Need to reset users’ Active Directory passwords? Here are several ways to do it

Admins have many reasons to reset Active Directory passwords for user accounts, and there are several ways to do it. You can use the Active Directory Users and Computers MMC, the DSMOD command-line tool, ADSI programming, and PowerShell cmdlets. Third-party Active Directory management tools also cover management tasks that include resetting users’ passwords. You can reset the password of a single user account with built-in and third-party tools, but to reset the password for multiple user accounts you need a script or a tool that lets you select all the users and then set the password. In this article, we will explain various ways to reset user account passwords.

Permissions to reset Active Directory passwords

Before you can perform the password reset operation, note that you must have sufficient permissions in Active Directory. A normal user account cannot reset the passwords of other user accounts. At a minimum, you must be a member of the Account Operators security group in the Active Directory domain.

Resetting passwords using Active Directory Users and Computers MMC

If you wish to reset the password of a user account from Active Directory Users and Computers MMC, follow the steps below:

  • Log on to a computer using a domain user account that is a member of the Account Operators security group.
  • Open Active Directory Users and Computers.
  • Find the user account whose password you want to reset.
  • In the right pane, right-click the user account and then click the “Reset Password” action.
  • Type and confirm the new password.

If you want the user to change the password during the next logon, select the “User Must Change Password at Next Logon” option.

Problem: In Active Directory Users and Computers MMC, you can select multiple user accounts and then set a common password for the selected users. The limitation of this approach is that you can only select users in a single organizational unit, and only a common password can be set for them. If you need to set a unique password for each of multiple user accounts, you will need the PowerShell approach. PowerShell provides better control and lets you set a unique password for each user from a CSV file.

Resetting passwords using Dsmod command line

The Dsmod command-line tool has been in use for quite some time. Dsmod stands for Directory Service Modification. The tool was designed when Microsoft was in the process of developing PowerShell cmdlets to be used with most of the Windows Server roles and features, including Active Directory. Although Dsmod is no longer used by Active Directory administrators because PowerShell provides greater flexibility than the older tools, Dsmod does quite a nice job when it comes to modifying user account properties, including resetting a password. To reset the password of a user account using Dsmod, execute this command:

DSMOD User <DistinguishedName Of The User> -PWD <NewPassword> -MustChPWD Yes

As you can see in the above command, the “Dsmod User” context can be used to reset the password of an Active Directory user account. However, the problem with Dsmod is that you must provide the distinguished name of the user account whose password you want to reset. In other words, Dsmod doesn’t accept the SamAccountName of a user account.

Resetting passwords using PowerShell cmdlets

The preferred method to reset the password of single or multiple user accounts has always been PowerShell. You can use the Set-ADAccountPassword PowerShell cmdlet to perform password reset operations for single or multiple users. The Set-ADAccountPassword cmdlet provides the “-Identity” parameter, which accepts the SamAccountName of a user account as well as the distinguished name and the user object GUID. This is the major advantage over the Dsmod command-line tool. To reset the password for a single user account, execute the PowerShell command below:

Set-ADAccountPassword -Identity "CN=JohnThomas,OU=Production Users,DC=TechGenix,DC=Com" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)

The above command resets the password of a user account specified in the distinguished name format. If you wish to use the SamAccountName of the user with the Set-ADAccountPassword cmdlet, use the PowerShell command below:

Set-ADAccountPassword -Identity JohnThomas -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)

Both PowerShell commands above work on a single user account. To reset the password for more than one user account, use a CSV file that lists the user accounts whose passwords you want to reset and add a ForEach loop. For example, the PowerShell script below sets the unique password specified in the CSV file for each user.


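# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
$UserFile = "C:\Temp\UserWithPass.CSV"
# Import-Csv turns each row into an object with SamAccountName and Password properties
$AllUsers = Import-Csv -Path $UserFile
Foreach ($AllItems in $AllUsers)
{
    $SamAccountName = $AllItems.SamAccountName
    $ThisPassword = $AllItems.Password
    # Set the new password taken from this user's CSV row
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $ThisPassword -Force)
}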


The above script assumes that a CSV file named “UserWithPass” exists under C:\Temp and contains the SamAccountName and the new password of each user, in columns named SamAccountName and Password. The script reads each username and password from the CSV file and then resets the password using the Set-ADAccountPassword cmdlet.

Using third-party management tools

There are third-party management tools that also offer ways to reset Active Directory passwords. Some tools can also be used to reset Active Directory passwords for multiple users from different organizational units.

Tip: The Set-ADAccountPassword cmdlet can also target a production organizational unit where users are located, but to ensure a unique password is set for all users, you will need to include logic in the script that generates a unique password for each user being processed.
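
One way to write the password-generating logic this tip calls for, as an added example that is not part of the original article. The OU is a placeholder built from the article's sample distinguished name, and New-RandomPassword is a hypothetical helper defined in the block.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Placeholder OU built from the article's sample domain; change it for your directory.
$SearchBase = 'OU=Production Users,DC=TechGenix,DC=Com'

# Hypothetical helper: random password with at least one character from each class.
function New-RandomPassword {
    param([int]$Length = 16)
    # Look-alike characters (0/O, 1/l/I) are left out to ease manual entry.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%*+-=?@'
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Uniform index in [0, n) from the CSPRNG; rejection sampling avoids modulo bias.
    $pick = {
        param([int]$n)
        $limit = 256 - (256 % $n)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $buf[0] % $n
    }
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($c in $classes) { $chars.Add($c[(& $pick $c.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $pick $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters are not always in front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $pick ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    -join $chars
}

# Reset every enabled user in the OU; add -WhatIf to both Set-* cmdlets for a dry run.
$results = foreach ($user in (Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase)) {
    $plain = New-RandomPassword -Length 16
    try {
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; Password = $plain; Status = 'Reset' }
    } catch {
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; Password = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}
# $results holds the temporary passwords in clear text; hand them over securely, then clear it.
$results | Format-Table -AutoSize
```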

While you can use Active Directory Users and Computers MMC to reset Active Directory passwords, using the PowerShell method provides greater flexibility and also helps in resetting a unique password for each user specified in a CSV file.


Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.
