How to Change a User's Active Directory Password with PowerShell

Summary: The Scripting Guys discuss using Windows PowerShell to change a user's Active Directory password in this how-to article.

Hey, Scripting Guy! I need to be able to change a user’s password by using Windows PowerShell. In the VBScript days, I had a script that I had essentially copied from the How Can I Change a User’s Password? Scripting Guy post. The problem is that when I attempt something like that using Windows PowerShell, it fails. This is a real problem because we have many calls to the help desk from users who for whatever reason are forgetting their passwords. This has gotten worse since we began to enforce password complexity and shortened the amount of time between password changes. We need to implement a self-serve password solution, but those things are expensive.

-- SD

Hello SD,

Microsoft Scripting Guy Ed Wilson here. It is almost inevitable that when a group of network administrators get together, their stories soon involve clueless users. There may be many reasons for this, but I think one of the main causes is simply the proliferation of computers and the way in which they have touched nearly every aspect of life. Because a user has a computer at home, they tend to think they know all about computers at work. I mean, welders do not get evening phone calls from their co-workers who are trying to weld aluminum with a 3/32 7018 rod and are experiencing predictably poor results, do they?

Yet, I cannot count the number of times when I was a network administrator and I received phone calls at night and on weekends from co-workers who were attempting to perform a similar operation on their home computers. Some user stories have become legendary. The broken retractable “cup holder” on the computer, and the missing “any key” are two such stories that spring to mind. More pedestrian user stories nearly always surround users and passwords. I could spend nearly a week writing such stories from my own experience, but by the end of the week, you would either be bored or in tears. Neither is the desired reader experience for this blog.

SD, luckily the little critter whose picture I took in Chattanooga, TN, is not actually a network user. But he does appear to be ready for winter.

Photo Ed took of gravitationally challenged squirrel

To change a user’s password using Windows PowerShell, you can use the [adsi] type accelerator. To do this, make a connection to the user object by passing the entire distinguished name of the user. This line of code is shown here (keep in mind that LDAP is all capital letters, and does not refer to a police department in southern California):

$oUser = [adsi]"LDAP://$user"

Next, call the Invoke method on the psbase object to invoke the SetPassword method, passing the new password. Then you must commit the changes. This is shown here:

$ouser.psbase.invoke("SetPassword",$pwd)
$ouser.psbase.CommitChanges()

The Set-AdUserPwd.ps1 script is seen here.

Set-AdUserPwd.ps1

Function Set-AdUserPwd
{
    Param(
        [string]$user,   # distinguished name of the user, e.g. cn=bob,ou=HSG_TestOU,dc=nwtraders,dc=com
        [string]$pwd     # the new password, passed as plain text
    ) #end param
    # Bind to the user object through the [adsi] type accelerator
    $oUser = [adsi]"LDAP://$user"
    # Call the SetPassword method through psbase, then commit the change to the directory
    $oUser.psbase.Invoke("SetPassword",$pwd)
    $oUser.psbase.CommitChanges()
} # end function Set-AdUserPwd
Set-AdUserPwd -user "cn=bob,ou=HSG_TestOU,dc=nwtraders,dc=com" -pwd P@ssword1
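As an added example (not from the original post), here is the same ADSI SetPassword call wrapped so that the new password arrives as a SecureString instead of a plain-text parameter, the bind to the user object is verified before anything is changed, and the "user must change password at next logon" flag (the pwdLastSet attribute) can be set in the same commit. The function name Set-AdUserPwdSecure, its parameter names and the prompt text are my own; the distinguished name reuses the post's test user.

```powershell
# Added example, not part of the original post. Assumes the caller has reset-password
# rights on the target user; the function and switch names are hypothetical.
Function Set-AdUserPwdSecure
{
    Param(
        [Parameter(Mandatory=$true)]
        [string]$DistinguishedName,                  # e.g. cn=bob,ou=HSG_TestOU,dc=nwtraders,dc=com
        [Parameter(Mandatory=$true)]
        [System.Security.SecureString]$Password,      # new password, never held as a plain [string] parameter
        [switch]$MustChangeAtNextLogon                # also set "must change password at next logon"
    )

    $path = "LDAP://$DistinguishedName"

    # [adsi] binds lazily, so a typo in the DN would only surface at CommitChanges.
    # DirectoryEntry.Exists checks the object is really there before we touch it.
    if (-not [adsi]::Exists($path)) {
        throw "No object found at '$path'"
    }
    $oUser = [adsi]$path

    # SetPassword needs a plain string; decrypt into an unmanaged BSTR, use it, then zero it.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $oUser.psbase.Invoke("SetPassword", $plain)

        if ($MustChangeAtNextLogon) {
            # pwdLastSet = 0 is the attribute value behind the "must change at next logon" checkbox
            $oUser.psbase.Properties["pwdLastSet"].Value = 0
        }

        # Both the new password and the flag go to the directory in one commit
        $oUser.psbase.CommitChanges()
    }
    finally {
        # Wipe the unmanaged copy and drop the managed string reference as soon as we are done
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

# Usage: the password is read masked from the console, so it never appears in the script file,
# in the command history, or in a process command line.
$newPwd = Read-Host -Prompt "New password for bob" -AsSecureString
Set-AdUserPwdSecure -DistinguishedName "cn=bob,ou=HSG_TestOU,dc=nwtraders,dc=com" `
                    -Password $newPwd -MustChangeAtNextLogon
```

The shape of the call is unchanged from the post's script; what changes is that the only plain-text copy of the password lives inside the try block and is zeroed in the finally block, and that a mistyped distinguished name fails with a clear message before any change is attempted.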

The Set-AdUserPwd.ps1 script runs on both Windows PowerShell 2.0 and Windows PowerShell 1.0. It will work on any version of AD. A much better approach, however, is available when using the Active Directory Domain Services (AD DS) cmdlets from Windows Server 2008 R2; there is the Set-ADAccountPassword Windows PowerShell cmdlet. Changing a user’s password does not require you to write a script; you can do it directly in the Windows PowerShell console. As a nice security advantage, the password is masked on the console line and encrypted on the wire.

For a good introduction to using the Active Directory Domain Services Windows Server 2008 R2 cmdlets, see the What’s Up with Active Directory Domain Services Cmdlets post.

The first thing that must be accomplished is to import the Active Directory module. It is possible to add this command to your Windows PowerShell profile, and it might even make sense if you routinely work with AD. A recent series of Hey, Scripting Guy! Blog posts talks about the Windows PowerShell profile, and will assist you in deciding what to add and what to leave out. The Import-Module cmdlet is used to import the AD module.

Import-Module ac*

After the AD module has been imported, the Set-ADAccountPassword cmdlet can be used to reset the password. You do not have to use the complete distinguished name for the user. To reset the password, use the -Reset switch. Interestingly enough, even though the help files state that not including the old password with the new one will force the user to change the password on logon, in my testing this was not the case. In addition, if you leave out the new password parameter, the cmdlet prompts for it. The basic command is shown here:

Set-ADAccountPassword -Identity bob -Reset

The output from the Set-ADAccountPassword command is shown here.

Image of output from Set-ADAccountPassword command
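As an added example (not from the original post), the following wraps Set-ADAccountPassword in a function that reads the new password masked from the console, explicitly forces a change at next logon with Set-ADUser -ChangePasswordAtLogon (since, as noted above, -Reset alone did not do that in testing), and returns the resulting account state so the reset can be confirmed. It also shows the same function applied in bulk to a list of accounts, which several commenters asked about. The function name Reset-AdUserPassword, the switch name and the three sample account names in the CSV are constructed for illustration; the user bob is the post's test account.

```powershell
# Added example, not part of the original post. Assumes the Active Directory module is
# available (RSAT / AD Web Services) and the caller has reset-password rights.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web     # for [System.Web.Security.Membership]::GeneratePassword

Function Reset-AdUserPassword
{
    Param(
        [Parameter(Mandatory=$true)]
        [string]$Identity,                           # sAMAccountName, DN, SID or objectGUID
        [Parameter(Mandatory=$true)]
        [System.Security.SecureString]$NewPassword,
        [switch]$NoChangeAtLogon                     # default behaviour: force a change at next logon
    )

    try {
        # -Reset sets a new password without knowing the old one; the account's own
        # credentials are not involved, only the caller's reset rights on the object.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $NewPassword -ErrorAction Stop

        if (-not $NoChangeAtLogon) {
            # "Must change password at next logon" is a separate attribute; set it explicitly
            Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -ErrorAction Stop
        }

        # Return the state after the reset so the caller (or an audit log) can confirm it took effect
        Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordExpired, LockedOut |
            Select-Object SamAccountName, PasswordLastSet, PasswordExpired, LockedOut
    }
    catch {
        Write-Error "Password reset for '$Identity' failed: $($_.Exception.Message)"
    }
}

# Single user: the new password is read masked from the console and never written in the script
$newPwd = Read-Host -Prompt "New password for bob" -AsSecureString
Reset-AdUserPassword -Identity bob -NewPassword $newPwd

# Bulk: a distinct random temporary password for each account listed in a CSV.
# The rows below are constructed sample data; in practice use Import-Csv .\users.csv
$users = @"
SamAccountName
bob
alice
carol
"@ | ConvertFrom-Csv

$results = foreach ($u in $users) {
    # 16 characters with at least 3 non-alphanumerics, which satisfies the default complexity policy
    $temp   = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force
    $state  = Reset-AdUserPassword -Identity $u.SamAccountName -NewPassword $secure
    if ($state) {
        # The temporary password is returned once so it can be handed to the user; the
        # forced change at next logon means it stops working after first use.
        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            TemporaryPassword = $temp
            PasswordLastSet   = $state.PasswordLastSet
        }
    }
}
$results | Format-Table SamAccountName, PasswordLastSet, TemporaryPassword -AutoSize
```

Because every call goes through the AD DS cmdlets, the password is sent over the encrypted AD Web Services channel the post mentions, and a failed reset for one account in the bulk loop is reported with Write-Error and skipped rather than stopping the whole run.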

If you need to change a local user password, you may want to use the Set Local User Password script I wrote for the Windows 7 Resource Kit. I have posted it on the Scripting Guys Script Repository because it is too long to show here.

SD, that is all there is to changing a user’s Active Directory password via Windows PowerShell. User Management Week will continue tomorrow when we will talk about retrieving the members of a group in Active Directory in alphabetical order.

We invite you to follow us on Twitter and Facebook. If you have any questions, send email to us at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson and Craig Liebendorfer, Scripting Guys

  • I encountered a problem a while ago with setting the password with PowerShell (and found the method using PSBase to work), see www.remkoweijnen.nl/.../powershell-2-0-changing-password-through-adsi-problem

    Can you explain why the Password property and the SetPassword method do not work as expected?

  • Wow, so much easier in R2.  Would also be great to see how to do this in bulk.

  • You should note that the AD module only works with domain controllers running AD Web Services (2k8 R2) or the AD Management Gateway (2k3 SP2, 2k3 R2, 2k8 SP2).

  • I have a script that will allow me to change a local account's password on multiple machines (provided the same account exists on all of the machines).

    If I wanted to the local password of a machine not on the same domain, how would you do that?

    Thoughts:

    PowerShell offers a nifty Get-Credentials, but I would know where to pass that in.

    Invoke-command?

  • Jeff - You cannot use this script to change local account passwords.

    Your question is about things other than AD.  Try posting in the TSGF forum for a good answer to your one-off question:

    social.technet.microsoft.com/.../ITCG

  • I would be interested in seeing how to apply this to many users at once.

  • Good.

  • module "ac*" was not load because no valid module file was found in any module directory

    How could I fix this error?

  • @Shadin - you need to have added the RSAT (Remote Server Admin Tools) to your computer - get them from Microsoft, for the OS you need - they vary in install files.

    Once RSAT is installed, you need to activate them in Programs and Features, Turn Windows Features on and off.  Basically, select the RSAT checkbox, and click OK.  At that point, you will be able to import-module ac* with no problems.

  • Thanks scripting guy. Hilarious and helpful at the same time.

  • Sorry for being a rookie... I understand scripting however some of the conventions I am unfamiliar with. Here is what I think I understand -- please clarify:

    $oUser ~this is a declared variable?
    $User ~ this is a declared variable that refers to a column in a CSV file?

  • I found good information to change a user's Active Directory password with a PowerShell script. This article explains how to change an AD password with a script and set a local user password, but I already tried this AD self-service password reset tool ( www.selfservicepasswordreset.org ) to do this task. Thanks

  • thanks