logo

Reset Password via Set-ADAccountPassword Poweshell Cmdlet

Users normally update their domain account passwords using the Windows Settings menu. But if they forget their password or their account is disabled, an administrator needs to step in.

This blog post explores several ways that an admin can reset a user’s password or create a new one. First, we review the easiest options: Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC). But since they both have limitations, we will also discuss how administrators can manage user passwords more effectively using PowerShell or third-party tools

Prerequisite: Checking Password Reset Permissions

In order to reset a user’s password, an administrator needs to have the appropriate permissions. By default, members of the Domain Admins and Account Operators groups are authorized to change passwords for other accounts. Other users and groups can be delegated this right as well.

To check whether a certain administrator can reset the password for a user account, take these steps:

  1. In ACUC, open the properties of the AD user you want to view the permissions for.
  2. Navigate to the Security tab and click Advanced.
  3. Select Effective Access, enter the name of the administrator’s account and see whether it has the Reset password authority.
    Prerequisite: Checking Password Reset Permissions

Resetting Passwords using ADUC and ADAC

Administrators have two GUI-based options for resetting user passwords: Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC).

Password Reset using ADUC

To reset a user’s password using ADUC, take these steps:

  1. If you know the location of the user in AD whose password you want to change, navigate to it, right-click it, and choose Reset Password.
    Password Reset using ADUC
    If you do not know the location of the user in AD, search for the user by right-clicking the domain and selecting Find:
    Password Reset using ADUC
    Enter the name of the user and click Find Now. Then right-click the name in the search results and choose Reset Password.
    Password Reset using ADUC
  2. In the Reset Password dialog:
    • Enter a new password and confirm it by entering it again.
    • Select the User must change password at next logon check box to force the user to change the password on next login.
    • If the user account was locked by the AD security policy due to multiple login attempts with an incorrect password, you can unlock the account by selecting the Unlock the user’s account check box.
      Password Reset using ADUC
  3. Click OK.

Password Reset using ADAC

The process for resetting passwords using ADAC is quite similar to the one used for ADUC. Here are screenshots for the key steps:

Password Reset using ADAC
Password Reset using ADAC

Resetting Passwords using PowerShell

While ADUC and ADAC provide a simple way to reset a single user password, they aren’t helpful when it comes to changing the passwords for numerous users. For that, admins need PowerShell. PowerShell enables you to quickly reset AD user passwords in bulk and even automatically create complicated random passwords.

Set-ADAccountPassword: Syntax

Let’s start with the Set-ADAccountPassword cmdlet, which sets a password for a user, computer, or service account. The syntax of this cmdlet is as follows:

Set-ADAccountPassword [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADAccount> [-NewPassword <SecureString>] [-OldPassword <SecureString>] [-Partition <String>] [-PassThru] [-Reset] [-Server <String>] [<CommonParameters>]

Set-ADAccountPassword: Parameters

Here are the key parameters to know about:

ParameterUsed to
AuthTypeSpecify the authentication method to use. Valid values are:
Negotiate or 0 (default)
Basic or 1
ConfirmDisplay a confirmation prompt before running the command.
CredentialsRun the command or script using alternate credentials.
IdentitySpecify the Active Directory object for which the password reset operation is required. Use the following as values:
Distinguished Name
GUID
Security identifier (ObjectSid)
SAM Account name
NewPasswordSpecify the new password.
ServerSpecify the fully qualified domain name (FQDN) of one of the following:
FQDN of the domain
FQDN of the directory server
FQDN with the port number of the domain or directory server One of the following services must be deployed in your environment for this parameter:
Active Directory Domain Services
Active Directory Snapshot Instance
OldPasswordProvide the old password when changing the password.
PartitionSpecify the Active Directory partition you are connected with, if it is not the default partition.
PassThruDisplay details about the user object.
ResetReset the password for an object; the NewPassword parameter must be specified as well.
ServerSpecify the fully qualified domain name (FQDN) of one of the following:
FQDN of the domain
FQDN of the directory server
FQDN with the port number of the domain or directory server
One of the following services must be deployed in your environment for this parameter:
Active Directory Domain Services
Active Directory Snapshot Instance
Active Directory Lightweight Domain Services
WhatIfSee what the output of the cmdlet would be without actually running it.

Now let’s step through some examples of using the Set-ADAccountPassword cmdlet.

Reset an AD User Password

Run the following command to reset the password of a user account. You will be prompted for the new and old password for that account.

Set-ADAccountPassword -Identity AbbeyCrawford

Set-ADAccountPassword -Identity "CN=AbbeyCrawford,OU=VersaCorp,DC=milkyway,DC=local"
Reset an AD User Password

Alternatively, you can first store the password in a variable and then use it in the cmdlet to reset the password:

$Pwd = ConvertTo-SecureString "MyNewPassword@123" -AsPlainText -Force Set-ADAccountPassword -Identity AbbeyWarren -NewPassword $Pwd -Reset

Running these cmdlets will not show any output in the PowerShell console.

