Hey, Scripting Guy! How can I change a user’s password using a script? -- GO
Hey, GO. You didn’t indicate whether you wanted to change the password for a local user or for an Active Directory user. But that’s OK: the processes are so similar we’ll go ahead and show you how to do both. It’s like getting two Hey, Scripting Guy! columns for the price of one.
Regardless of whether you want to change a local user password or an Active Directory user password you need to go through a two-step process. First you bind to the user account in question, and then you use ADSI’s SetPassword method to assign the user a new password. That’s it: two steps and you’re done.
To prove it, let’s start by changing the password for a local user. In the following script, we bind to the kenmyer user account on the computer atl-ws-01 and assign Ken the password i5a2sj*!:
Set objUser = GetObject("WinNT://atl-ws-01/kenmyer")
objUser.SetPassword "i5a2sj*!"
That’s the whole script right there: bind to the user account, call the SetPassword method, passing SetPassword the user’s new password. The only thing to watch out for is the way you format the provider name. It has to be WinNT, with the W and the NT in uppercase letters. Write that out in any other way - for example, winnt - and the script will fail. This is one of the very rare times in which case-sensitivity is important in VBScript. Other than that, there’s nothing to it.
Of course, you might be thinking, “Yeah, they start out with a local user script because local user accounts are so simple compared to Active Directory user accounts. Just wait until they try to change the password for an Active Directory user account.” Well, the waiting is over; here’s a script that changes the password for the kenmyer user account in the domain fabrikam.com:
Set objUser = GetObject("LDAP://cn=KenMyer,ou=Finance,dc=fabrikam,dc=com")
objUser.SetPassword "i5a2sj*!"
That’s right: it’s remarkably similar to the script for changing a local user password. The only difference is that we use the LDAP provider to bind to the user account (the LDAP provider is used when working with Active Directory and the WinNT provider is used when working with local accounts and Windows NT 4.0 domains). And, of course, the path to the actual account will vary depending on whether the account is stored locally or in Active Directory. But other than that the two scripts are identical.
We should mention that you can change any user account with these scripts, including the local Administrator account. Just replace kenmyer with Administrator:
Set objUser = GetObject("WinNT://atl-ws-01/Administrator")
objUser.SetPassword "i5a2sj*!"
In fact, as long as we’re at it, let’s give you three columns for the price of one. A question we get asked all the time is this: How do I change the local Administrator password for all the computers in an OU? Well, here’s your answer:
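' Bind to the OU and keep only the computer accounts
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("Computer")
For Each objItem in objOU
    strComputer = objItem.CN
    ' Connect to the local Administrator account on that computer
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    ' Sample password from the first script in this column
    objUser.SetPassword "i5a2sj*!"
Next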
So what are we doing in this script? Well, we’re binding to the Finance OU in fabrikam.com. We’re then applying a filter to the collection we get back to make sure that we’re dealing only with computer accounts. After we’ve applied the filter, we loop through the collection of computer accounts. We grab the CN (essentially the NetBIOS name) for the first computer and store the name in the variable strComputer. We then connect to the Administrator account on that machine and change the password. The script loops around and repeats the process for the second computer in the collection, and then continues looping around and changing passwords until it’s hit every computer in the OU.
We know. But we won’t tell your boss how easy this is. Let him or her think you’re a real genius when you tell them you’ve discovered a way to automatically change all the local Administrator passwords on all the computers in an OU. The fact that it really takes just a few simple lines of code will be our little secret. (Trust us: we’ve never told our bosses how easy this is, either!)
I'm new to vb scripting and somewhat understand what you've done here with resetting a particular password. More specifically, I would like to create a link on the campus Intranet that will allow students to have their passwords reset (in A.D.) to a 'default' password without having to come by my office to have it reset. Is this possible?
I haven't done a lot of scripting but I have a need to set up a script to change passwords in AD. How would the script work for sub OU's?
So if an OU is under Domain.com\Sacto\Sacto2\Platform\Desktop Support
How does this fit into the script? I tried setting the OU=Desktop Support,dc=Domain,dc=com
And I get an error when running the VBS script line 1, char 1, there is no such object on the server. Error Code=80072030
I'm assuming it has to do with the OU being buried deeper? Your help would be appreciated.
Thought I'd leave a comment after seeing your post whilst browsing to try and get my head round something I'm trying to do at the moment. The DN you're looking for given that structure would be:-
That should do the trick if you haven't resolved it already.
Just keep adding dc=(name of the OU) for OUs. Always remember that in AD you work in reverse order on the AD tree, i.e.:
dc=Desktop Support, dc=platform, dc=Sacto2, dc=Sacto dc=domain dc=com
Hope this helps.
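For the nested-OU question in the comments above, here is an added example that is not part of the column or of any comment: it builds the LDAP path from a folder-style path and checks that the bind succeeds before anything else is done. It assumes every level below the domain is an organizational unit (each becomes its own OU= component, deepest first, followed by one DC= component per label of the domain name); the function names are hypothetical.

```vbscript
' Added example, not part of the column or the comments. Run with cscript.exe.
Option Explicit

' Escape characters that are special inside a DN component or an ADSI path.
Function EscapeRdnValue(strValue)
    Dim i, strChar, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        strChar = Mid(strValue, i, 1)
        If InStr(",+""\<>;=/", strChar) > 0 Then strOut = strOut & "\"
        strOut = strOut & strChar
    Next
    EscapeRdnValue = strOut
End Function

' "domain.tld\TopOU\...\LeafOU" -> LDAP path. Assumes every level is an OU.
Function OUPathToLdap(strPath)
    Dim arrParts, i, strDN
    arrParts = Split(strPath, "\")
    strDN = ""
    ' Nested OUs are listed deepest first, each as its own OU= component.
    For i = UBound(arrParts) To 1 Step -1
        strDN = strDN & "OU=" & EscapeRdnValue(arrParts(i)) & ","
    Next
    ' The DNS domain name becomes one DC= component per label.
    strDN = strDN & "DC=" & Replace(arrParts(0), ".", ",DC=")
    OUPathToLdap = "LDAP://" & strDN
End Function

Dim strLdap, objOU
' Path taken from the question in the comments
strLdap = OUPathToLdap("Domain.com\Sacto\Sacto2\Platform\Desktop Support")
WScript.Echo strLdap

' Bind first; a path that does not exist fails here with 0x80072030.
On Error Resume Next
Set objOU = GetObject(strLdap)
If Err.Number <> 0 Then
    WScript.Echo "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
WScript.Echo "Bound to " & objOU.Get("distinguishedName")
```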
On a Windows 2003 system I had to remove spaces for this to work as follows:
Set objUser = GetObject("WinNT://"&strComputer&"/Administrator")
Hi Scripting Guy,
The script to change the local Administrator password for all the computers in an OU: where should I run this? On the DC itself, or on the local workstation? When I test on the local workstation it gives an error that the domain cannot be contacted, and when I try to run it on the DC nothing happens. Please advise, and thanks for your help.
How would you do this on a non-AD computer, run from a local user account w/admin rights? I'm just looking for a quick script to change the password of user "user" or user "Administrator" on a non-networked computer.
Set objUser = GetObject("WinNT://?currentcomputer?/Administrator")
I am new to jqgrid. I need to convert a password into md5. Please help me.
Thanks in advance
I was trying this script for Windows 7 and I got the message access denied (Local account on a workgroup)
On Windows Vista and Windows 7, you must run the script with administrator rights. To do this, you will need to start an elevated cmd prompt. Once you have done that, the command is cscript yourscriptname.vbs
Now do it in PowerShell
I have the below vb script; with the help of that I can reset my Administrator pwd, but I am unable to reset for other users. For example, I have created a test user with admin rights, and for that I am unable to do so.
the script is
strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/temp, user")
msgbox "Local Admin password changed successfully"