In this article we'll look at how to change (or reset) Active Directory user passwords using the PowerShell cmdlet Set-ADAccountPassword.
Most administrators usually change (reset) AD user passwords through the graphical snap-in dsa.msc (Active Directory Users & Computers). To do so, run the ADUC console, find the user account in the AD domain, right-click it and select Reset password. This is a simple and easy way to reset the password of the currently selected user.
But you won't be able to use the ADUC console to reset the passwords of multiple users, or to use password reset as one of the actions in an automation script. In this case, you can reset AD passwords from the PowerShell command prompt.
- Using Set-ADAccountPassword to Reset User’s Password in Active Directory
- Using PowerShell to Reset Multiple AD User Passwords
Using Set-ADAccountPassword to Reset User’s Password in Active Directory
To reset a user password in AD, the Set-ADAccountPassword cmdlet is used. It is a part of the Active Directory module for Windows PowerShell (in desktop Windows versions it is a part of , and in server editions it is installed as a separate component of AD DS Snap-Ins and Command-Line Tools). Before using the AD cmdlets, you must import the module into your PowerShell session:
To reset a user password, your account must have the corresponding privileges in the AD domain. By default, non-admin AD users cannot reset the passwords of other accounts. To allow a user or a group of users to reset other users' passwords, you must delegate the permission to reset passwords on the AD container (Organizational Unit) or add the account to the built-in domain group Account Operators.
To verify that your account has permission to reset the password of a particular AD user, open the user's properties and go to the Security tab -> Advanced -> Effective Access -> specify the name of your account -> make sure that you have the Reset Password permission.
To reset the password of the user jliebert and set a new password [email protected], run this command:
Set-ADAccountPassword jliebert -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "[email protected]" -Force -Verbose) -PassThru
By default, the cmdlet completes silently and displays nothing in the console. To display information about the user object in AD, we use the -PassThru parameter.
You can specify a sAMAccountName (as in our case), an objectGUID, or a DN (Distinguished Name, e.g., CN=jliebert,OU=Users,DC=woshub,DC=com) to identify the user.
If you don't specify the -Reset parameter when changing a user password, you must manually enter the old and new account passwords.
Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.
This means that the user password must meet the complexity, length and other requirements defined in the or the account is subject to.
If you have enabled and you don't want passwords to be displayed in the PowerShell console as plain text, you must convert the password into a secure string (you can read more about password protection in PowerShell scripts ) in the same way as when :
$NewPasswd = Read-Host "Enter a new user password" -AsSecureString
Now reset the password:
Set-ADAccountPassword jliebert -Reset -NewPassword $NewPasswd -PassThru
When resetting a password, you can also unlock the account if it is locked (on how to find which computer locks the account, read the article ):
Unlock-ADAccount -Identity jliebert
To make a user change the password at the next logon to the domain, run the following command:
Set-ADUser -Identity jliebert -ChangePasswordAtLogon $true
You can combine the password change command and the requirement to change the password (this is the object attribute) in a PowerShell one-liner:
Set-ADAccountPassword jliebert -NewPassword $NewPasswd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True
Using the Get-ADUser cmdlet, you can make sure that the password has been successfully reset and display the date of the last account password change:
Get-ADUser jliebert -Properties * | select name, pass*
When a password is reset, EventID 4724 is registered in the security log of the domain controller (DC). This event can help you to examine .
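The EventID 4724 record can be turned into a "who reset whose password" list as shown below. This is an added example, not part of the original article: the function name ConvertFrom-ResetEvent is hypothetical, and the sample event (dc01, helpdesk01) is constructed so the block runs without a domain controller.

```powershell
# Parse Event ID 4724 XML into objects showing who reset whose password.
# SubjectUserName/TargetUserName etc. are the EventData fields of event 4724.
function ConvertFrom-ResetEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Skip anything that is not a password-reset event
        if ($evt.System['EventID'].InnerText -ne '4724') { return }
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $evt.System.TimeCreated.SystemTime
            DC      = $evt.System.Computer
            ResetBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        }
    }
}

# Constructed sample event (illustrative values, not taken from a real log)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Computer>dc01.woshub.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jliebert</Data>
    <Data Name="TargetDomainName">WOSHUB</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">WOSHUB</Data>
  </EventData>
</Event>
'@

$sample | ConvertFrom-ResetEvent

# On a domain controller, feed live events instead and count resets per operator:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-ResetEvent |
#     Group-Object ResetBy | Sort-Object Count -Descending
```

Grouping by ResetBy makes an account that performs an unusual number of resets stand out during review.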
Using PowerShell to Reset Multiple AD User Passwords
Above we have shown how to reset the password of a single AD user from the PowerShell console. Let's consider another scenario, when you need to change the passwords of several users at once.
The simplest case is when you have to reset the passwords of users that share the same AD account properties. For example, you need to change the passwords of all Sales department users to the same one and make them change it at the next logon:
Get-ADUser -Filter "department -eq 'Sales Dept' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True
Let's consider another case. Suppose you have a CSV / Excel file that contains a list of users whose passwords you want to reset, with a unique password for each user. Here is the format of the customers.csv file:
Using this PowerShell script, you can reset the password of each account in the specified CSV file:
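# Assumes the CSV columns are named sAMAccountName and NewPassword (the file format is not shown above)
Import-Csv customers.csv -Delimiter ";" | ForEach-Object { Set-ADAccountPassword -Identity $_.sAMAccountName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $_.NewPassword -Force) -PassThru | Set-ADUser -ChangePasswordAtLogon $false }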
After this code is executed, a new unique password will be set for each AD user in the file.
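In a bulk run, one password that fails the domain policy should not hide the outcome for the other accounts. The following added example (not from the original article) records a per-user result; the function name Reset-PasswordFromCsv, the column names sAMAccountName and NewPassword, and the output file reset-results.csv are assumptions.

```powershell
# Requires the Active Directory module and delegated Reset Password rights.
Import-Module ActiveDirectory

function Reset-PasswordFromCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [bool]$ChangeAtLogon = $true
    )
    # Assumed CSV layout: sAMAccountName;NewPassword
    foreach ($row in Import-Csv -Path $Path -Delimiter ';') {
        # The result object deliberately carries no password
        $result = [pscustomobject]@{
            User   = $row.sAMAccountName
            Status = 'OK'
            Error  = $null
        }
        try {
            if ([string]::IsNullOrWhiteSpace($row.NewPassword)) {
                throw 'Empty password in CSV row'
            }
            $secure = ConvertTo-SecureString -AsPlainText $row.NewPassword -Force
            # -ErrorAction Stop turns policy and lookup errors into catchable exceptions
            Set-ADAccountPassword -Identity $row.sAMAccountName -Reset `
                -NewPassword $secure -ErrorAction Stop
            Set-ADUser -Identity $row.sAMAccountName `
                -ChangePasswordAtLogon $ChangeAtLogon -ErrorAction Stop
        }
        catch {
            # For example: password does not meet length/complexity/history requirements
            $result.Status = 'Failed'
            $result.Error  = $_.Exception.Message
        }
        $result
    }
}

Reset-PasswordFromCsv -Path .\customers.csv |
    Export-Csv .\reset-results.csv -NoTypeInformation
```

The input CSV holds plaintext passwords, so restrict access to it and delete it once the run has been verified.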