There are many reasons why admins must reset Active Directory passwords for user accounts, and there are several ways to do this. You can use Active Directory Users and Computers MMC, DSMOD command line tool, ADSI programming, and PowerShell cmdlets. Third-party Active Directory management tools also offer Active Directory management tasks that include resetting user’s passwords. You can perform password reset operation for a single user account by using built-in and third-party tools, but in case you wish to reset the password for multiple user accounts, you will be required to use a scripting approach or use a tool that can help you select all users and then set the password. In this article, we will explain various ways to reset user accounts passwords.
Permissions to reset Active Directory passwords
Before you can perform the password reset operation, it is important to note that you must have sufficient permissions in Active Directory. A normal user account cannot reset passwords of other user accounts. At a minimum, you must be a member of Account Operations security group in the Active Directory domain.
Resetting passwords using Active Directory Users and Computers MMC
If you wish to reset the password of a user account from Active Directory Users and Computers MMC, follow the steps below:
- Log on to a computer using a domain user account who is a member of the Accounts Operators security group.
- Open Active Directory Users and Computers.
- Find the user account whose password you want to reset.
- In the right pane, right click on the user account and then click on the “Reset Password” action.
- You need to type and confirm the password.
In case you want the user to change the password during the next logon, you must select “User Must Change Password at Next Logon” option.
Problem: In Active Directory Users and Computers MMC, you can select multiple user accounts and then set a common password for selected users. One problem with Active Directory Users and Computers MMC approach is that you can only select users in a single organizational unit and only a common password can be set for selected users. In case you need to set a unique password for multiple user accounts, you will be required to use the PowerShell approach. PowerShell provides a better control and helps you set a unique password for each user from a CSV file.
Resetting passwords using Dsmod command line
The Dsmod command line tool has been in use for quite some time. Dsmod stands for Directory Service Modification. The tool was designed when Microsoft was in the process of developing PowerShell cmdlets to be used with most of the Windows Server roles and features, including Active Directory. Although Dsmod is no longer used by Active Directory administrators because PowerShell provides greater flexibility over any other old tools, Dsmod does quite a nice job when it comes to modifying user accounts properties including resetting a password. To reset the password of a user account using Dsmod, execute this command:
DSMOD User <DistinguishedName Of The User> -PWD <NewPassword> -MustChPWD Yes
As you can see in the above command, “Dsmod User” context can be used to reset the password of an Active Directory user account. However, the problem with Dsmod is that you must provide the distinguished name of the user account whose password you want to reset. In other words, Dsmod doesn’t accept SamAccountName of a user account.
Resetting passwords using PowerShell cmdlets
The preferred method to reset the password of single or multiple user accounts has always been PowerShell. You can use Set-ADAccountPassword PowerShell cmdlet to perform password reset operations for single or multiple users. It is important to note that Set-ADAccountPassword cmdlet provides the “-Identity” parameter, which can also accept SamAccountName of a user account apart from accepting distinguished name and user object GUID. This is the major advantage over the Dsmod command line tool. To reset the password for a single user account, execute the PowerShell command below:
Set-ADAccountPassword –Identity “CN=JohnThomas,OU=Production Users,DC=TechGenix,DC=Com” –Reset –NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)
The above command resets the password of a user account specified in the distinguished name format. If you wish to use SamAccountName of the user in the Set-ADAccountPassword cmdlet, use the PowerShell command below:
Set-ADAccountPassword –Identity JohnThomas –Reset –NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)
While both PowerShell commands above can only be used for a single user account, using a CSV file that contains a list of user accounts whose password you want to reset and adding a ForEach loop will help you reset password for more than one user account. For example, the PowerShell script below resets a unique password specified in the CSV file for each user.
$UserFile = "C:\Temp\UserWithPass.CSV"
Foreach ($AllItems in $UserFile)
$SamAccountName = $AllItems.SamAccountName
$ThisPassword = $AllItems.Password
Set-ADAccountPassword –Identity $SamAccountName –Reset –NewPassword (ConvertTo-SecureString -AsPlainText "$ThisPassword" -Force)
The above script assumes that a CSV file by the name “UserWithPass” is created under C:\Temp that contains SamAccountName and New Password of users. The script checks each username and password from the CSV file and then resets using the Set-ADAccountPassword cmdlet.
Using third-party management tools
There are third-party management tools that also offer ways to reset Active Directory passwords. Some tools can also be used to reset Active Directory passwords for multiple users from different organizational units.
Tip: Set-ADAccountPassword cmdlet can also target a production organizational unit where users are located, but to ensure a unique password is set for all users, you will be required to include a logic in the script that can generate a unique password for each user being processed by the script.
While you can use Active Directory Users and Computers MMC to reset Active Directory passwords, using the PowerShell method provides greater flexibility and also helps in resetting a unique password for each user specified in a CSV file.
Photo credit: Shutterstock