reset a user password, your account must have the appropriate privileges in the AD domain. By default, non-admin AD users cannot reset passwords of other accounts, and only members of the built-in Domain Admins and Account Operators groups have these rights.

You can grant other user groups permission to reset user passwords in specific OUs using Active Directory delegation, for example by delegating the permissions to reset passwords and unlock users to the HelpDesk group.

To check that your account has the permissions to reset the password of a specific AD user, open its properties, go to the Security tab -> Advanced -> Effective Access -> specify the name of your account -> make sure that you have Reset Password permission.


How to Reset a User’s Password in Active Directory with PowerShell?

You can use the Set-ADAccountPassword cmdlet to reset an Active Directory user’s password using PowerShell. This cmdlet is part of the Active Directory module for Windows PowerShell (in the desktop Windows editions it is part of RSAT). Import this module into your PowerShell session:

Import-Module ActiveDirectory

To reset a password for the user jliebert and set a new password myP@ssw0rd112, run this command:

Set-ADAccountPassword jliebert -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "myP@ssw0rd112" -Force) -Verbose -PassThru


To automatically generate complex passwords for users, you can use the GeneratePassword method described in the article Generating Strong Random Passwords with PowerShell.

By default, the cmdlet displays nothing in the console. To display the information about the user object in AD, you can use the -PassThru parameter.

You can specify sAMAccountName (as in our case), objectGUID, user’s SID, or a DN (Distinguished Name, e.g., CN=jliebert,OU=Users,DC=woshub,DC=com) as a user name.

If you don’t specify the -Reset parameter when changing a user password, you must manually input the old and new account passwords.

Note. If an error occurs when resetting the user password using the Set-ADAccountPassword cmdlet:

Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.

This means that the new password does not meet the complexity, length, or other requirements defined in the domain password policy or in the fine-grained password policy that applies to the account.

You can get the resulting password policy settings for a domain user as follows:

Get-ADUserResultantPasswordPolicy -Identity jliebert

If you have the PowerShell command history enabled and you don’t want passwords to be displayed in the PoSh console as plain text, you must convert the password into a secure string in the same way as when creating a new user account (you can read more about password protection in PowerShell scripts here):

$NewPasswd = Read-Host "Enter a new user password" -AsSecureString


You can now set a new password for the user:

Set-ADAccountPassword jliebert -Reset -NewPassword $NewPasswd -PassThru

When resetting a user password, you can force the account to unlock, if it was locked earlier (to find out from which computer the account is locked, read the article How to Find the Source of Account Lockouts in Active Directory?):

Unlock-ADAccount -Identity jliebert

To force a user to change his password the next time he logs in to the domain, run the following command:

Set-ADUser -Identity jliebert -ChangePasswordAtLogon $true

You can combine the password change command and the requirement to change the password (this is the userAccountControl object attribute) with the PowerShell one-liner:

Set-ADAccountPassword jliebert -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True

Using the Get-ADUser cmdlet, you can make sure that the password has been successfully reset and display the last date of the account password change:

Get-ADUser jliebert -Properties * | select name, pass*


When a password is reset, Event ID 4724 is logged in the Security log on the domain controller (DC). This event can help you identify the account that reset the user’s password.
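The following added example (not code from the original article) shows one way to turn Event ID 4724 records into "who reset whose password" rows and flag resets made by unexpected accounts. The function name, the allow-list parameter, and the sample event (dc01, helpdesk1, admin1) are constructed for illustration.

```powershell
# Added example: summarize Event ID 4724 records as "who reset whose password".
function ConvertFrom-PasswordResetEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        # Hypothetical allow-list of accounts expected to reset passwords
        [string[]]$ExpectedOperators = @()
    )
    process {
        $evt = ([xml]$EventXml).Event
        # EventData is a list of <Data Name="...">value</Data>; index it by name
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $operator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        [pscustomobject]@{
            TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
            DC          = $evt.System.Computer
            ResetBy     = $operator
            Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            # Flag resets made by accounts outside the allow-list (if one was given)
            Unexpected  = ($ExpectedOperators.Count -gt 0) -and ($operator -notin $ExpectedOperators)
        }
    }
}

# Constructed sample event (trimmed to the fields used above), so this runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2023-06-08T10:15:30.0000000Z" />
    <Computer>dc01.woshub.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jliebert</Data>
    <Data Name="TargetDomainName">WOSHUB</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">WOSHUB</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-PasswordResetEvent -ExpectedOperators 'WOSHUB\admin1'

# On a domain controller (requires rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-PasswordResetEvent
```

For the sample event, the row shows WOSHUB\helpdesk1 resetting WOSHUB\jliebert with Unexpected set to True, because helpdesk1 is not in the allow-list passed on the command line.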

You can find out when a user’s password expires according to the effective password policy settings using the PowerShell command:

Get-ADUser -Identity simonecole -Properties msDS-UserPasswordExpiryTimeComputed | select-object @{Name="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}

How to Change Password for Multiple AD Users with PowerShell?

Above, we showed you how to reset the password of a single AD user using PowerShell. Now let’s look at another scenario where you need to change multiple users’ passwords at once.

For example, you want to reset the password of all employees in the Sales department to the same password and force them to change it the next time they log in. You can use the Get-ADUser –Filter command to select users with a specific value in one of the attributes:

Get-ADUser -Filter "department -eq 'Sales Dept' -and enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True

Let’s look at another example. Suppose you have a CSV/Excel file that contains a list of users whose passwords need to be reset and a unique password for each user. Here is the format of the users.csv file:

sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
josephomoore;N$isory01
simonecole;k@32d3!2

You can reset a password for each user account in the specified CSV file with the following PowerShell script:

Import-Csv users.csv -Delimiter ";" | ForEach-Object {
    # Convert the plain-text password from the CSV into a SecureString
    $NewPass = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPass -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}

After this code is executed, a new unique password will be set for all AD users in the file.
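An added variant of the script above (not the article's own code): it handles errors per user, returns a status report without the passwords, and forces a change at next logon because the passwords were stored in a file. The function name Reset-ADPasswordFromCsv is hypothetical; the sample row reuses the article's users.csv format.

```powershell
# Added example: CSV-driven reset with per-user error handling and a report.
Import-Module ActiveDirectory

function Reset-ADPasswordFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        $status = 'Reset'
        try {
            $secure = ConvertTo-SecureString -String $row.NewPassword -AsPlainText -Force
            if ($PSCmdlet.ShouldProcess($row.sAMAccountName, 'Reset password')) {
                Set-ADAccountPassword -Identity $row.sAMAccountName -NewPassword $secure -Reset -ErrorAction Stop
                # The password came from a file, so make the user replace it at next logon
                Set-ADUser -Identity $row.sAMAccountName -ChangePasswordAtLogon $true -ErrorAction Stop
            }
            else { $status = 'Skipped (WhatIf)' }
        }
        catch [Microsoft.ActiveDirectory.Management.ADPasswordComplexityException] {
            # "The password does not meet the length, complexity, or history requirement"
            $status = 'Rejected by password policy'
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $status = 'User not found'
        }
        catch { $status = "Failed: $($_.Exception.Message)" }
        # Report the account and outcome only; the password is never written out
        [pscustomobject]@{ User = $row.sAMAccountName; Status = $status }
    }
}

# Constructed sample input in the users.csv format (single-quoted so $ stays literal)
$rows = @'
sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
'@ | ConvertFrom-Csv -Delimiter ';'

# Dry run: reports each account as skipped without changing anything in AD
Reset-ADPasswordFromCsv -Rows $rows -WhatIf
```

Remove -WhatIf to apply the resets, and delete or protect the CSV file afterwards, since it holds the passwords in plain text.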

Changing Domain User Passwords from the Command Line

If you don’t have the ADUC console or the RSAT-AD-PowerShell module installed on your computer, you can reset the domain user password with the net user console command. To get information about a domain user, run the command:

net user jliebert /domain

The command line shows basic information about the user’s password properties in the domain:

Password last set            4/22/2022 2:15:15 AM
Password expires             Never
Password changeable          4/23/2022 2:15:15 AM
Password required            Yes
User may change password     Yes
Last logon                   4/22/2022 2:48:12 AM
Logon hours allowed   All


The Last Logon value shows when the user last logged on to the domain. You can get more information about the user’s logon history in Active Directory.

To reset this user’s password, run the command:

net user jliebert /domain *


Enter a new password and confirm it:

Type a password for the user: xxxx
Retype the password to confirm: xxxx
The command completed successfully.
