Users normally update their domain account passwords using the Windows Settings menu. But if they forget their password or their account is disabled, an administrator needs to step in.
This blog post explores several ways that an admin can reset a user’s password or create a new one. First, we review the easiest options: Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC). But since they both have limitations, we will also discuss how administrators can manage user passwords more effectively using PowerShell or third-party tools
Prerequisite: Checking Password Reset Permissions
In order to reset a user’s password, an administrator needs to have the appropriate permissions. By default, members of the Domain Admins and Account Operators groups are authorized to change passwords for other accounts. Other users and groups can be delegated this right as well.
To check whether a certain administrator can reset the password for a user account, take these steps:
- In ACUC, open the properties of the AD user you want to view the permissions for.
- Navigate to the Security tab and click Advanced.
- Select Effective Access, enter the name of the administrator’s account and see whether it has the Reset password authority.
Resetting Passwords using ADUC and ADAC
Administrators have two GUI-based options for resetting user passwords: Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC).
Password Reset using ADUC
To reset a user’s password using ADUC, take these steps:
- If you know the location of the user in AD whose password you want to change, navigate to it, right-click it, and choose Reset Password.
If you do not know the location of the user in AD, search for the user by right-clicking the domain and selecting Find:
Enter the name of the user and click Find Now. Then right-click the name in the search results and choose Reset Password. - In the Reset Password dialog:
- Enter a new password and confirm it by entering it again.
- Select the User must change password at next logon check box to force the user to change the password on next login.
- If the user account was locked by the AD security policy due to multiple login attempts with an incorrect password, you can unlock the account by selecting the Unlock the user’s account check box.
- Click OK.
Password Reset using ADAC
The process for resetting passwords using ADAC is quite similar to the one used for ADUC. Here are screenshots for the key steps:
Resetting Passwords using PowerShell
While ADUC and ADAC provide a simple way to reset a single user password, they aren’t helpful when it comes to changing the passwords for numerous users. For that, admins need PowerShell. PowerShell enables you to quickly reset AD user passwords in bulk and even automatically create complicated random passwords.
Set-ADAccountPassword: Syntax
Let’s start with the Set-ADAccountPassword cmdlet, which sets a password for a user, computer, or service account. The syntax of this cmdlet is as follows:
Set-ADAccountPassword [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADAccount> [-NewPassword <SecureString>] [-OldPassword <SecureString>] [-Partition <String>] [-PassThru] [-Reset] [-Server <String>] [<CommonParameters>]
Set-ADAccountPassword: Parameters
Here are the key parameters to know about:
Parameter | Used to |
AuthType | Specify the authentication method to use. Valid values are: Negotiate or 0 (default) Basic or 1 |
Confirm | Display a confirmation prompt before running the command. |
Credentials | Run the command or script using alternate credentials. |
Identity | Specify the Active Directory object for which the password reset operation is required. Use the following as values: Distinguished Name GUID Security identifier (ObjectSid) SAM Account name |
NewPassword | Specify the new password. |
Server | Specify the fully qualified domain name (FQDN) of one of the following: FQDN of the domain FQDN of the directory server FQDN with the port number of the domain or directory server One of the following services must be deployed in your environment for this parameter: Active Directory Domain Services Active Directory Snapshot Instance |
OldPassword | Provide the old password when changing the password. |
Partition | Specify the Active Directory partition you are connected with, if it is not the default partition. |
PassThru | Display details about the user object. |
Reset | Reset the password for an object; the NewPassword parameter must be specified as well. |
Server | Specify the fully qualified domain name (FQDN) of one of the following: FQDN of the domain FQDN of the directory server FQDN with the port number of the domain or directory server One of the following services must be deployed in your environment for this parameter: Active Directory Domain Services Active Directory Snapshot Instance Active Directory Lightweight Domain Services |
WhatIf | See what the output of the cmdlet would be without actually running it. |
Now let’s step through some examples of using the Set-ADAccountPassword cmdlet.
Reset an AD User Password
Run the following command to reset the password of a user account. You will be prompted for the new and old password for that account.
