How to Create, Change and Test Passwords Using PowerShell

Automation is the key to streamlining Active Directory management tasks. In this article, I’ll show you how to create, change and test user passwords with PowerShell scripts.

Installing the AD PowerShell module

Before you can use PowerShell to manage Active Directory, you need to install the Active Directory PowerShell module. If you are using Windows 10 to manage AD, first install the Remote Server Administration Tools (RSAT).

Windows 10 Version 1809

If you are using Windows 10 version 1809, RSAT is included as a Feature On Demand, so you don’t need to download the RSAT package. To enable RSAT in Windows 10 version 1809, run the following command in an elevated PowerShell console:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Earlier Versions of Windows 10

If you are using an earlier version of Windows 10, download the appropriate RSAT package from Microsoft’s website:

  • If you are managing Windows Server version 1803 or 1709, download and install the WS_1803 package.
  • If you are managing Windows Server 2016 or earlier versions of Windows Server, download and install the WS2016 package.

Once RSAT is installed, start the PowerShell console as a local administrator and enable the AD PowerShell module using this PowerShell command:

Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell

Create credential with password using PowerShell

To create a new user account, use the New-ADUser cmdlet. In the example below, I have hardcoded the ad.contoso.com domain in the $UPN variable. You should change this to match the UPN suffix you want to assign to users.

Provide the user’s first name and last name. The UPN and SamAccountName will then be created by adding a period between the first and last name. Use the following PowerShell script:

$GivenName = (Read-Host -Prompt "First Name")
$Surname = (Read-Host -Prompt "Last Name")
$User = $GivenName+"."+$Surname
$UPN = $User+"@ad.contoso.com"
$Password = (Read-Host -Prompt "Password" -AsSecureString)
New-ADUser -Name $User -SamAccountName $User -UserPrincipalName $UPN -AccountPassword $Password -GivenName $GivenName -Surname $Surname -Enabled $True

Create new AD user password using PowerShell

The following code will prompt you to specify a username and password. You must enter a username that already exists in AD and a password that meets the domain’s password complexity requirements.

$User = (Read-Host -Prompt "Username")
$NewPassword = (Read-Host -Prompt "New Password" -AsSecureString)
Set-ADAccountPassword -Identity $User -NewPassword $NewPassword -Reset

Change password using PowerShell

  • Change a local user’s password

To change a local user’s password, you need to use the Get-LocalUser and Set-LocalUser cmdlets:

$Password = (Read-Host -Prompt "New Password" -AsSecureString)
$User = (Read-Host -Prompt "Username")
$UserAccount = Get-LocalUser -Name $User
$UserAccount | Set-LocalUser -Password $Password
  • Change an AD user’s password

To create a new AD user password using PowerShell, use the following script. You will be prompted to specify the username of an existing AD account and then a new password, which must meet the domain’s password complexity requirements.

$User = (Read-Host -Prompt "Username")
$NewPassword = (Read-Host -Prompt "New Password" -AsSecureString)
Set-ADAccountPassword -Identity $User -NewPassword $NewPassword -Reset
  • Force a user to change their password at next logon

The Set-LocalUser cmdlet doesn’t support setting a local user account to force a password change at next logon. However, you can achieve the same goal by forcing the password to expire:

$User = (Read-Host -Prompt "Username")
$Usrstring = "WinNT://localhost/"+$User  
$usr=[ADSI] $Usrstring  
$usr.passwordExpired = 1  
$usr.setinfo()

But you can force users to change their AD account passwords using Set-ADAccountPassword:

$User = (Read-Host -Prompt "Username")
Set-Aduser -Identity $User -ChangePasswordAtLogon $true
  • Change an administrator password

To change the AD administrator password, type administrator when you are prompted for a username using the code below:

$User = (Read-Host -Prompt "Username")
$NewPassword = (Read-Host -Prompt "New Password" -AsSecureString)
Set-ADAccountPassword -Identity $User -NewPassword $NewPassword -Reset

To change a local administrator password, type administrator when prompted for a username:

$Password = (Read-Host -Prompt "New Password" -AsSecureString)
$User = (Read-Host -Prompt "Username")
$UserAccount = Get-LocalUser -Name $User
$UserAccount | Set-LocalUser -Password $Password
  • Change the “password never expires” attribute

To set the “password never expires” attribute on a local user account, use Set-LocalUser:

$User = (Read-Host -Prompt "Username")
Set-LocalUser -Name $User -PasswordNeverExpires $true

To set the “password never expires” attribute on an Active Directory user account, use Set-ADUser:

$User = (Read-Host -Prompt "Username")
Set-ADUser -Identity $User -PasswordNeverExpires $true
  • Change the service account password

To change the logon properties of a service, use the Get-Credential and Set-Service cmdlets. The following code changes the AppReadiness service from using the Local System account to using the username and password that are entered when prompted. Note that the Set-Service -Credential parameter is supported only in PowerShell 6 and later.

$credential = Get-Credential
Set-Service -Name "AppReadiness" -Credential $credential
  • Change a password’s expiration date in Active Directory

If you need to extend the time a user can keep their current password, set the pwsLastSet attribute to the current date, giving them extra time until Active Directory forces them to change their password. Clearing the attribute and then setting it to -1 will set it to the current date and time.

$Username = (Read-Host -Prompt "Username")
$User = Get-ADUser $Username -Properties pwdlastset
$User.pwdlastset = 0
Set-ADUser -Instance $User
$User.pwdlastset = -1
Set-ADUser -Instance $User
  • Bulk password reset

The best way to get users to change their AD passwords is to force a password reset. You can do this in bulk by combining the Get-ADUser and Set-ADUser cmdlets. The command below uses a filter to get users in the “Accounts” organizational unit (OU) and pipes the results to the Set-ADUser cmdlet to force all users in the OU to change their password at next logon.

Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Accounts,DC=ad,DC=contoso,DC=com" | 
Set-ADUser -ChangePasswordAtLogon $true

Testing a user’s credentials

If you want to test if a user’s credentials are working, all you need to do is start a process using their username and password. The code below starts cmd.exe using the credentials entered when prompted.

Start-Process -FilePath cmd.exe /c -Credential (Get-Credential)