Over the last two articles we’ve been looking at ways to reset user passwords with PowerShell and the Active Directory module. I’ve demonstrated a number of techniques and let me wrap up today with a few more. I assume that ultimately you will put together a PowerShell tool that meets your business requirements. If you’ve missed my previous articles, take a few minutes to get caught up.

Limit the scope

Up until now, whenever I have searched for an AD user account, I have been searching the entire domain. But perhaps you want to limit the search to a particular organizational unit (OU). The Get-ADUser cmdlet has a parameter called -SearchBase that does just that. All you need to do is specify the distinguished name of the OU.

PS C:\> get-aduser -filter "enabled -eq 'true'" -SearchBase "OU=Sales and Marketing,OU=Departments,OU=Employees,DC=Globomantics,DC=local"

This command will return all enabled user accounts in the Sales and Marketing OU, including all child OUs. Here’s how we can use this.
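As an added example (not the article's own code), the function below wraps the same Get-ADUser call and makes the scope explicit: -SearchScope Subtree is the default and includes child OUs, while OneLevel returns only accounts directly in the named OU. It also checks that the OU distinguished name actually resolves, so a mistyped DN fails loudly instead of silently returning nothing. The OU value is the one from the article and is assumed, not verified against a real domain.

```powershell
#requires -version 3.0
#requires -Modules ActiveDirectory

function Get-ScopedUser {
    <#
    .SYNOPSIS
    Return enabled user accounts from one OU, with explicit control over
    whether child OUs are included. (Added example; not from the article.)
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase,

        # Subtree (the Get-ADUser default) includes child OUs; OneLevel does not.
        [ValidateSet('OneLevel', 'Subtree')]
        [string]$SearchScope = 'Subtree'
    )

    # Fail early with a clear message if the OU DN is mistyped, rather than
    # letting Get-ADUser quietly return an empty result.
    try {
        $null = Get-ADOrganizationalUnit -Identity $SearchBase -ErrorAction Stop
    }
    catch {
        throw "OU '$SearchBase' was not found: $($_.Exception.Message)"
    }

    Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $SearchBase -SearchScope $SearchScope |
        Select-Object Name, SamAccountName, DistinguishedName
}

# Usage (OU taken from the article; assumed, not a verified DN):
$OU = "OU=Sales and Marketing,OU=Departments,OU=Employees,DC=Globomantics,DC=local"
Get-ScopedUser -SearchBase $OU -SearchScope OneLevel
```

Passing OneLevel is the quickest way to confirm whether a delegated operator is meant to see accounts in nested OUs or only the top-level container.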

An informal object picker

PowerShell 3 brought a neat change to Out-GridView that allows you to select one or more objects and pass them to the pipeline. When I run code like this:

$OU="OU=Sales and Marketing,OU=Departments,OU=Employees,DC=Globomantics,DC=local"
$user = Get-ADUser -filter "enabled -eq 'true'" -SearchBase $OU -Properties * |
Select Name,SamAccountname,Surname,DistinguishedName,Department | 
Out-GridView -title "Select a user account or cancel" -OutputMode Single

I get a graphical grid display like this:

Graphical grid

I selected a few properties that I thought would make it easier to find the user account. I added a title and also told Out-Gridview to only allow selecting a single account. All the user of your script has to do is find the account and click OK. The object will be written back to the pipeline.

Using some of my previous code, I can tweak my parameter hash table.

$paramHash = @{
    Identity = $User.SamAccountname
    NewPassword = $NewPassword
    Reset = $True
    Passthru = $True
    ErrorAction = "Stop"
}

Everything else is the same.

Putting it all together

Here’s the final script that uses the Out-Gridview picker and the VBScript message boxes from last time.

#requires -version 3.0

$OU="OU=Sales and Marketing,OU=Departments,OU=Employees,DC=Globomantics,DC=local"

#get all enabled user accounts in the OU and let the operator pick one
$user = Get-ADUser -filter "enabled -eq 'true'" -SearchBase $OU -Properties * |
Select Name,SamAccountname,Surname,DistinguishedName,Department |
Out-GridView -title "Select a user account or cancel" -OutputMode Single

if ($user) {

    #prompt for the new password
    $Title = "Reset Password"
    $Default = $null

    Add-Type -AssemblyName "microsoft.visualbasic" -ErrorAction Stop
    $prompt = "Enter the user's new password"
    $Plaintext = [microsoft.visualbasic.interaction]::InputBox($Prompt,$Title,$Default)

    #only continue if there is text for the password
    if ($plaintext -match "^\w") {
        #convert to secure string
        $NewPassword = ConvertTo-SecureString -String $Plaintext -AsPlainText -Force

        #define a hash table of parameter values to splat to Set-ADAccountPassword
        $paramHash = @{
            Identity = $User.SamAccountname
            NewPassword = $NewPassword
            Reset = $True
            Passthru = $True
            ErrorAction = "Stop"
        }

        Try {
            $output = Set-ADAccountPassword @paramHash |
            Set-ADUser -ChangePasswordAtLogon $True -PassThru |
            Get-ADuser -Properties PasswordLastSet,PasswordExpired,WhenChanged

            #display user in a message box (Out-String renders the properties
            #retrieved above instead of just the distinguished name)
            $message = $output | Out-String
            $button = "OKOnly"
            $icon = "Information"
            [microsoft.visualbasic.interaction]::Msgbox($message,"$button,$icon",$title) | Out-Null
        }
        Catch {
            #display error in a message box
            $message = "Failed to reset password for $($User.SamAccountname). $($_.Exception.Message)"
            $button = "OKOnly"
            $icon = "Exclamation"
            [microsoft.visualbasic.interaction]::Msgbox($message,"$button,$icon",$title) | Out-Null
        }
    } #if plain text password
} #if a user was selected

This version also includes a quick validation that a password was entered. If the plain text does not start with a word character the script will exit. You could modify this to add your own validation based on your password requirements. With this script, the only command line experience is to launch the script. Everything else will be graphical.
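The script above only checks that something was typed. As an added example (not the article's or the author's code), the function below checks a candidate password against the domain's default password policy, as returned by Get-ADDefaultDomainPasswordPolicy, before anything is sent to Set-ADAccountPassword. The complexity test is an approximation of the built-in Windows rule (three of four character classes); the real rule also rejects passwords containing parts of the account name, which this example does not check. The usage section also swaps the VisualBasic InputBox, which echoes the typed password on screen, for Read-Host -AsSecureString, which masks it; the plain-text copy exists only for the length of the check.

```powershell
#requires -version 3.0
#requires -Modules ActiveDirectory

function Test-PasswordAgainstPolicy {
    <#
    .SYNOPSIS
    Check a candidate password against an AD password policy object before
    it is sent to Set-ADAccountPassword. (Added example; not from the article.)
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)]
        [string]$Plaintext,

        # Pass the policy object in so the check can be reused or tested
        # without a domain connection (any object with MinPasswordLength
        # and ComplexityEnabled works).
        [Parameter(Mandatory)]
        $Policy
    )

    $problems = @()
    if ($Plaintext.Length -lt $Policy.MinPasswordLength) {
        $problems += "shorter than $($Policy.MinPasswordLength) characters"
    }
    if ($Policy.ComplexityEnabled) {
        # Approximation of the Windows complexity rule: at least 3 of 4 classes.
        $classes = 0
        if ($Plaintext -cmatch '[A-Z]')        { $classes++ }
        if ($Plaintext -cmatch '[a-z]')        { $classes++ }
        if ($Plaintext -match  '\d')           { $classes++ }
        if ($Plaintext -match  '[^A-Za-z0-9]') { $classes++ }
        if ($classes -lt 3) { $problems += "fewer than 3 of 4 character classes" }
    }
    if ($problems) {
        Write-Warning ("Password rejected: " + ($problems -join '; '))
        return $false
    }
    $true
}

# Usage: a masked prompt instead of the InputBox, so the password is not echoed.
$secure = Read-Host -Prompt "Enter the user's new password" -AsSecureString

# Decrypt only long enough to run the policy check, then zero the buffer.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Get-ADUserResultantPasswordPolicy -Identity <user> would give the
# fine-grained policy for one account; the domain default is used here.
$policy = Get-ADDefaultDomainPasswordPolicy
$ok = Test-PasswordAgainstPolicy -Plaintext $plain -Policy $policy
Remove-Variable plain

if ($ok) {
    # $secure can be passed directly as -NewPassword to Set-ADAccountPassword;
    # no ConvertTo-SecureString step is needed.
    Write-Verbose "Password meets policy; proceed with Set-ADAccountPassword" -Verbose
}
```

Rejecting the password locally gives the operator a readable reason; leaving it to the domain controller produces a generic "password does not meet the length, complexity, or history requirements" error after the attempt has already been logged.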

A variation

One final variation is that perhaps you are delegating this task at the group level. That is to say, you want to limit the listed users to members of a specific group. The account running your script would still need permission to change the password of every member of the group. Here's a one-line solution:

Get-ADGroupMember -identity "chicago engineering" |
Out-GridView -Title "Select a user or cancel" -OutputMode Single |
Set-ADAccountPassword -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $true -PassThru

You would still get the grid view to select a user who belongs to the Chicago Engineering group. If you don’t specify a password you will be prompted. Here’s what it looks like:


You could stick this one-line into a script and you have an instant and targeted Active Directory tool that took very little time to develop.
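Two things the one-liner does not handle: Get-ADGroupMember can return group and computer objects as well as users (Set-ADAccountPassword would fail on those), and nothing records who reset whose password. As an added example that is not the article's code, the functions below flatten nested membership with -Recursive, keep only user objects before they reach the picker, support -WhatIf, and append one line to a log file after each reset. The log path is an assumed location; the group name is the one from the article.

```powershell
#requires -version 3.0
#requires -Modules ActiveDirectory

function Select-GroupUser {
    <#
    .SYNOPSIS
    Show the user members of one group in Out-GridView and return the chosen
    account. Nested groups are flattened; non-user objects are excluded.
    (Added example; not from the article.)
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Group
    )

    # -Recursive expands nested groups. Filter on objectClass so that groups
    # and computers never reach the picker (and never reach Set-ADAccountPassword).
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Department |
        Select-Object Name, SamAccountName, Department, DistinguishedName |
        Out-GridView -Title "Select a member of '$Group' or cancel" -OutputMode Single
}

function Reset-SelectedUserPassword {
    <#
    .SYNOPSIS
    Pick a user from a group, reset the password, and record the action.
    (Added example; not from the article.)
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Group,

        # Assumed log location; point this at a share the helpdesk cannot edit.
        [string]$LogPath = "$env:TEMP\password-resets.log"
    )

    $user = Select-GroupUser -Group $Group
    if (-not $user) {
        Write-Verbose "No user selected; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Reset password")) {
        # Omitting -NewPassword makes Set-ADAccountPassword prompt, as in the article.
        $result = Set-ADAccountPassword -Identity $user.SamAccountName -Reset -PassThru |
            Set-ADUser -ChangePasswordAtLogon $true -PassThru |
            Get-ADUser -Properties PasswordLastSet

        # One audit line: when, which operator, which account.
        $operator = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        $line = "{0:u} {1} reset password for {2} (PasswordLastSet={3})" -f `
            (Get-Date), $operator, $user.SamAccountName, $result.PasswordLastSet
        Add-Content -Path $LogPath -Value $line

        $result
    }
}

# Usage (group name from the article); add -WhatIf to rehearse without changes:
Reset-SelectedUserPassword -Group "chicago engineering" -Verbose
```

The local log line is a convenience for the operator; the authoritative record remains the domain controller's security log, where the reset appears as a password-reset event on the target account.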

Summary

You should now have a number of ideas and techniques for handling password resets using PowerShell. Ultimately what you assemble will depend on who is running your tool, and the scope of their management duties. If this entire scripting thing still has you a little puzzled, then I recommend grabbing a copy of Learn PowerShell Toolmaking in a Month of Lunches.

1 Comment

1. Guigan, 8 years ago

    Yes, PowerShell is great. Use it to get the information that is wanted, then fall back on the old cmd commands: net user /domain

© 4sysops 2006 - 2022