Requirements
First off, we’re going to assume that the person running your tool has the necessary credentials to change the user’s password, that they have the Active Directory RSAT module installed on their computer, that their execution policy is set to allow running your script and that they know how to execute a PowerShell script.
I’m also going to assume we’re building a tool to handle a single user at a time based on my code examples from my earlier column.
Console-based script
Here is a very simple script that someone can run.
```powershell
#requires -version 3.0
Param(
    [Parameter(Position=0,Mandatory=$True,
    HelpMessage="What is the user's SAMAccountname?")]
    [string]$Username
)

#prompt for the new password
$NewPassword = $(Read-Host "Enter the user's temporary password" -AsSecureString)

#define a hash table of parameter values to splat to
#Set-ADAccountPassword
$paramHash = @{
    Identity    = $Username
    NewPassword = $NewPassword
    Reset       = $True
    Passthru    = $True
    ErrorAction = "Stop"
}

Try {
    Set-ADAccountPassword @paramHash |
    Set-ADUser -ChangePasswordAtLogon $True -PassThru
}
Catch {
    Write-Warning "Failed to reset password for $Username"
    #show what went wrong
    Write-Warning $_.Exception.Message
}
```
The only parameter is the user's SAMAccountname. If they don't specify it, they will be prompted for it, because I made the parameter mandatory. The user is then prompted for the password, which is read as a secure string so it is never held in plain text by the script.
I'm splatting parameters to Set-ADAccountPassword only because I think it makes the script easier to read. I've also included some error handling so that if the change fails, PowerShell displays a warning that includes the underlying error message. The screenshot shows the script in action.
If the change is successful, the script writes the user account to the pipeline. For those of you with some PowerShell scripting experience you can take this as a starting point and go much further with it.
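As an added example of taking the console script further (this is not code from the original post), here is a version that supports -WhatIf and -Confirm, checks that the account exists before a password is typed, and appends an audit line for every attempt. The log path, its default location and the log format are assumptions for illustration.

```powershell
#requires -version 3.0
#requires -modules ActiveDirectory
<#
 Hypothetical extension of the console script above (added example, not the
 original post's code). It adds: -WhatIf/-Confirm support, a check that the
 account exists before prompting for a password, and an audit line written
 to a log file. The log path default is a made-up value.
#>
[CmdletBinding(SupportsShouldProcess=$True, ConfirmImpact="High")]
Param(
    [Parameter(Position=0, Mandatory=$True,
        HelpMessage="What is the user's SAMAccountname?")]
    [ValidateNotNullOrEmpty()]
    [string]$Username,

    # Assumed location for the audit log; adjust for your environment
    [string]$LogPath = "$env:ProgramData\PasswordResetTool\reset.log"
)

Try {
    # Fail early, and before any password is typed, if the account does not exist
    $user = Get-ADUser -Identity $Username -Properties PasswordLastSet -ErrorAction Stop
}
Catch {
    Write-Warning "Could not find an account for '$Username': $($_.Exception.Message)"
    Return
}

# -WhatIf reports what would happen; ConfirmImpact=High makes -Confirm the default
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Reset password and require change at next logon")) {

    # Read-Host -AsSecureString keeps the password out of the console buffer and history
    $NewPassword = Read-Host "Enter the user's temporary password" -AsSecureString

    $paramHash = @{
        Identity    = $user
        NewPassword = $NewPassword
        Reset       = $True
        PassThru    = $True
        ErrorAction = "Stop"
    }

    $operator = "{0}\{1}" -f $env:USERDOMAIN, $env:USERNAME
    $logDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }

    Try {
        $result = Set-ADAccountPassword @paramHash |
            Set-ADUser -ChangePasswordAtLogon $True -PassThru |
            Get-ADUser -Properties PasswordLastSet, PasswordExpired

        # Record who reset which account and when; the password itself is never logged
        "{0:u} operator={1} target={2} result=success" -f (Get-Date), $operator, $result.SamAccountName |
            Add-Content -Path $LogPath

        # Write the updated account to the pipeline, as the original script does
        $result
    }
    Catch {
        "{0:u} operator={1} target={2} result=failure error={3}" -f (Get-Date), $operator, $Username, $_.Exception.Message |
            Add-Content -Path $LogPath
        Write-Warning "Failed to reset password for $Username"
        Write-Warning $_.Exception.Message
    }
}
```

Because ConfirmImpact is High, the script asks for confirmation by default and shows the target's distinguished name, so a helpdesk operator sees exactly which object is about to change; the log line gives you something to reconcile against the domain controller's own password-reset events later.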
Get graphic
Or perhaps the person running your script is more comfortable with a graphical experience. Without resorting to a full-blown WinForms script, here is a simpler approach using some VBScript-style elements.
```powershell
#requires -version 3.0
Param()

$prompt  = "Enter the user's SAMAccountname"
$Title   = "Reset Password"
$Default = $null

Add-Type -AssemblyName "microsoft.visualbasic" -ErrorAction Stop

#use a VBScript style input box to prompt for the user name
$username = [microsoft.visualbasic.interaction]::InputBox($Prompt,$Title,$Default)

if ($username) {
    #prompt for the new password
    $prompt = "Enter the user's new password"
    $Plaintext = [microsoft.visualbasic.interaction]::InputBox($Prompt,$Title,$Default)

    #convert to secure string
    $NewPassword = ConvertTo-SecureString -String $Plaintext -AsPlainText -Force

    #define a hash table of parameter values to splat to
    #Set-ADAccountPassword
    $paramHash = @{
        Identity    = $Username
        NewPassword = $NewPassword
        Reset       = $True
        Passthru    = $True
        ErrorAction = "Stop"
    }

    Try {
        $output = Set-ADAccountPassword @paramHash |
        Set-ADUser -ChangePasswordAtLogon $True -PassThru |
        Get-ADuser -Properties PasswordLastSet,PasswordExpired,WhenChanged |
        Out-String

        #display user in a message box
        $message = $output
        $button  = "OKOnly"
        $icon    = "Information"
        [microsoft.visualbasic.interaction]::Msgbox($message,"$button,$icon",$title) | Out-Null
    }
    Catch {
        #display error in a message box
        $message = "Failed to reset password for $Username. $($_.Exception.Message)"
        $button  = "OKOnly"
        $icon    = "Exclamation"
        [microsoft.visualbasic.interaction]::Msgbox($message,"$button,$icon",$title) | Out-Null
    }
} #if user specified
```
This version doesn’t take any parameters. When the user starts the script they will be prompted for the user name using an InputBox.
And then for a password.
There is no way to mask the password with this control, so it is visible on screen as it is typed. Masking can be done with a Windows form, which is more complicated than I want to get into here. After the change is made, this version of the script gets the user account, including a few extra properties, and displays the results in another message box.
Any errors are also displayed with a message box.
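Since the InputBox cannot mask input, here is an added example (not the post's own code) of the Windows-form alternative mentioned above: a small WinForms dialog with a password-masked text box whose contents are copied straight into a SecureString. The function name Read-MaskedPassword and the dialog layout are my own; the usage at the end assumes $Username has already been collected the way the script above does.

```powershell
#requires -version 3.0
Add-Type -AssemblyName System.Windows.Forms -ErrorAction Stop
Add-Type -AssemblyName System.Drawing -ErrorAction Stop

# Hypothetical helper (added example, not the post's code): a minimal WinForms
# dialog with a masked TextBox. The typed characters are appended to a
# SecureString and the TextBox is cleared, so the script never keeps the
# password in a plain-text variable the way the InputBox version does.
Function Read-MaskedPassword {
    Param(
        [string]$Prompt = "Enter the user's new password",
        [string]$Title  = "Reset Password"
    )

    $form = New-Object System.Windows.Forms.Form
    $form.Text = $Title
    $form.Size = New-Object System.Drawing.Size(360, 150)
    $form.StartPosition = "CenterScreen"
    $form.FormBorderStyle = "FixedDialog"
    $form.MaximizeBox = $False
    $form.MinimizeBox = $False

    $label = New-Object System.Windows.Forms.Label
    $label.Text = $Prompt
    $label.Location = New-Object System.Drawing.Point(10, 15)
    $label.AutoSize = $True
    $form.Controls.Add($label)

    $textBox = New-Object System.Windows.Forms.TextBox
    $textBox.Location = New-Object System.Drawing.Point(10, 40)
    $textBox.Size = New-Object System.Drawing.Size(320, 20)
    $textBox.UseSystemPasswordChar = $True   # masks input; InputBox has no equivalent
    $form.Controls.Add($textBox)

    $ok = New-Object System.Windows.Forms.Button
    $ok.Text = "OK"
    $ok.Location = New-Object System.Drawing.Point(170, 75)
    $ok.DialogResult = [System.Windows.Forms.DialogResult]::OK
    $form.Controls.Add($ok)
    $form.AcceptButton = $ok

    $cancel = New-Object System.Windows.Forms.Button
    $cancel.Text = "Cancel"
    $cancel.Location = New-Object System.Drawing.Point(255, 75)
    $cancel.DialogResult = [System.Windows.Forms.DialogResult]::Cancel
    $form.Controls.Add($cancel)
    $form.CancelButton = $cancel

    # Put the cursor in the password box as soon as the dialog appears
    $form.Add_Shown({ $textBox.Select() })

    if ($form.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK -or
        $textBox.Text.Length -eq 0) {
        $form.Dispose()
        return $null
    }

    $secure = New-Object System.Security.SecureString
    foreach ($char in $textBox.Text.ToCharArray()) { $secure.AppendChar($char) }
    $secure.MakeReadOnly()
    $textBox.Clear()
    $form.Dispose()
    return $secure
}

# Usage in place of the InputBox/ConvertTo-SecureString pair from the script above;
# $Username is assumed to have been collected already
$NewPassword = Read-MaskedPassword
if ($NewPassword) {
    $paramHash = @{
        Identity    = $Username
        NewPassword = $NewPassword
        Reset       = $True
        PassThru    = $True
        ErrorAction = "Stop"
    }
    Set-ADAccountPassword @paramHash | Set-ADUser -ChangePasswordAtLogon $True -PassThru
}
```

One caveat worth knowing: .NET strings are immutable, so the text the control held still exists in managed memory until it is garbage-collected. The gain over the InputBox version is that nothing is shown on screen and no script variable keeps the plain text around, which is what matters for shoulder-surfing and for transcripts or debugging output.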
Summary
As you can see from the error, my script is searching the entire domain. It also requires the person running the script to know the user’s SAMAccountname. But perhaps you need to limit the scope of your tool or make it even easier to use. I’ll show you that next time.
Great post and a lot of good information that I've used to create a tool in our environment. My next question is, is there any way in PowerShell to create a password expiry notification tool that would be used to notify users that their password expires in X number of days? I'd love to have one that would do 7-day, 2-day, 1-day notifications. I've done some research and testing, but it's not an easy one, that's for sure 🙂
Mike, have a look at this.
Looking for a script similar to this one, but you don't set the password, you simply force a reset. So the user gets prompted for the input of the SAMAccountName, and the end user is notified they have to change their password when they log in the next time.