How to change domain user password from client machine

How to Reset an Active Directory User Password with PowerShell and ADUC?

In this article, we will look at how to change (reset) the password of one or multiple Active Directory users using the Active Directory Users and Computers graphical snap-in (ADUC), from the command line, or using the Set-ADAccountPassword PowerShell cmdlet.

Reset User Password with the Active Directory Console (Dsa.msc)

You can use the dsa.msc (Active Directory Users & Computers – ADUC) graphical snap-in to reset an Active Directory user’s password. Open the ADUC console and search for the user account for which you want to change the password. Right-click on it and select Reset password.

Enter a new password (twice). Here you can enable two options:

  • User must change password at next logon – enable this option if you want the user to set a new password themselves the next time they log in;
  • Unlock user’s account – enable this option if you want to unlock the user (if the account is locked by the AD security policy due to multiple login attempts with an incorrect password).

This is the easiest and most intuitive way to reset a domain user’s password.

Also in the user properties on the AD attribute editor tab, you can find information about the date of the last password change. This value is stored in the pwdLastSet user attribute.

To reset a user password, your account must have the appropriate privileges in the AD domain. By default, non-admin AD users cannot reset passwords of other accounts, and only members of the built-in Domain Admins and Account Operators groups have these rights.

You can grant other user groups permission to reset user passwords in specific OUs using Active Directory delegation. A separate article provides an example of delegating the permissions to reset passwords and unlock users to the HelpDesk group.

To check that your account has the permissions to reset the password of a specific AD user, open its properties, go to the Security tab -> Advanced -> Effective Access -> specify the name of your account -> make sure that you have Reset Password permission.

How to Reset a User’s Password in Active Directory with PowerShell?

You can use the Set-ADAccountPassword cmdlet to reset an Active Directory user’s password using PowerShell. This cmdlet is part of the Active Directory module for Windows PowerShell (on desktop Windows editions it is part of RSAT). Import this module into your PowerShell session:

Import-Module ActiveDirectory

To reset a password for the user jliebert and set a new password myP@ssw0rd112, run this command:

Set-ADAccountPassword jliebert -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "myP@ssw0rd112" -Force -Verbose) -PassThru

By default, the cmdlet displays nothing in the console. To output the modified user object, use the -PassThru parameter (as in the command above).

You can specify sAMAccountName (as in our case), objectGUID, user’s SID, or a DN (Distinguished Name, e. g., CN=jliebert,OU=Users,DC=woshub,DC=com) as a user name.

If you don’t specify the -Reset parameter when changing a user password, you must manually input the old and new account passwords.

Note. If an error occurs when resetting the user password using the Set-ADAccountPassword cmdlet:

Set-ADAccountPassword: The password does not meet the length, complexity, or history requirement of the domain.

This means that the user’s new password does not meet the length, complexity, or history requirements defined in the domain password policy or in the fine-grained password policy the account is subject to.

You can get the resultant password policy settings for a domain user as follows:

Get-ADUserResultantPasswordPolicy -Identity jliebert

If you have the PowerShell command history enabled and you don’t want passwords to be displayed in the PoSh console as plain text, you must convert the password into a secure string in the same way as when creating a new user account (see the separate article on password protection in PowerShell scripts):

$NewPasswd = Read-Host "Enter a new user password" -AsSecureString

You can now set a new password for the user:

Set-ADAccountPassword jliebert -Reset -NewPassword $NewPasswd -PassThru

When resetting a user password, you can force the account to unlock, if it was locked earlier (to find out from which computer the account is locked, read the article How to Find the Source of Account Lockouts in Active Directory?):

Unlock-ADAccount -Identity jliebert

To force a user to change their password the next time they log in to the domain, run the following command:

Set-ADUser -Identity jliebert -ChangePasswordAtLogon $true

You can combine the password reset and the requirement to change the password at next logon (this is the userAccountControl object attribute) in a single PowerShell one-liner:

Set-ADAccountPassword jliebert -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True

Using the Get-ADUser cmdlet, you can make sure that the password has been successfully reset and display the last date of the account password change:

Get-ADUser jliebert -Properties * | Select-Object Name, pass*

When a password is reset, event ID 4724 is written to the Security log of the domain controller (DC). This event lets you identify the account that reset the user’s password.
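
As an added example (not from the original article), the following function pulls event 4724 from each domain controller and shows who reset whose password. It assumes the ActiveDirectory module is available, that your account may read the DCs’ Security logs, and that the function name Get-PasswordResetEvents is my own.

```powershell
Import-Module ActiveDirectory

function Get-PasswordResetEvents {
    param(
        # Query every DC by default: 4724 is logged only on the DC that processed the reset.
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainController) {
        # A DC with no matching events raises a non-terminating "No events were found" error; ignore it.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($event in $events) {
            # Read EventData fields by name instead of relying on the Properties[] index order.
            $data = @{}
            foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $event.TimeCreated
                DC         = $dc
                ResetBy    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                TargetUser = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            }
        }
    }
}

# Usage: who reset whose password in the last day, newest first.
Get-PasswordResetEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

A reset performed by an account that is not on the help desk, or a burst of resets from one SubjectUserName, is worth a closer look.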

You can find out when a user’s password expires according to the effective password policy settings using the PowerShell command:

Get-ADUser -Identity simonecole -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object @{Name="ExpirationDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
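
As an added example (not from the original article), here is the single-user procedure above wrapped in one function: it reads the password as a secure string, resets it, unlocks the account if it is locked, optionally forces a change at next logon, and then verifies the result via pwdLastSet and the computed expiry. It assumes the ActiveDirectory module is loaded and your account has Reset Password rights on the user’s OU; Reset-DomainUserPassword is a name I made up.

```powershell
Import-Module ActiveDirectory

function Reset-DomainUserPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$ForceChangeAtLogon
    )
    # Fail early if the identity is unknown (-ErrorAction Stop makes Get-ADUser throw).
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut -ErrorAction Stop

    # Show the policy the account is actually subject to, so a rejected password is no surprise.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }   # no fine-grained policy applies
    Write-Host ('Policy for {0}: min length {1}, complexity {2}, history {3}' -f $SamAccountName, $policy.MinPasswordLength, $policy.ComplexityEnabled, $policy.PasswordHistoryCount)

    # Read the new password as a SecureString so it never lands in the console or command history.
    $newPassword = Read-Host "Enter new password for $SamAccountName" -AsSecureString

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword -ErrorAction Stop
    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
    if ($ForceChangeAtLogon) { Set-ADUser -Identity $user -ChangePasswordAtLogon $true }

    # Verify: read back pwdLastSet (0 when a change at next logon is pending) and the computed expiry.
    $after  = Get-ADUser -Identity $user -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    $expiry = $after.'msDS-UserPasswordExpiryTimeComputed'
    $lastSet = if ($after.pwdLastSet -gt 0) { [datetime]::FromFileTime($after.pwdLastSet) } else { 'change pending at next logon' }
    # [long]::MaxValue means "never expires"; 0 or null means "not computed until the next change".
    $expires = if ($expiry -gt 0 -and $expiry -lt [long]::MaxValue) { [datetime]::FromFileTime($expiry) } else { 'never / not yet computed' }
    [pscustomobject]@{ User = $after.SamAccountName; PasswordLastSet = $lastSet; Expires = $expires }
}

# Usage (interactive): reset, unlock if locked, and require a new password at next logon.
Reset-DomainUserPassword -SamAccountName jliebert -ForceChangeAtLogon
```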

How to Change Password for Multiple AD Users with PowerShell?

Above, we showed you how to reset the password of a single AD user using PowerShell. Now let’s look at another scenario where you need to change multiple users’ passwords at once.

For example, you want to reset the password of all employees in the Sales department to the same password and force them to change it the next time they log in. You can use the Get-ADUser -Filter command to select users with a specific value in one of the attributes:

Get-ADUser -Filter "department -eq 'Sales Dept' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True

Let’s look at another example. Suppose you have a CSV/Excel file that contains a list of users whose passwords need to be reset, with a unique password for each user. Here is the format of the users.csv file:

sAMAccountName;NewPassword
acidicjustine;Pa$$w0r1
josephomoore;N$isory01
simonecole;k@32d3!2

You can reset a password for each user account in the specified CSV file with the following PowerShell script:

Import-Csv users.csv -Delimiter ";" | ForEach-Object {
    # Convert the plain-text password from the CSV column into a SecureString
    $NewPass = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
    # Reset the password and pass the user object on to Set-ADUser
    Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPass -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}

After this script runs, each AD user listed in the file has their own new password set.
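
As an added example (not part of the original script), here is the same CSV-driven reset with per-row error handling, so one password that violates the domain policy or one unknown account does not stop the loop, and a result object you can log without the passwords. It assumes users.csv in the format shown above; the function name Reset-PasswordsFromCsv is my own, and unlike the script above it defaults to forcing a change at next logon.

```powershell
Import-Module ActiveDirectory

function Reset-PasswordsFromCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Delimiter = ';',
        [bool]$ChangeAtLogon = $true
    )
    foreach ($row in (Import-Csv -Path $Path -Delimiter $Delimiter)) {
        $result = [ordered]@{ User = $row.sAMAccountName; Status = ''; Error = '' }
        try {
            if ([string]::IsNullOrWhiteSpace($row.NewPassword)) { throw 'empty NewPassword column' }
            $secure = ConvertTo-SecureString -String $row.NewPassword -AsPlainText -Force
            # -ErrorAction Stop turns the cmdlets' non-terminating errors into exceptions the catch block sees.
            Set-ADAccountPassword -Identity $row.sAMAccountName -Reset -NewPassword $secure -ErrorAction Stop
            Set-ADUser -Identity $row.sAMAccountName -ChangePasswordAtLogon $ChangeAtLogon -ErrorAction Stop
            $result.Status = 'OK'
        } catch {
            # Typical failures: unknown sAMAccountName, policy violation (length/complexity/history),
            # or the caller lacks the Reset Password right on that OU.
            $result.Status = 'FAILED'
            $result.Error  = $_.Exception.Message
        } finally {
            # Clear the plain-text password from the row object so it does not linger in the session.
            $row.NewPassword = $null
        }
        [pscustomobject]$result
    }
}

# Usage: reset every user in the file and keep a log that contains no passwords.
Reset-PasswordsFromCsv -Path .\users.csv | Export-Csv .\reset-results.csv -NoTypeInformation
```

Delete users.csv once the results file shows every row as OK; the plain-text passwords in it are the weakest point of this procedure.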

Changing Domain User Passwords from the Command Line

If you don’t have the ADUC console or the RSAT-AD-PowerShell module installed on your computer, you can reset the domain user password with the net user console command. To get information about a domain user, run the command:

net user jliebert /domain

The command line shows basic information about the user’s password properties in the domain:

Password last set            4/22/2022 2:15:15 AM
Password expires             Never
Password changeable          4/23/2022 2:15:15 AM
Password required            Yes
User may change password     Yes
Last logon                   4/22/2022 2:48:12 AM
Logon hours allowed   All

To reset this user’s password, run the command:

net user jliebert /domain *

Enter a new password and confirm it:

Type a password for the user: xxxx
Retype the password to confirm: xxxx
The command completed successfully.