AD PowerShell Password Reset Shortcut for Helpdesk

Introduction

Back in May I released a post on the Hey Scripting Guy blog showing how to create a shortcut to unlock a user account with a PowerShell desktop shortcut.  That post was very popular, and the comments evolved into another shortcut to reset passwords.  Due to the popularity and utility of the idea I decided it deserved its own blog post.  I’ve also learned a little more about the Set-ADAccountPassword cmdlet to simplify my previous code.

Monday Morning on “The Desk”

You know the drill.  It’s Monday morning.  Last Friday 47 users decided it was a good idea to change their password before the weekend.  It’s Monday.  They forgot, just like I would.  Personally I never change my password on a Friday for this reason.  I need a couple days to use it before the weekend.

What could make this worse?  Holiday weekends… like US Thanksgiving.  (grin)  Now it’s been at least five days since I reset that password.  There’s no chance I’ll remember it unless it’s written down on that sticky note under the mouse pad.

Now all 47 of those users must call the helpdesk first thing Monday before they can begin another week of productivity for the company.  The self-service password project has not gotten enough budget or resources for implementation, and until it does every Monday morning is going to look very familiar.  That’s where we come in with PowerShell.

The Options

How many different ways can we reset a password?  Let’s make a quick list:

  1. Active Directory Users and Computers (ADUC) – Despite the several clicks involved this is the first choice for many folks.  It’s been working for 12 years now.  Why change now?
  2. Active Directory Administrative Center (ADAC) – This is the new AD-GUI-with-PowerShell-under-the-covers version of ADUC, and it puts password resets on the front page for easy access.  Give this one a try.  It’s free with your Windows Server 2008 R2 (or 2012) RSAT.  This is slightly faster.
  3. DSMOD – Yeah.  It’s an option, but you need to type the distinguished name for the user.  Cool, but just not practical.
  4. That in-house identity app written seven years ago by a special project team in InfoSec.  Um.  Yeah.  Way too many clicks.
  5. PowerShell.  Wait… can you click in PowerShell?  Kind of. It’s going to be a single double-click.  Much faster.
  6. Etc.

Bring The ‘Shell To The ‘Desk

Attached at the bottom of this post you’ll find a simple text file with these lines (note that these one-liners have been wrapped for display purposes):

 : 100 characters
: Reset Password
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword (Read-Host 'User') -R}"

: 123 characters
: Reset Password
: User must change password at next logon
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1}"

: 154 characters
: Reset Password
: User must change password at next logon
: Alternate credentials
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword ($u=Read-Host 'User') -R -Cr ($c=Get-Credential);
Set-ADUser $u -Ch 1 -Cr $c}"

: 191 characters
: Reset Password
: User must change password at next logon
: Alternate credentials
: Target a specific DC
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword -Cr ($c=Get-Credential) -S ($s=Read-Host 'DC')
 -I ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1 -Cr $c -Server $s}"

Depending on how you would like to perform the password reset there are four options presented here for your shortcut.  Simply copy the line you want to use and paste it into a batch file on the desktop for the helpdesk.  Here are the flavors:

  • Password reset
  • User must change password at next logon (always a good idea)
  • Reset the password using alternate credentials
  • Target a different domain controller to initiate the change

Just copy the line you want into a text file on the desktop and put ‘.BAT’ at the end of the file name.  Enjoy!

The Code

At first glance these lines may be a bit challenging to understand.  That’s because I’ve maximized the use of aliases and abbreviations to tighten these lines down to merely a few characters.  I usually avoid these for readability, but in this case I was aiming for brevity.  Plus it’s just fun.

Let’s break down the longest line:

  • @echo off
    • This is batch language to hide the commands when you run them.
  • &&
    • This is how we cheat in batch language and put everything on one line.
  • powershell -NoE -C
    • Launch PowerShell, leave the window open when complete (in case there are any errors to view), and run this command…
  • "&{
    • Now we’re in PowerShell, and the ‘&’ is the invoke operator.  This tells PowerShell to run everything inside the code block { }.
  • ipmo ActiveDirectory;
    • Import-Module ActiveDirectory.  Then ‘;’ is the statement separator, standing in for a new line so we can cheat in PowerShell and keep it all on one line.
  • Set-ADAccountPassword -Cr ($c=Get-Credential) -S ($s=Read-Host 'DC') -I ($u=Read-Host 'User') -R;
    • This is where the magic happens.  There is no alias to shorten the cmdlet, but we’ve abbreviated all of the parameters: Credential, Server, Identity, and Reset.  By capturing each of these values into a variable we can reuse them in the next cmdlet without having to prompt for the values again.
  • Set-ADUser $u -Ch 1 -Cr $c -Server $s}"
    • ChangePasswordAtLogon becomes ‘Ch’. ‘Cr’ again is Credential.  Because this cmdlet has so many parameters beginning with ‘S’ we have to use the full parameter name for ‘Server’.

What other language could do this in less than 200 characters?  Now that’s PowerShell!
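The breakdown above unpacks the aliases; as an added example (not the author's attached batch file), here is the same three-prompt flow written out as a readable function with the follow-up checks a helpdesk ticket usually wants: confirm the account exists before asking for a new password, clear a lockout left by failed logon attempts, and read the result back from the same DC.  It assumes the RSAT ActiveDirectory module and a delegated helpdesk account that holds the Reset Password right on the target OU; the function name and its output fields are mine.

```powershell
# Added example, not the author's batch file. Assumes the RSAT ActiveDirectory
# module and a delegated helpdesk account (Reset Password right on the user OU,
# not Domain Admin). Function name and output fields are this example's own.
Import-Module ActiveDirectory

function Reset-HelpdeskPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN, GUID or SID
        [Parameter(Mandatory)][string]$Server,     # one DC for the write and the read-back
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )

    # Look the account up first so a typo fails before anyone types a password.
    $user = Get-ADUser -Identity $Identity -Server $Server -Credential $Credential `
                       -Properties LockedOut, PasswordNeverExpires -ErrorAction Stop

    if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, "Reset password on $Server")) { return }

    # -Reset without -NewPassword prompts for the password as a SecureString, so the
    # plaintext never appears on the command line, in history or in a transcript.
    Set-ADAccountPassword -Identity $user -Reset -Server $Server -Credential $Credential -ErrorAction Stop

    # Force a change at next logon so the password the helpdesk knows is short-lived.
    # Note: this flag is rejected by AD while PasswordNeverExpires is set on the account.
    if ($user.PasswordNeverExpires) {
        Write-Warning "$($user.SamAccountName) has PasswordNeverExpires; cannot force change at logon."
    } else {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -Server $Server -Credential $Credential -ErrorAction Stop
    }

    # A forgotten password usually comes with a lockout from retries; clear it too.
    if ($user.LockedOut) {
        Unlock-ADAccount -Identity $user -Server $Server -Credential $Credential
    }

    # Read back from the same DC (replication lag would hide the change elsewhere).
    $after = Get-ADUser -Identity $user -Server $Server -Credential $Credential `
                        -Properties PasswordLastSet, pwdLastSet, LockedOut
    [pscustomobject]@{
        User              = $after.SamAccountName
        Server            = $Server
        PasswordLastSet   = $after.PasswordLastSet    # $null while pwdLastSet is 0
        MustChangeAtLogon = ($after.pwdLastSet -eq 0)
        LockedOut         = $after.LockedOut
        ResetBy           = $Credential.UserName
        When              = Get-Date
    }
}

# Same prompts as the one-liner; the returned object can be pasted into the ticket.
Reset-HelpdeskPassword -Identity (Read-Host 'User') -Server (Read-Host 'DC') -Credential (Get-Credential)
```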

One Small Prerequisite

In order for the helpdesk to use this code they will need to install the Windows 7 or Windows 8 Remote Server Administration Tools (RSAT) and turn on the feature Active Directory Module for Windows PowerShell.  Most likely the RSAT are already installed for other administrative tasks, so they can check the GUI box pictured here:

[image: Windows Features dialog with the Active Directory Module for Windows PowerShell checkbox under Remote Server Administration Tools]

‘Tis The Season

Password resets will never go out of season.  Armed with these new batch lines perhaps your Monday mornings will go faster and the elves in the toy shop can get back to what they do best… making new Microsoft Surface tablets to put under the Christmas tree.

ADPS_Password_Reset_Batch.txt