Need to reset users’ Active Directory passwords? Here are several ways to do it

There are many reasons why admins must reset Active Directory passwords for user accounts, and there are several ways to do it. You can use the Active Directory Users and Computers MMC, the DSMOD command-line tool, ADSI programming, or PowerShell cmdlets. Third-party Active Directory management tools also cover tasks such as resetting users’ passwords. Built-in and third-party tools can reset the password of a single user account, but to reset passwords for multiple user accounts you need either a script or a tool that lets you select all the users and then set the password. In this article, we explain the various ways to reset user account passwords.

Permissions to reset Active Directory passwords

Before you can perform the password reset operation, note that you must have sufficient permissions in Active Directory. A normal user account cannot reset the passwords of other user accounts. At a minimum, you must be a member of the Account Operators security group in the Active Directory domain.

Resetting passwords using Active Directory Users and Computers MMC

If you wish to reset the password of a user account from Active Directory Users and Computers MMC, follow the steps below:

  • Log on to a computer using a domain user account that is a member of the Account Operators security group.
  • Open Active Directory Users and Computers.
  • Find the user account whose password you want to reset.
  • In the right pane, right-click the user account and then click the “Reset Password” action.
  • Type and confirm the new password.

If you want the user to change the password at the next logon, select the “User Must Change Password at Next Logon” option.

Problem: In Active Directory Users and Computers MMC, you can select multiple user accounts and then set a common password for the selected users. The limitation of this approach is that you can only select users in a single organizational unit, and only a common password can be set for them. If you need to set a unique password for each of multiple user accounts, you must use the PowerShell approach. PowerShell provides better control and lets you set a unique password for each user from a CSV file.

Resetting passwords using Dsmod command line

The Dsmod command-line tool has been in use for quite some time. Dsmod stands for Directory Service Modification. The tool was designed when Microsoft was in the process of developing PowerShell cmdlets to be used with most of the Windows Server roles and features, including Active Directory. Although Dsmod is no longer used by Active Directory administrators because PowerShell provides greater flexibility than the older tools, Dsmod does quite a nice job of modifying user account properties, including resetting a password. To reset the password of a user account using Dsmod, execute this command:

DSMOD User <DistinguishedName Of The User> -PWD <NewPassword> -MustChPWD Yes

As you can see in the above command, the “Dsmod User” context can be used to reset the password of an Active Directory user account. However, the problem with Dsmod is that you must provide the distinguished name of the user account whose password you want to reset. In other words, Dsmod doesn’t accept the SamAccountName of a user account.

Resetting passwords using PowerShell cmdlets

The preferred method to reset the password of single or multiple user accounts has always been PowerShell. You can use the Set-ADAccountPassword PowerShell cmdlet to perform password reset operations for single or multiple users. Note that the Set-ADAccountPassword cmdlet provides the “-Identity” parameter, which accepts the SamAccountName of a user account as well as the distinguished name and the user object GUID. This is the major advantage over the Dsmod command-line tool. To reset the password for a single user account, execute the PowerShell command below:

Set-ADAccountPassword -Identity "CN=JohnThomas,OU=Production Users,DC=TechGenix,DC=Com" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)

The above command resets the password of a user account specified in the distinguished name format. If you wish to use SamAccountName of the user in the Set-ADAccountPassword cmdlet, use the PowerShell command below:

Set-ADAccountPassword -Identity JohnThomas -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)

Both PowerShell commands above work on a single user account only. To reset the password for more than one user account, use a CSV file that lists the user accounts whose passwords you want to reset, and add a ForEach loop. For example, the PowerShell script below sets the unique password specified in the CSV file for each user.


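# Import-Csv reads the rows; the header must name the columns SamAccountName and Password
$UserFile = Import-Csv "C:\Temp\UserWithPass.CSV"
Foreach ($AllItems in $UserFile)
{
    $SamAccountName = $AllItems.SamAccountName
    $ThisPassword = $AllItems.Password
    # -Reset sets the new password without needing the old one
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$ThisPassword" -Force)
}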


The above script assumes that a CSV file named “UserWithPass.CSV” exists under C:\Temp and that its header row names two columns, SamAccountName and Password, holding each user’s account name and new password. The script reads each username and password from the CSV file and then resets the password using the Set-ADAccountPassword cmdlet.
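A more defensive version of the same CSV-driven reset, as an added example that is not the article's script: it checks the header row, skips rows with a blank SamAccountName or Password (a blank cell makes ConvertTo-SecureString reject the empty string), forces a change at next logon, and reports the result per user. The report layout and variable names are assumptions; the CSV path is the one used above.

```powershell
# Added example, not the article's script. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\UserWithPass.CSV'   # path used in the article
$rows = @(Import-Csv -Path $csvPath)

# Fail early if the file is empty or the header lacks the two columns the loop reads.
$missing = @('SamAccountName', 'Password') |
    Where-Object { $rows.Count -eq 0 -or $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is empty or lacks column(s): $($missing -join ', ')" }

$report = foreach ($row in $rows) {
    $sam   = "$($row.SamAccountName)".Trim()
    $plain = "$($row.Password)"
    # Skip incomplete rows instead of letting ConvertTo-SecureString throw.
    if (-not $sam -or -not $plain) {
        [pscustomobject]@{ User = $sam; Result = 'Skipped: blank SamAccountName or Password' }
        continue
    }
    try {
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure -ErrorAction Stop
        # Whoever wrote the CSV knows this password, so make the user replace it.
        Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $sam; Result = 'Reset' }
    } catch {
        [pscustomobject]@{ User = $sam; Result = "Failed: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize

# The file holds cleartext passwords; remove it once the run has been reviewed.
Remove-Item -Path $csvPath -Confirm
```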

Using third-party management tools

There are third-party management tools that also offer ways to reset Active Directory passwords. Some tools can also be used to reset Active Directory passwords for multiple users from different organizational units.

Tip: The Set-ADAccountPassword cmdlet can also target a production organizational unit where users are located, but to ensure that each user gets a unique password, the script must include logic that generates a unique password for each user it processes.

While you can use Active Directory Users and Computers MMC to reset Active Directory passwords, using the PowerShell method provides greater flexibility and also helps in resetting a unique password for each user specified in a CSV file.

10 thoughts on “Need to reset users’ Active Directory passwords? Here are several ways to do it”

  1. It is missing an import-csv for the CSV file.

    $UserFile = “C:\Temp\UserWithPass.CSV” should be $UserFile = import-csv “C:\Temp\UserWithPass.CSV”

  2. Ok, I remember that resetting a user’s password in ADUC would bring up a warning dialog… something about potential EFS issues, or something. I never used EFS so I never paid attention. I never see that dialog box anymore, does anyone remember it?

    1. Dan Dan, yes I remember. This has been replaced by BitLocker, I believe. When encrypting, you should back up the key. If connected to AD, it may be stored centrally.

  3. Resetting the password asks for a re-login to reflect the change. This causes a problem if other applications are running on the server. Is there any alternative way to avoid the re-login?

  4. I am running your script but getting an error as follows. What am I doing wrong?

    The script:
    $UserFile = import-csv “C:\Temp\UserWithPass.CSV”
    Foreach ($AllItems in $UserFile)
    {
    $SamAccountName = $AllItems.SamAccountName
    $ThisPassword = $AllItems.Password
    Set-ADAccountPassword –Identity $SamAccountName –Reset –NewPassword (ConvertTo-SecureString -AsPlainText “$ThisPassword” -Force)
    }

    The error:
    ConvertTo-SecureString : Cannot bind argument to parameter ‘String’ because it is an empty string.
    At C:\temp\Resetbulkpswd.ps1:6 char:92
    + Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString <<<< -AsPlainText "$This
    Password" -Force)
    + CategoryInfo : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.Conv
    ertToSecureStringCommand

  5. hello
    I tried both and got below error
    set-adaccountpassword : The operation returned because the timeout limit was exceeded.
    At line:1 char:1
    + set-adaccountpassword -identity ‘consuelo.robles’ -reset -NewPassword …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationTimeout: (consuelo.robles:ADAccount) [Set-ADAccountPas
    sword], TimeoutException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.TimeoutException,Microsoft.ActiveD
    irectory.Management.Commands.SetADAccountPassword

    any advice?
    thanks

  6. Script is buggy. It gives the error everyone states, but you have not sent a correction. Exactly how should the CSV file be formatted?
