When you work in a company and one of your responsibilities is user support, some of the requests you receive from your users are <<I forgot my password>>, <<I'm locked out>> and <<I forgot to change my password>>.
The most common way to resolve this is to log in to the Domain Controller and reset or change the user's password from Active Directory.
However, today I would like to explain how you can change a user password with PowerShell.
If you don't use PowerShell very often, it's faster and easier than you think.
Prerequisites
Before we start to play with the PowerShell commands, let's see what we need.
- You must be a member of Domain Admins, or use an Administrator account that has permission to reset the users' passwords
- A domain-joined Windows machine that includes the Active Directory PowerShell module
Let's see the difference between changing a password and resetting a password.
The change password permission requires that the person who changes the password knows the user's current password. The reset password permission doesn't require knowing the user's current password.
So when you grant permissions to other administrators, you should be very careful.
How to change a user password with PowerShell
When you need to change a user password with PowerShell, you can do it with the following commands.
The command will ask for the current password and then request that you type a new password.
Another command that you can use is the following
# Change: the current password is supplied as -OldPassword, the new one as -NewPassword
Set-ADAccountPassword -Identity user1 -OldPassword (ConvertTo-SecureString -AsPlainText "Myp@ss!!1" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "Myp@ssw2" -Force)
How to reset the user password with PowerShell
If a user has forgotten his password, it is easier to reset the user password from PowerShell.
The following command will reset the user password.
# Reset: -Reset uses the reset password permission, so the current password is not needed (without it the cmdlet prompts for the current password)
Set-ADAccountPassword -Identity user1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Myt@st!2024" -Force)
How to verify that you have change the user password with PowerShell
If you have changed a user password with PowerShell, you can ask the user to log in with the new password and verify that everything is ok.
However, sometimes you need proof that the user password has been changed or reset.
In this case you can use the following command to list the date/time when the user password was changed. I used select name,pass* to list only the relevant properties.
Get-ADUser -Identity user1 -Properties * | select name,pass*
In other cases you can use the following command to find out exactly which properties you need, and then use select with the relevant ones.
Get-ADUser -Identity user1 -Properties *
How to prompt a user to change the password at the Next Login
The following command will prompt for the password interactively: the user types the old password and then gives the new one.
This specific command is more useful inside a script. It's very rare to use it when you need to change a user password, because you must know the user's current password before you can replace it with a new one.
Set-ADAccountPassword -Identity user1
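As an added example that is not part of the original article, the following function ties the reset, the "change at next logon" flag and the verification step together. It reads the new password with Read-Host -AsSecureString instead of putting it in plain text on the command line (where it would stay in the console history), and it captures PasswordLastSet as the proof for the ticket. The function name, the -Unlock switch and the user name user1 are assumptions for illustration.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module is installed and the caller holds the reset password permission.
Import-Module ActiveDirectory

function Reset-UserPasswordSafely {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # sAMAccountName, DN or SID
        [switch] $Unlock                             # also clear an "I'm locked out" state
    )

    # Read-Host -AsSecureString keeps the new password out of the command line,
    # the console history and any transcript, unlike ConvertTo-SecureString -AsPlainText.
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $Identity"

    # -Reset exercises the reset password permission; no current password is required.
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword

    # Capture the proof right away: PasswordLastSet now holds the time of the reset.
    $resetTime = (Get-ADUser -Identity $Identity -Properties PasswordLastSet).PasswordLastSet

    # The help-desk password is temporary: make the user choose their own at next logon.
    # Note: this sets pwdLastSet to 0, so PasswordLastSet reads as empty from now on,
    # which is why the value was read before this line.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

    if ($Unlock) {
        Unlock-ADAccount -Identity $Identity
    }

    # Final state of the account, plus the captured reset time, for the ticket record.
    $user = Get-ADUser -Identity $Identity -Properties PasswordExpired, LockedOut
    [pscustomobject]@{
        Name                  = $user.Name
        PasswordResetAt       = $resetTime
        MustChangeAtNextLogon = $user.PasswordExpired   # True once the flag is set
        LockedOut             = $user.LockedOut
    }
}

# Usage (user1 is an assumed account name):
Reset-UserPasswordSafely -Identity user1 -Unlock
```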
How to get a list of users with the password expiration date
Sometimes it's helpful to have a list of users with their password expiration dates. Other times it might be a requirement to know when users' passwords will expire.
Years ago I published an article with a script that retrieves a list of users with their password expiration dates.
You can find the article Find when user password expired with Powershell | Askme4Tech if you need more details.
However, I would like to share only the script here, to give an idea of how we can do it.
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
In the example above we use the user properties DisplayName and msDS-UserPasswordExpiryTimeComputed. But if you try to run the command without the Select-Object after the pipeline (|), you will get a raw number in the property msDS-UserPasswordExpiryTimeComputed, as shown in the image.
So we need Select-Object to convert the property msDS-UserPasswordExpiryTimeComputed into a readable date/time value.
PowerShell commands related to user management give you an easier and faster way to respond when a user needs a password change because he/she forgot it or it expired.
If you like the shell, you can do almost everything related to user management in Active Directory from PowerShell.
Have a nice weekend!!