How to Reset Active Directory User Password in PowerShell?

Active Directory password reset is a typical call driver for any organization’s help desk. The task may seem ridiculously simple: search for the user account in the Active Directory Users and Computers console and reset the password from there.

Of course, you still need to set the new password manually, meaning you have to devise one or use a third-party password generator. Some are probably guilty of reusing the same reset password for every Active Directory account, which is a security risk.

But surely you wouldn’t reuse the same password every time you reset an Active Directory user password if you could avoid it, right? In this case, you can use PowerShell to complete a change AD password request that automatically generates a unique random password.

In this post, we’ll learn how to reset Active Directory user passwords in PowerShell, which automatically generates a random password. We’ll also build a PowerShell reset AD password script that can be reused or shared with your team.

Requirements

This post will use the following:

  • A Windows 2019 server with Active Directory and domain controller roles.
  • A Windows computer with the Active Directory PowerShell module installed. This module is already present if you’ll be working on an AD server. But if you’ll be working on a separate domain-joined Windows computer, you must install the Remote Server Administration Tools (RSAT) first.
  • Windows PowerShell 5.1. Tested working with PowerShell 7.2.3.
  • User accounts that will be targeted for password resets.

Reset Active Directory User Password in PowerShell (Manual)

Before you start, you must know the username of the user account whose password you will reset. Also, you should already have the new password that you will set to that account. For example, the username is joesmith, and the new password is “n3wP@5$w0rd”.

Open a PowerShell window and import the Active Directory PowerShell module.

Import-Module activedirectory

Next, confirm that the user account is valid by running the Get-ADUser cmdlet.

Get-ADUser -Identity joesmith

As you can see, the result shows that the account is valid, and we can target it for the AD password reset.

First, store the new password as a secure string, since the -NewPassword parameter of Set-ADAccountPassword only accepts a SecureString.

$newPassword = 'n3wP@5$w0rd' | ConvertTo-SecureString -AsPlainText -Force

Finally, run Set-ADAccountPassword with the -Reset parameter to reset the user’s password (no old password is required for a reset).

Set-ADAccountPassword -Identity joesmith -NewPassword $newPassword -Reset

That’s it! You’ve successfully reset the user account password in PowerShell.

Reset Active Directory User Password in PowerShell (Script)

Notice that in the previous method, we’ve had to issue several commands and manually create a new password for one user. What if you have more than one user account to reset at once? Will you generate a new password every time, or will you use the same password? DON’T!

Instead of reusing the same password and re-issuing the same command for different users, let’s use a script that will do most of the work.

Copy the script below and save it as Reset-UserPassword.ps1. What does this script do?

  • It accepts multiple user IDs.
  • It generates a random password. The default password length is 14 but can be set to a minimum of 8 and a maximum of 256. The password characters will consist of these character groups in order: uppercase, lowercase, numeric, and special characters.
  • It resets the user password and returns the result to the screen, which you can also export to TXT, CSV, JSON, XML, or whichever file format you prefer.

You can also download the script from this gist.

This script accepts two parameters:

  • -Identity — one or more AD user identities. For example: -Identity 'user1','user2'. This parameter is mandatory.
  • -NewPasswordLength — the length of the new password to generate. This parameter is optional. If not specified, the default password length will be 14 characters.

# Reset-UserPassword.ps1
[CmdletBinding()]
Param (
    # Accepted values:
    # * SamAccountName (joesmith)
    # * ObjectGUID (54b0ebed-2d39-4378-8acb-efca96efcf8f)
    # * DistinguishedName (CN=Joe Smith,CN=Users,DC=dev,DC=int)
    [Parameter(Mandatory, ValueFromPipeline)]
    [string[]]
    $Identity,

    # The fixed length of the new password.
    # * Minimum = 8
    # * Maximum = 256
    # * Default = 14
    [Parameter()]
    [Int]
    $NewPasswordLength = 14
)

Begin {
    # Make sure the password length is from 8 to 256.
    if ($NewPasswordLength -notin (8..256)) {
        "The -NewPasswordLength value is not within the range of 8 and 256." | Out-Default
        exit
    }

    Import-Module ActiveDirectory -Force

    # Define the character sets based on uppercase, lowercase, numeric, and special categories.
    # Easily confused characters (I, O, l, 0, 1) are left out so the password can be read out to a user.
    $CharacterSet = [System.Collections.ArrayList]@()
    $null = $CharacterSet.Add($(('ABCDEFGHJKLMNPQRSTUVWXYZ').ToCharArray())) # Character group 0
    $null = $CharacterSet.Add($(('abcdefghijkmnopqrstuvwxyz').ToCharArray())) # Character group 1
    $null = $CharacterSet.Add($(('23456789').ToCharArray()))                 # Character group 2
    $null = $CharacterSet.Add($(('*$-+?_&=!%{}/').ToCharArray()))            # Character group 3
}
Process {
    foreach ($currentId in $Identity) {
        #Region Generate_Password
        # Initialize an empty password
        $newPassword = ""
        do {
            # Generate the password with a set of 4 characters in this order:
            # uppercase, lowercase, numeric, special. Repeat until the
            # new password length is equal to the $NewPasswordLength value.
            0..($CharacterSet.Count - 1) | ForEach-Object {
                if ($newPassword.Length -lt $NewPasswordLength) {
                    # Add a random character to the password from the current character group.
                    $newPassword += $CharacterSet[$_][$(Get-Random -Minimum 0 -Maximum ($CharacterSet[$_].Count))]
                }
            }
        }
        # Stop when the random password length is equal to the specified $NewPasswordLength.
        until ($newPassword.Length -eq $NewPasswordLength)
        #EndRegion Generate_Password

        #Region Reset_Password
        try {
            # Get the user account properties
            $userObject = Get-ADUser -Identity $currentId -Properties DisplayName -ErrorAction Stop
            # Reset the AD user password. -Reset performs an administrative reset, so the old
            # password is not needed; -ErrorAction Stop makes any failure land in the catch block.
            Set-ADAccountPassword -Identity $userObject.DistinguishedName -Reset -NewPassword ($newPassword | ConvertTo-SecureString -AsPlainText -Force) -ErrorAction Stop
            # Force the user to change the password on the next logon
            Set-ADUser -Identity $userObject.DistinguishedName -ChangePasswordAtLogon $true -ErrorAction Stop

            # Return the result
            [pscustomobject]@{
                Identity       = $userObject.SamAccountName
                'Display name' = $userObject.DisplayName
                'New Password' = $newPassword
                'Result'       = 'Successful.'
            }
        }
        catch {
            [pscustomobject]@{
                Identity       = $currentId
                'Display name' = '-'
                'New Password' = '-'
                'Result'       = "Failed. $($_.Exception.Message)"
            }
        }
        #EndRegion Reset_Password
    }
}
End {

}
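The script above draws characters with Get-Random, which is not a cryptographically secure generator, and always emits the four groups in the same fixed order, so the position of each character class is predictable. The following is an added example, not part of the original post, of a drop-in generator that keeps the article's four character groups but uses System.Security.Cryptography.RandomNumberGenerator with rejection sampling and shuffles the result; the function name New-RandomPassword and the joesmith account in the usage lines are assumptions.

```powershell
function New-RandomPassword {
    [CmdletBinding()]
    param (
        [ValidateRange(8, 256)]
        [int] $Length = 14
    )

    # The same four character groups the article's script uses.
    $groups = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ'.ToCharArray(),
        'abcdefghijkmnopqrstuvwxyz'.ToCharArray(),
        '23456789'.ToCharArray(),
        '*$-+?_&=!%{}/'.ToCharArray()
    )
    $all = $groups | ForEach-Object { $_ }   # flattened union of all groups

    # Cryptographically secure, unbiased index in [0, $max) via rejection sampling.
    # (RandomNumberGenerator.GetInt32 is simpler but needs PowerShell 7 / .NET 6.)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $next = {
        param ([int] $max)
        $buf = [byte[]]::new(4)
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $max)
        do {
            $rng.GetBytes($buf)
            $value = [System.BitConverter]::ToUInt32($buf, 0)
        } while ($value -ge $limit)
        return [int]($value % $max)
    }

    # One character from every group guarantees the complexity rule, then fill up.
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($g in $groups) { $chars.Add($g[(& $next $g.Count)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Count)]) }

    # Fisher-Yates shuffle so the group order cannot be inferred from the position.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $next ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

# Usage against the joesmith account from the article (assumes it exists):
$newPassword = New-RandomPassword -Length 16
Set-ADAccountPassword -Identity joesmith -Reset -NewPassword ($newPassword | ConvertTo-SecureString -AsPlainText -Force)
Set-ADUser -Identity joesmith -ChangePasswordAtLogon $true
```

The generator works on Windows PowerShell 5.1 and PowerShell 7 alike; swapping it into the Process block of Reset-UserPassword.ps1 in place of the do/until loop leaves the rest of the script unchanged.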

Once you’ve saved the script, you can now call it to reset the password of one or more users.

Example 1: Single User AD Password Reset

This example resets the password of a single user. The new password length is 14 (default).

.\Reset-UserPassword.ps1 -Identity joesmith

Example 2: Multiple User AD Password Reset

If you have multiple user AD password reset requests, you can process them in one go. The example below will reset the users’ passwords in the $adUsers array. The new passwords will be 8 characters long.

# Store usernames in an array 
$adUsers = @('joesmith','laracross','psychosam') 
# Execute active directory reset password 
.\Reset-UserPassword.ps1 -Identity $adUsers -NewPasswordLength 8

Notice that one user AD password reset failed? That’s because that user account does not exist in Active Directory. This script clearly shows you the error if and when it happens, taking out the guesswork!

You can also pass the user identities to the pipeline like so:

$adUsers | .\Reset-UserPassword.ps1 -NewPasswordLength 8

Example 3: Bulk User AD Password Reset from a Text File

In typical PowerShell fashion, you can also import the list of users from a text file and pass them to the script to reset their passwords.

For example, this command will import the list of users from the .\users.txt file and process the user AD password reset for each.

Get-Content .\users.txt | .\Reset-UserPassword.ps1 -NewPasswordLength 12

Conclusion

Thank you for staying until the end of this post. I hope you’ve learned the basics of how to reset Active Directory user passwords in PowerShell.

Translating the PowerShell commands into a PowerShell script can make the job of administrators and first-line support easier. So get into the habit of automating mundane tasks, like User AD Password Reset, and lessen the manual workload moving forward.

Cyril Kardashevsky