To get output, we need to add the -PassThru parameter. Here is an example that uses this parameter as well as a couple of additional ones:

Set-ADAccountPassword abbeywarren -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “NewP@ssw0rd123” -Force -Verbose) –PassThru
Reset an AD User Password

Unlock an Account while Resetting its Password

A user’s account can get locked because they enter the wrong password too many times, as set in the account lockout policy. In that case, the user will see an error like the following:

Unlock an Account while Resetting its Password

An administrator can unlock the account from the user’s “Properties” page in ADUC:

Unlock an Account while Resetting its Password

Alternatively, you can simply unlock the account while resetting its password by using the Unlock-ADAccount parameter with a pipeline:

Set-ADAccountPassword abbeywarren -Reset –NewPassword $PWD –PassThru | Unlock-ADAccount

Force the User to Change Password at Next Logon

To force a user to change their password the next time they log into the domain, you can use the Set-ADUser command:

Set-ADUser -Identity abbeywarren -ChangePasswordAtLogon $true

You can also change the user’s password and force them to change the password at next logon in one command:

Set-ADAccountPassword abbeycrawford -NewPassword $Pwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Running this command will enable the User must change the password at next logon option, as shown below:

Force the User to Change Password at Next Logon

Reset a Password using Alternative Credential

Usually administrators have two accounts: a standard user account and an admin account. To change a user’s password with your privileged account while logged in on your standard account, use the -Credential parameter

First, store your admin credentials in a variable:

$Credentials = Get-Credential

This command prompts you to provide the credentials to be stored:

Reset a Password using Alternative Credential

Then we can use the following variable to store the new password for the user:

$Pwd = ConvertTo-SecureString "MyNewPassword@123" -AsPlainText -Force

Then we use both these variables in Set-ADAccountPassword:

Set-ADAccountPassword -Identity abbeywarren -NewPassword $Pwd -Credential $Credential

Verify Password Reset Results

To verify that a password was successfully reset, use the Get-ADUser command to check the date and time when the password was last changed:

Get-ADUser abbeywarren -Properties * | select name, pass*
Verify Password Reset Results

Reset Passwords for Multiple Users to the Same Value

Sometimes you need to reset user passwords in bulk. For example, suppose you want to set the same password for all users in the Engineering department and require those users to change their passwords the next time they log in. Simply use Get-ADUser with the -Filter parameter to choose users whose “department” value is set to “Engineering” and pipes them into the Set-ADAccountPassword cmdlet:

Get-ADUser -filter "department -eq 'Engineering'" | Set-ADAccountPassword -NewPassword $Pwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True
Reset Passwords for Multiple Users to the Same Value

We can verify the results by displaying the users’ password properties:

Get-ADUser -filter "department -eq 'Engineering'" -Properties * | select name, pass*
Reset Passwords for Multiple Users to the Same Value

Reset Passwords for Multiple Users to Different Value

Now suppose you have a CSV or Excel file that lists multiple users who need password resets along with the password to be assigned to each user:

Reset Passwords for Multiple Users to Different Value

Run the following PowerShell script to change the password for each user account in the CSV file:

Import-Csv c:\temp\users_new_passwords.csv -Delimiter "," | Foreach {

$NewPassword = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force

Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPassword -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false

}

Simplifying Password Management with Netwrix GroupID

Netwrix GroupID simplifies password management by providing easy-to-use portals for both business users and helpdesk teams. When any AD object is modified using the portals, an email notification is sent to designated recipients to alert them to the changes.

User Portal

The user portal enables business users to do the following on their own:

  • Change their password
  • Reset their password
  • Unlock their account

Here is the dialog for the user to change their password in Netwrix GroupID:

User Portal

Helpdesk Portal

Using the helpdesk portal, helpdesk users can perform the following operations on behalf of users:

  • Reset a user’s password
  • Unlock a user’s account

Here is the dialog for changing a user’s password:

Helpdesk Porta

Here is the dialog for unlocking a user’s account:

Helpdesk Porta

Helpdesk users can use the Dashboard, History and Live Updates options of the helpdesk portal to monitor user activity on the user portal:

Helpdesk Porta

Get Real-Time Alerts with Netwrix GroupID

See if Netwrix is right for your organization

We care about security of your data.

Privacy Policy

Conclusion

Most IT helpdesk tickets relate to forgotten passwords and locked accounts. While ADUC and ADAC make it easy to reset a single user password, they are ill-suited for more complex tasks. PowerShell fills that gap by enabling administrators to reset passwords in bulk, and much more.

For a powerful tool that simplifies password management for both users and helpdesk teams, check out Netwrix GroupID.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
Automate Active Directory Groups & User Management