Summary: The Scripting Guys discuss using Windows PowerShell to change a user's Active Directory password in this how-to article.
Hey, Scripting Guy! I need to be able to change a user’s password by using Windows PowerShell. In the VBScript days, I had a script that I had essentially copied from the How Can I Change a User’s Password? Scripting Guy post. The problem is that when I attempt something like that using Windows PowerShell, it fails. This is a real problem because we have many calls to the help desk from users who for whatever reason are forgetting their passwords. This has gotten worse since we began to enforce password complexity and shortened the amount of time between password changes. We need to implement a self-serve password solution, but those things are expensive.
Microsoft Scripting Guy Ed Wilson here. It is almost inevitable that when a group of network administrators get together, their stories soon involve clueless users. There may be many reasons for this, but I think one of the main causes is simply the proliferation of computers and the way in which they have touched nearly every aspect of life. Because a user has a computer at home, they tend to think they know all about computers at work. I mean, welders do not get evening phone calls from their co-workers who are trying to weld aluminum with a 3/32 7018 rod and are experiencing predictably poor results, do they?
Yet, I cannot count the number of times when I was a network administrator and I received phone calls at night and on weekends from co-workers who were attempting to perform a similar operation on their home computers. Some user stories have become legendary. The broken retractable “cup holder” on the computer, and the missing “any key” are two such stories that spring to mind. More pedestrian user stories nearly always surround users and passwords. I could spend nearly a week writing such stories from my own experience, but by the end of the week, you would either be bored or in tears. Neither is the desired reader experience for this blog.
SD, luckily the little critter whose picture I took in Chattanooga, TN, is not actually a network user. But he does appear to be ready for winter.
To change a user's password using Windows PowerShell, you can use the [adsi] type accelerator. To do this, make a connection to the user object by passing the entire distinguished name of the user. This line of code is shown here (keep in mind that LDAP in the binding string is all capital letters, and does not refer to a police department in southern California):
$oUser = [adsi]"LDAP://$user"
Next, call the Invoke method from the psbase object to invoke the SetPassword method, passing the new password. Then you must commit the changes with CommitChanges, or the new password is never written to the directory. Both steps appear in the Set-AdUserPwd.ps1 script, which is shown here.
Function Set-AdUserPwd {
 Param($user, $pwd) #end param
 $oUser = [adsi]"LDAP://$user"              # bind to the user by distinguished name
 $oUser.psbase.invoke("SetPassword", $pwd)  # call the ADSI SetPassword method with the new password
 $oUser.psbase.CommitChanges()              # write the change back to Active Directory
} # end function Set-AdUserPwd
Set-AdUserPwd -user "cn=bob,ou=HSG_TestOU,dc=nwtraders,dc=com" -pwd P@ssword1
The Set-AdUserPwd.ps1 script runs on both Windows PowerShell 2.0 and Windows PowerShell 1.0. It will work on any version of AD. A much better approach, however, is available when using the Active Directory Domain Services (AD DS) cmdlets from Windows Server 2008 R2; there is the Set-ADAccountPassword Windows PowerShell cmdlet. Changing a user’s password does not require you to write a script; you can do it directly in the Windows PowerShell console. As a nice security advantage, the password is masked on the console line and encrypted on the wire.
For a good introduction to using the Active Directory Domain Services Windows Server 2008 R2 cmdlets, see the What's Up with Active Directory Domain Services Cmdlets post.
The first thing that must be accomplished is to import the Active Directory module. It is possible to add this command to your Windows PowerShell profile, and it might even make sense if you routinely work with AD. A recent series of Hey, Scripting Guy! Blog posts talks about the Windows PowerShell profile, and will assist you in deciding what to add and what to leave out. The Import-Module cmdlet is used to import the AD module.
After the AD module has been imported, the Set-ADAccountPassword cmdlet can be used to reset the password. You do not have to use the complete distinguished name for the user; the SAM account name is enough for the -Identity parameter. To reset the password, use the -Reset switch. Interestingly enough, even though the help files state that not including the old password with the new one will force the user to change the password on logon, in my testing this was not the case. In addition, if you leave out the -NewPassword parameter, the cmdlet prompts for it. The basic command is shown here:
Set-ADAccountPassword -Identity bob -Reset
The output from the Set-ADAccountPassword command is shown here.
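The following function is an added example and is not from the original post or the Active Directory module itself. It wraps the Set-ADAccountPassword approach described above into a help-desk style reset that keeps the new password off the command line and out of the console history, explicitly forces a change at next logon (the post notes that the help file's promise of a forced change did not hold in testing, so the flag is set rather than assumed), clears any lockout, and writes an audit line that never contains the password. The user name bob and the log path are placeholders; the function assumes the ActiveDirectory module is installed and the caller holds the Reset Password right on the target user.

```powershell
# Added example (not from the original post or the AD module documentation).
# Assumes: ActiveDirectory module available; the caller has the "Reset password"
# right on the target user. "bob" and the log path below are placeholders.
Import-Module ActiveDirectory

function Reset-UserPasswordSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # SAM account name or distinguished name of the user to reset
        [Parameter(Mandatory = $true)]
        [string]$Identity,

        # Audit log location (constructed placeholder; point it at your own log store)
        [string]$LogPath = "$env:TEMP\password-resets.log"
    )

    if ($PSCmdlet.ShouldProcess($Identity, "Reset password and require change at next logon")) {
        # Read-Host -AsSecureString masks the typed characters and returns a SecureString,
        # which is what -NewPassword expects, so the clear-text password never sits in a
        # plain [string] variable or in the command history.
        $newPassword = Read-Host -Prompt "New password for $Identity" -AsSecureString

        # -Reset performs an administrative reset; no old password is required.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword

        # Force a change at next logon explicitly instead of relying on the help-file behaviour.
        # Note: this fails if the account has "password never expires" set; check that first.
        $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires
        if (-not $user.PasswordNeverExpires) {
            Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
        }
        else {
            Write-Warning "$Identity has PasswordNeverExpires set; ChangePasswordAtLogon was not applied."
        }

        # Help-desk resets usually follow a lockout, so clear it in the same step.
        Unlock-ADAccount -Identity $Identity

        # Read the relevant attributes back to confirm the reset actually took effect.
        $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet, LockedOut

        # Record who reset whom and when. The password itself is never written anywhere.
        $entry = "{0:u} {1}\{2} reset password for {3}; PasswordLastSet={4}; LockedOut={5}" -f `
            (Get-Date), $env:USERDOMAIN, $env:USERNAME, $user.SamAccountName,
            $user.PasswordLastSet, $user.LockedOut
        Add-Content -Path $LogPath -Value $entry

        # Return the confirmation to the caller
        $user | Select-Object SamAccountName, PasswordLastSet, LockedOut
    }
}

# Usage: prompts for the masked password, then shows the updated attributes.
# Add -WhatIf to see what would be done without touching the account.
Reset-UserPasswordSafely -Identity bob
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work as on the built-in cmdlets, and the password prompt only appears once the caller has confirmed the action. The PasswordLastSet value returned at the end is the quickest way to verify from the console that the reset reached the domain controller.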
If you need to change a local user password, you may want to use the Set Local User Password script I wrote for the Windows 7 Resource Kit. I have posted it on the Scripting Guys Script Repository because it is too long to show here.
SD, that is all there is to changing a user’s Active Directory password via Windows PowerShell. User Management Week will continue tomorrow when we will talk about retrieving the members of a group in Active Directory in alphabetical order.
We invite you to follow us on Twitter and Facebook. If you have any questions, send email to us at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson and Craig Liebendorfer, Scripting Guys