powershell reset active directory password

May 14, 2012

(original post from: http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/17/how-to-change-a-user-s-active-directory-password-with-powershell.aspx)


To change a user’s password using Windows PowerShell, you can use the [adsi] type accelerator. To do this, make a connection to the user object by passing the entire distinguished name of the user. This line of the code is shown here (keep in mind that LDAP is all capital letters, and does not refer to a police department in southern California):

$oUser = [adsi]”LDAP://$user”

Next, call the invoke method from the psbase object, and invoke the setpassword method while passing the password. Then you must commit the changes. This is shown here:


The Set-AdUserPwd.ps1 script is seen here.


Function Set-AdUserPwd
) #end param
$oUser = [adsi]”LDAP://$user”
} # end function Set-AdUserPwd
Set-AdUserPwd -user “cn=bob,ou=HSG_TestOU,dc=nwtraders,dc=com” -pwd P@ssword1

The Set-AdUserPwd.ps1 script runs on both Windows PowerShell 2.0 and Windows PowerShell 1.0. It will work on any version of AD. A much better approach, however, is available when using the Active Directory Domain Services (AD DS) cmdlets from Windows Server 2008 R2; there is the Set-ADAccountPassword Windows PowerShell cmdlet. Changing a user’s password does not require you to write a script; you can do it directly in the Windows PowerShell console. As a nice security advantage, the password is masked on the console line and encrypted on the wire.

For a good introduction to using the Active Directory Domain Services Windows 2008 R2 cmdlets, see the What’s Up with Active Directory Domain Services Cmdlets.

The first thing that must be accomplished is to import the Active Directory module. It is possible to add this command to your Windows PowerShell profile, and it might even make sense if you routinely work with AD. A recent series of Hey, Scripting Guy! Blog posts talks about the Windows PowerShell profile, and will assist you in deciding what to add and what to leave out. The Import-Module cmdlet is used to import the AD module.

Import-Module ac*

After the AD module has been imported, the Set-ADAccountPassword cmdlet can be used to reset the password. You do not have to use the complete distinguished name for the user. To reset the password use the –reset switch. Interestingly enough, even though the help files state that not including the old password with the new one will force the user to change the password on logon, in my testing this was not the case. In addition, if you leave out the new password parameter, the cmdlet prompts for it. The basic command is shown here:

Set-ADAccountPassword -Identity bob -Reset

The output from the Set-ADAccountPassword command is shown here.

Image of output from Set-ADAccountPassword command