Set-ADAccountPassword -Identity AbbeyCrawford
Set-ADAccountPassword -Identity "CN=AbbeyCrawford,OU=VersaCorp,DC=milkyway,DC=local"
Alternatively, you can first store the password in a variable and then use it in the cmdlet to reset the password:
$Pwd = ConvertTo-SecureString "MyNewPassword@123" -AsPlainText -Force Set-ADAccountPassword -Identity AbbeyWarren -NewPassword $Pwd -Reset
Running these cmdlets will not show any output in the PowerShell console.
To get output, we need to add the -PassThru parameter. Here is an example that uses this parameter as well as a couple of additional ones:
Set-ADAccountPassword abbeywarren -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “NewP@ssw0rd123” -Force -Verbose) –PassThru
Unlock an Account while Resetting its Password
A user’s account can get locked because they enter the wrong password too many times, as set in the account lockout policy. In that case, the user will see an error like the following:
An administrator can unlock the account from the user’s “Properties” page in ADUC:
Alternatively, you can simply unlock the account while resetting its password by using the Unlock-ADAccount parameter with a pipeline:
Set-ADAccountPassword abbeywarren -Reset –NewPassword $PWD –PassThru | Unlock-ADAccount
Force the User to Change Password at Next Logon
To force a user to change their password the next time they log into the domain, you can use the Set-ADUser command:
Set-ADUser -Identity abbeywarren -ChangePasswordAtLogon $true
You can also change the user’s password and force them to change the password at next logon in one command:
Set-ADAccountPassword abbeycrawford -NewPassword $Pwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True
Running this command will enable the User must change the password at next logon option, as shown below:
Reset a Password using Alternative Credential
Usually administrators have two accounts: a standard user account and an admin account. To change a user’s password with your privileged account while logged in on your standard account, use the -Credential parameter
First, store your admin credentials in a variable:
$Credentials = Get-Credential
This command prompts you to provide the credentials to be stored:
Then we can use the following variable to store the new password for the user:
$Pwd = ConvertTo-SecureString "MyNewPassword@123" -AsPlainText -Force
Then we use both these variables in Set-ADAccountPassword:
Set-ADAccountPassword -Identity abbeywarren -NewPassword $Pwd -Credential $Credential
Verify Password Reset Results
To verify that a password was successfully reset, use the Get-ADUser command to check the date and time when the password was last changed:
Get-ADUser abbeywarren -Properties * | select name, pass*
Reset Passwords for Multiple Users to the Same Value
Sometimes you need to reset user passwords in bulk. For example, suppose you want to set the same password for all users in the Engineering department and require those users to change their passwords the next time they log in. Simply use Get-ADUser with the -Filter parameter to choose users whose “department” value is set to “Engineering” and pipes them into the Set-ADAccountPassword cmdlet:
Get-ADUser -filter "department -eq 'Engineering'" | Set-ADAccountPassword -NewPassword $Pwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True
We can verify the results by displaying the users’ password properties:
Get-ADUser -filter "department -eq 'Engineering'" -Properties * | select name, pass*
Reset Passwords for Multiple Users to Different Value
Now suppose you have a CSV or Excel file that lists multiple users who need password resets along with the password to be assigned to each user:
Run the following PowerShell script to change the password for each user account in the CSV file:
Import-Csv c:\temp\users_new_passwords.csv -Delimiter "," | Foreach {
$NewPassword = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPassword -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}
Simplifying Password Management with Netwrix GroupID
Netwrix GroupID simplifies password management by providing easy-to-use portals for both business users and helpdesk teams. When any AD object is modified using the portals, an email notification is sent to designated recipients to alert them to the changes.
User Portal
The user portal enables business users to do the following on their own:
- Change their password
- Reset their password
- Unlock their account
Here is the dialog for the user to change their password in Netwrix GroupID:
Helpdesk Portal
Using the helpdesk portal, helpdesk users can perform the following operations on behalf of users:
- Reset a user’s password
- Unlock a user’s account
Here is the dialog for changing a user’s password:
Here is the dialog for unlocking a user’s account:
Helpdesk users can use the Dashboard, History and Live Updates options of the helpdesk portal to monitor user activity on the user portal:
Conclusion
Most IT helpdesk tickets relate to forgotten passwords and locked accounts. While ADUC and ADAC make it easy to reset a single user password, they are ill-suited for more complex tasks. PowerShell fills that gap by enabling administrators to reset passwords in bulk, and much more.
For a powerful tool that simplifies password management for both users and helpdesk teams, check out Netwrix GroupID.