PowerShell How to Reset Password in Active Directory and Local Account
Windows makes it very simple for users to update, change, or reset their account passwords from the standard settings menu. But what if they forget the password or their account is disabled? Or maybe, you get an email from HR asking to change dozens of passwords in Active Directory (AD).
Enter PowerShell, which allows you to reset the passwords of a local account as well as an AD account with an appropriate cmdlet.
Let us dive into the topic and work through the common use cases of resetting user passwords in AD and in local accounts with PowerShell.
Part 1: Prerequisites for Resetting Password in PowerShell in AD
If you're planning to reset or change the user password in AD with PowerShell, be sure to fulfill certain conditions:
- Active Directory Module: Install the Remote Server Administration Tools (RSAT) on your system. It comes preloaded with the Active Directory module that you need to proceed.
- Administrative Privileges: You need administrative permissions to reset passwords in Active Directory. You must be a member of the Domain Admins group or, at minimum, a member of the Account Operators group in Active Directory.
Key Takeaways
The Set-LocalUser Cmdlet: This is the basic cmdlet for resetting the password on a local account. Note that this command doesn't work on a 32-bit PowerShell on a 64-bit system.
Set-ADAccountPassword Cmdlet: Resets or changes the password of an Active Directory account. With this command, you can assign password values to numerous users in one go. It can even assign random, unique passwords to multiple users.
Part 2: Change the Password of Local User in PowerShell
If you need to reset the password for a local account on a Windows machine, the Set-LocalUser cmdlet is used. Below are the use cases that you should know about.
Resetting a Single Local User Password
Whether you want to change the password of a local user or in Active Directory, be sure to open PowerShell as administrator. Now, run the command to change the user password in PowerShell:
Set-LocalUser -Name Administrator -Password (Read-Host -AsSecureString "NewPassword")
Here, "NewPassword" is only the prompt text; type the new password when PowerShell prompts you for it, then press Enter to confirm the action. For security purposes, PowerShell doesn't display the characters on the screen.
And that's how simple it is to change a user password using PowerShell on Windows 10.
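The reset above, as an added example that is not code from the original article: a small function that refuses to run from a 32-bit host on 64-bit Windows (the limitation noted earlier), asks for the password twice because Read-Host -AsSecureString prompts only once, and verifies the change through PasswordLastSet. The account name "svc-backup" in the usage line is a placeholder.

```powershell
# Added example, not code from the original article: reset a local account's
# password interactively, asking for it twice and verifying the result.
# "svc-backup" in the usage line is a placeholder account name.

function Reset-LocalAccountPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name
    )

    # Set-LocalUser is not available from a 32-bit PowerShell host on 64-bit
    # Windows, so stop early with a clear message instead of a confusing error.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from a 64-bit PowerShell host; Set-LocalUser is unavailable in a 32-bit host on 64-bit Windows.'
    }

    # Resolve the account first so a typo fails before any change is attempted.
    $user = Get-LocalUser -Name $Name -ErrorAction Stop

    # Read-Host -AsSecureString prompts only once, so ask twice and compare.
    $first  = Read-Host -AsSecureString "New password for $Name"
    $second = Read-Host -AsSecureString 'Confirm new password'

    # NetworkCredential exposes the plain text for the comparison only; the
    # decrypted strings are not stored in a variable.
    if ([System.Net.NetworkCredential]::new('', $first).Password -cne [System.Net.NetworkCredential]::new('', $second).Password) {
        throw 'The two entries do not match; nothing was changed.'
    }

    if ($PSCmdlet.ShouldProcess($Name, 'Reset local account password')) {
        $before = $user.PasswordLastSet
        Set-LocalUser -Name $Name -Password $first -ErrorAction Stop

        # Verify: PasswordLastSet must have advanced past its previous value.
        $after = (Get-LocalUser -Name $Name).PasswordLastSet
        if ($null -ne $before -and $after -le $before) {
            Write-Warning "PasswordLastSet did not advance for $Name; check the account state."
        }
        [pscustomobject]@{ Name = $Name; Enabled = $user.Enabled; PasswordLastSet = $after }
    }
}

# Usage (prompts twice; add -WhatIf to see what would happen without changing anything):
# Reset-LocalAccountPassword -Name 'svc-backup'
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work as they do for built-in cmdlets, which is the safest way to try it on a machine you do not want to touch yet.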
Part 3: Changing the Active Directory Password via PowerShell
The Set-ADAccountPassword cmdlet allows you to reset the passwords of single or multiple accounts with PowerShell. Let us analyze a few common cases of this command.
Case 1: Single User Password Reset in Active Directory
When changing a password in AD, the admin needs to specify the user's identity and the new password to assign. To change the AD password of a single user in PowerShell, follow the steps below:
Step 1: Search for PowerShell in the Windows search bar at the bottom-left.
Step 2: Right-click Windows PowerShell and select "Run as administrator."
Step 3: Execute the below command:
Set-ADAccountPassword -Identity [username] -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "[newpassword]" -Force)
Breakdown
1. In this command, replace [username] with the username of the account and [newpassword] with the password of your choice.
2. Moreover, as the Set-ADAccountPassword cmdlet accepts the new password only as a SecureString, it's important to convert the plain-text value first. ConvertTo-SecureString -AsPlainText -Force serves this purpose.
3. The -Reset parameter specifies that this is a password reset (the administrator sets a new password without supplying the old one), not a password change.
Case 2: Set New Password At the Next Logon
Do you want to force the user to change their password at the next login? It can be done easily using the -ChangePasswordAtLogon $true parameter of Set-ADUser.
For instance, use the below command to force the user "worker03" to change their password at the next logon:
Set-ADUser -Identity worker03 -ChangePasswordAtLogon $true
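Case 1 and Case 2 together, as an added example that is not code from the original article: one function that resets the password, sets the change-at-next-logon flag, clears a lockout that would otherwise stop the user from performing that change, and verifies the result through the pwdLastSet attribute (0 when a change is required). It assumes the ActiveDirectory module is installed and uses the article's sample account "worker03".

```powershell
# Added example, not code from the original article: reset one AD user's
# password, require a change at next logon, and verify. "worker03" is the
# article's sample account; the domain is whatever the session is joined to.
Import-Module ActiveDirectory -ErrorAction Stop

function Reset-ADUserPasswordForNextLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # Resolve first so a typo in the identity fails before any change is attempted.
    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet, LockedOut -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password and require change at next logon')) {
        # -Reset: administrative reset, no old password needed (a change would use -OldPassword).
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword -ErrorAction Stop

        # Force the user to choose their own password the first time they use this one.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop

        # A locked-out account cannot log on to perform that change, so clear the lockout.
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user -ErrorAction Stop }

        # Verify: pwdLastSet is 0 while "must change at next logon" is set.
        $check = Get-ADUser -Identity $user -Properties pwdLastSet, PasswordExpired
        [pscustomobject]@{
            SamAccountName    = $check.SamAccountName
            MustChangeAtLogon = ($check.pwdLastSet -eq 0)
            PasswordExpired   = $check.PasswordExpired
        }
    }
}

# Usage: the password is read from the console rather than typed on the command
# line, so it does not end up in the PowerShell history file.
# Reset-ADUserPasswordForNextLogon -Identity worker03 -NewPassword (Read-Host -AsSecureString 'New password')
```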
Case 3: Multiple User Reset Password in AD With Same Value
With PowerShell, you can reset the passwords of dozens of accounts in a single go. This is particularly common in an organization where you want to change the passwords in bulk.
Suppose you want to set the same password for all the members of the Engineering department in an organization and require them to change their passwords at the next logon. In this case, use the below command:
$NewPassword = Read-Host -AsSecureString "New password"
Get-ADUser -Filter "department -eq 'Engineering'" | Set-ADAccountPassword -NewPassword $NewPassword -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $true
1. The Get-ADUser -Filter parameter selects the users whose department attribute is "Engineering"; only those accounts are piped into the password reset.
2. The -ChangePasswordAtLogon parameter requires them to set a new password the next time they log in.
3. The Set-ADAccountPassword cmdlet performs the actual reset, and -PassThru passes each user object on to Set-ADUser.
Case 4: Multiple User Reset Password in AD With Unique Values
One key advantage of using PowerShell is that it lets you assign a unique password to each user. For this purpose, you need two things:
1. A list of users stored in a CSV file (Import-Csv reads CSV, so export a text or Excel list to CSV first).
2. Unique password values for each user.
Now, run the below command to change multiple passwords in Active Directory with PowerShell:
Import-Csv C:\temp\users_new_passwords.csv -Delimiter "," | ForEach-Object {
    # Each CSV row must have two columns: sAMAccountName and NewPassword
    $NewPassword = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPassword -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}
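Case 3 and Case 4 together, as an added example that is not code from the original article: instead of reading passwords from the CSV, this version generates a unique random password per user with a cryptographic RNG (the "random, unique passwords" mentioned under Key Takeaways), sizes it from the domain's own policy, requires a change at next logon, and keeps going when one row fails. Assumptions: the CSV has a single "sAMAccountName" column, the path is a placeholder, and a minimum generated length of 16 is my choice, not the article's.

```powershell
# Added example, not code from the original article: reset every user listed in
# a CSV to a unique, randomly generated password and require a change at next
# logon. Assumptions: the CSV has a single "sAMAccountName" column, the path is
# a placeholder, and generated length = max(16, domain MinPasswordLength).
Import-Module ActiveDirectory -ErrorAction Stop

function New-RandomPassword {
    param([int] $Length = 16)
    # Ambiguous characters (I, l, O, 0, 1) are left out so the value survives being read aloud.
    $upper  = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = [char[]]'abcdefghijkmnopqrstuvwxyz'
    $digit  = [char[]]'23456789'
    $symbol = [char[]]'!@#$%^&*-_=+?'
    $all    = $upper + $lower + $digit + $symbol

    # A CSPRNG, not Get-Random, because these values are secrets.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    function Get-RandomChar([char[]] $Set) {
        $rng.GetBytes($buf)
        # Modulo bias over a 2^32 draw is negligible for a set this small.
        $Set[[BitConverter]::ToUInt32($buf, 0) % $Set.Length]
    }

    do {
        $pw = -join (1..$Length | ForEach-Object { Get-RandomChar $all })
        # Redraw until all four classes appear; AD complexity needs three of four.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

function Reset-ADPasswordsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Path)

    # Never generate below what the domain already enforces.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $length = [Math]::Max(16, $policy.MinPasswordLength)

    foreach ($row in Import-Csv -Path $Path) {
        $sam = $row.sAMAccountName
        try {
            $user   = Get-ADUser -Identity $sam -ErrorAction Stop
            $plain  = New-RandomPassword -Length $length
            $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

            if (-not $PSCmdlet.ShouldProcess($sam, 'Reset to a unique generated password')) {
                [pscustomobject]@{ sAMAccountName = $sam; Status = 'Skipped (WhatIf)'; TempPassword = $null }
                continue
            }
            Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
            [pscustomobject]@{ sAMAccountName = $sam; Status = 'OK'; TempPassword = $plain }
        } catch {
            # One bad row (unknown user, policy rejection, missing rights) must not abort the batch.
            [pscustomobject]@{ sAMAccountName = $sam; Status = "FAILED: $($_.Exception.Message)"; TempPassword = $null }
        }
    }
}

# Usage: the output stays in memory; hand each temporary password to its owner
# out of band and do not export this object to a shared file.
# Reset-ADPasswordsFromCsv -Path 'C:\temp\users.csv' -WhatIf
```

Run it once with -WhatIf to confirm that every sAMAccountName in the file resolves, then without it; the per-user Status column tells you which rows the domain rejected (for example, a generated value that still violates a fine-grained policy) without stopping the rest of the batch.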
Best Practices for Active Directory Password Reset in PowerShell
PowerShell allows admins to manage numerous user passwords with a single cmdlet. Before proceeding to reset the password with PowerShell, it's essential to take into consideration a few important tips:
1. Use Unique Passwords: When setting a new password, make it robust and complex so that it is difficult to guess. With PowerShell, you can assign unique passwords to different accounts in one go. A good password contains a mix of upper- and lower-case letters with a few numbers.
2. Update Passwords Regularly: Encourage users to update their passwords regularly to enhance the security of their systems. It's best to change the password every 3 months for maximum safety.
3. Set Account Lockouts: Enable account lockout after a specific number of failed login attempts. Generally, people set the limit to 3 or 4 failed attempts.
4. Use Different Passwords for Different Accounts: It's recommended to set a different password for each account, so that if one account is compromised, the others remain safe.
5. Apply in Test Environments: Using PowerShell to reset or change passwords demands the utmost care. If you're new to it, try the cmdlets in a test environment before running them in a production scenario.
Bonus Tip: Manage PowerShell Passwords And Other Tasks Remotely
If you run a small enterprise and want to handle all the IT-related tasks remotely, try AirDroid Remote Support. It includes all the essential functions like real-time screen sharing, voice chatting, messaging and file transfer, to help you to provide remote support to clients and customers efficiently.
AirDroid boasts its ability to secure access to unattended devices as well, allowing you to manage a remote device without authorization. Moreover, the host has the full authority to display a "Black Screen" on the controlled device while performing tasks to enhance privacy.
And that's not all. It lets the manager manage device permissions by grouping, as well as assign various levels of access rights to different users to streamline all the tasks. To cater to the varying needs of different enterprises, AirDroid offers several premium plans you can choose from.
FAQs
Q1: How do I check if I have the Active Directory module installed?
Run the below command:
Get-Module -ListAvailable | Where-Object { $_.Name -eq "ActiveDirectory" }
If the module is installed, it will be listed in the output. If nothing is returned, install either RSAT or the AD DS role, both of which include the Active Directory module.
Q2: Are there any password requirements in AD with PowerShell?
Yes, the password you enter should fulfill certain conditions, including:
1. A minimum length of 8 characters.
2. Must contain both lowercase and uppercase letters, plus a number or a symbol.
3. Shouldn't be a straightforward sequence like Mycomputer@123.
Q3: How to check the default password policy in Active Directory?
To view the AD password policy, execute the below command in PowerShell:
Get-ADDefaultDomainPasswordPolicy
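Q2, Q3 and the Best Practices section above, as an added example that is not code from the original article: a function that reads the default domain password policy and compares it with the thresholds this article recommends (8-character minimum, complexity on, lockout after 3 or 4 failures, a change every 3 months). The thresholds are parameters so you can align them with your own baseline; the reversible-encryption check is my addition, not something the article discusses.

```powershell
# Added example, not code from the original article: compare the domain's default
# password policy with the thresholds recommended in this article. The defaults
# below (8 characters, lockout <= 4, 90 days) come from the article; the
# reversible-encryption check is an added caveat.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ADPasswordPolicyBaseline {
    param(
        [int] $MinLength = 8,
        [int] $MaxLockoutThreshold = 4,
        [int] $MaxPasswordAgeDays = 90,
        # Pass a policy object to test; defaults to the live domain policy.
        $Policy = (Get-ADDefaultDomainPasswordPolicy)
    )

    # Each row: the setting, its observed value, and whether it meets the baseline.
    @(
        [pscustomobject]@{
            Setting = 'MinPasswordLength'
            Value   = $Policy.MinPasswordLength
            Pass    = ($Policy.MinPasswordLength -ge $MinLength)
        }
        [pscustomobject]@{
            Setting = 'ComplexityEnabled'
            Value   = $Policy.ComplexityEnabled
            Pass    = [bool]$Policy.ComplexityEnabled
        }
        # LockoutThreshold 0 means accounts never lock out, which fails the check.
        [pscustomobject]@{
            Setting = 'LockoutThreshold'
            Value   = $Policy.LockoutThreshold
            Pass    = ($Policy.LockoutThreshold -ge 1 -and $Policy.LockoutThreshold -le $MaxLockoutThreshold)
        }
        # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire.
        [pscustomobject]@{
            Setting = 'MaxPasswordAge'
            Value   = $Policy.MaxPasswordAge
            Pass    = ($Policy.MaxPasswordAge.TotalDays -gt 0 -and $Policy.MaxPasswordAge.TotalDays -le $MaxPasswordAgeDays)
        }
        # Reversible encryption stores passwords in a recoverable form; it should be off.
        [pscustomobject]@{
            Setting = 'ReversibleEncryptionEnabled'
            Value   = $Policy.ReversibleEncryptionEnabled
            Pass    = (-not $Policy.ReversibleEncryptionEnabled)
        }
    )
}

# Usage: Test-ADPasswordPolicyBaseline | Format-Table -AutoSize
# Any row with Pass = False is a setting to review with Set-ADDefaultDomainPasswordPolicy
# or, for particular groups, a fine-grained policy (New-ADFineGrainedPasswordPolicy).
```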
Final Remarks
As you can see, PowerShell makes it extremely easy to reset or change passwords in both local user accounts and AD accounts. It might seem tedious to write a lengthy command for a basic operation like a password reset, but it comes in handy when you want to manage the passwords of numerous accounts.
Moreover, enterprises can use AirDroid Remote Support to provide remote assistance to clients and manage the whole IT infrastructure from a single, highly customizable interface. Thanks