I’m going to assume you have at least PowerShell 3.0; otherwise, you will need to make sure you manually import the ActiveDirectory module first. If you don’t have that on your desktop, then download and install the latest Remote Server Administration Tools (RSAT).
The basics
The cmdlet to use is called Set-ADAccountPassword. To use it, all you need to do is specify the account and the new password and that you are resetting it. If you don't use the -Reset option, you have to also specify the user's old password. The only tricky part is that the new password must be specified as a SecureString. You can create it like this:
PS C:\> $newpwd = Read-Host "Enter the new password" -AsSecureString
Enter the new password: ********
Or you can create it without any user intervention:
PS C:\> $newpwd = ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force
You need to use all the parameters. Otherwise, you will still get prompted or get an error.
Do it for one
Armed with the new password, you'll find it is as easy as this to reset a user’s password:
PS C:\> Set-ADAccountPassword jfrost -NewPassword $newpwd -Reset
With this simple command, I've reset the password for user Jack Frost. The command uses my current credentials, but it also supports -Credential if I want to make the change using a different account.
This cmdlet changes only the password. But many organizations also want to force users to change their password at the next logon. I can do that as well by adding another step to my pipelined expression. If you try the command above, you'll notice that nothing is written to the pipeline. This is the default behavior unless you use -PassThru.
When you do that, you get the user object, which is handy because this can be piped to Set-ADuser.
PS C:\> Set-ADAccountPassword jfrost -NewPassword $newpwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True
Unfortunately, at least in my opinion, the -ChangePasswordAtLogon is not a switch, so you have to explicitly specify a Boolean value. But it works!
Figure: User must change password at next logon
Do it for many
The beauty of PowerShell is that if you can do something for one object, such as a user account, you can do it for many. I already have code that works for resetting the password and forcing the user to change a password at the next logon. All I have to do is come up with a PowerShell expression to get the necessary user accounts.
Let’s say I need to force a password reset on all users in the Marketing Department. A command like this will return all of the enabled accounts:
PS C:\> get-aduser -filter "department -eq 'marketing' -AND enabled -eq 'True'"
After verifying the accounts, I can add on the rest of my command:
PS C:\> get-aduser -filter "department -eq 'marketing' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $newpwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True
This command will give all the users the same new password and then force them to change it the next time they log on. If I simply wanted to force them all to change their existing passwords the next time they logged on, I could drop the Set-ADAccountPassword part of my expression:
PS C:\> get-aduser -filter "department -eq 'marketing' -AND enabled -eq 'True'" | Set-ADuser -ChangePasswordAtLogon $True
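One safer variant of the bulk reset above, as an added example that is not from the original article: it gives each Marketing user a distinct random temporary password instead of one shared value, still forces a change at next logon, and reports the per-user outcome. New-RandomPassword is a helper written here, not an AD cmdlet; the example assumes the ActiveDirectory module from RSAT is available.

```powershell
# Added example (not from the original article): per-user random temporary
# passwords for the same Marketing filter used above, plus ChangePasswordAtLogon.

function New-RandomPassword {
    param([int]$Length = 16)
    # Character set without easily confused glyphs; adjust to your domain policy.
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            # Reject bytes above the largest multiple of the set size to avoid modulo bias.
            if ($buf[0] -lt (256 - (256 % $chars.Length))) {
                [void]$sb.Append($chars[$buf[0] % $chars.Length])
            }
        }
        $pw = $sb.ToString()
    # Regenerate until all four character classes are present (typical complexity rule).
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d' -and $pw -match '[^a-zA-Z0-9]')
    $rng.Dispose()
    return $pw
}

# Same filter as the article; review this list before running the reset.
$users = Get-ADUser -Filter "department -eq 'marketing' -AND enabled -eq 'True'"

$results = foreach ($user in $users) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    try {
        # -ErrorAction Stop turns a failed reset (e.g. policy rejection) into a catchable error.
        Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        $status = 'Reset'
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        TemporaryPassword = $plain   # deliver out of band; never write this to a shared log
        Status            = $status
    }
}

$results | Format-Table -AutoSize
```

Append -WhatIf to the two Set-AD* calls for a dry run that shows which accounts would be touched without changing anything.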
I hope you can appreciate how easy this is to accomplish and that there’s no scripting involved at all. But there is a fair amount of typing, so in my next article we’ll look at some ways to package this functionality.