
Reset User Password in Active Directory & Change AD Credentials

Published by siddharth
Approved by Anuraag Singh
Published on August 30th, 2024
Category: Active Directory

Admins may not know how to reset a user password in Active Directory after an unexpected incident. Here is a list of some of the most commonly reported cases that force organizations to update the passwords of their users.

A user forgets the password and the account gets locked. This is a common user-level mistake, so while admins are unlocking AD accounts with PowerShell they also have to set a new password.

Other than that, if admins find that users have an insecure and easy-to-guess password that violates compliance, a password reset is called for.

If admins find inactive computers in Active Directory, they have to relocate the users’ accounts. During this, a password reset is part of the protocol. Likewise, a role change, a return from a long leave, or a request from the user’s side can all be responsible for this task.

No matter what your scenario is, the methods outlined here are more than enough to change the login credentials. Without further ado, let us begin with the script-based methods.

How to Reset User Password in Active Directory Via PowerShell Scripts?

PowerShell scripts are perhaps the most robust method of performing password updates. Start by forming a list of all users whose password reset is due.

The list should be in CSV format so that PowerShell commands can read and use it easily. The script below reads the DistinguishedName column from it.

  • Open a new Windows PowerShell ISE window.
  • Paste and save the following script to reset user passwords in Active Directory.
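# Requires the ActiveDirectory module (RSAT) and rights to reset passwords.
Import-Module ActiveDirectory

# Reset every account listed in the CSV. The CSV must contain a DistinguishedName column.
# Note: this assigns the same placeholder password to every listed account.
$newPassword = ConvertTo-SecureString -String "*New-User-Password*" -AsPlainText -Force
Import-Csv -Path "C:\Users\Administrator\Desktop\change-user-password.csv" |
ForEach-Object {
    Set-ADAccountPassword -Identity $_.DistinguishedName -Reset -NewPassword $newPassword
}

# Define the time period for recent password changes
$days = 1
$date = (Get-Date).AddDays(-$days)

# Get all users whose pwdLastSet is newer than $date to confirm the resets
Get-ADUser -Filter * -Properties pwdLastSet |
Where-Object { [DateTime]::FromFileTime($_.pwdLastSet) -gt $date } |
Select-Object Name, @{Name="Last Password Set";Expression={[DateTime]::FromFileTime($_.pwdLastSet)}} |
Sort-Object Name |
Format-Table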
  • Finally, tap the run button.

You can make custom changes to the script so that it sets a new unique password for each user.
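
One way to make that change, as an added example that is not part of the original article: each account gets its own random temporary password and must replace it at next logon. `Get-SecureIndex` and `New-RandomPassword` are hypothetical helper names; the CSV path and `DistinguishedName` column are the ones the script above uses.

```powershell
# Added example (not from the original article). Assumes the same CSV as above.
Import-Module ActiveDirectory
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Hypothetical helper: uniform random index in 0..Max-1 (Max <= 256) from the OS CSPRNG.
function Get-SecureIndex {
    param([int]$Max)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Max)          # reject bytes that would cause modulo bias
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

# Hypothetical helper: password with at least one character from each class.
function New-RandomPassword {
    param([int]$Length = 16)
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%*+-=?@_'
    $all     = -join $classes
    $chars   = @(foreach ($c in $classes) { $c[(Get-SecureIndex $c.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-SecureIndex $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return (-join $chars)
}

$results = Import-Csv -Path 'C:\Users\Administrator\Desktop\change-user-password.csv' |
ForEach-Object {
    $dn     = $_.DistinguishedName       # capture now: $_ is the error record inside catch
    $plain  = New-RandomPassword -Length 16
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $row    = [pscustomobject]@{ DistinguishedName = $dn; TempPassword = $null; Status = 'Failed' }
    try {
        Set-ADAccountPassword -Identity $dn -Reset -NewPassword $secure -ErrorAction Stop
        $row.TempPassword = $plain
        $row.Status       = 'Reset, change at logon not set'
        # Force the user to replace the temporary password at next logon.
        Set-ADUser -Identity $dn -ChangePasswordAtLogon $true -ErrorAction Stop
        $row.Status       = 'Reset, must change at logon'
    } catch {
        $row.Status += " ($($_.Exception.Message))"
    }
    $row
}

# Show status only; deliver $results.TempPassword over a trusted channel, not a shared file.
$results | Format-Table DistinguishedName, Status -AutoSize
```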

Although the script displays the password changes, we would suggest using the SysTools Active Directory Reporting Software, as it offers a more intuitive way to look at the changes. Moreover, admins can export their findings with this utility in CSV format.

A simpler command-line method is also available, so if you want, check out the next section.

Command Line Query to Change Password in AD

There are two distinct command-line queries available for you.

First, we have:

dsmod user "CN=<UserName>,CN=<ContainerName>,DC=<DomainName>,DC=<TopLevelDomain>" -pwd <NewPassword> -mustchpwd yes

Note: The “mustchpwd” parameter is optional. Use it when you want the user to set a new password the next time they log in on their end.

Replace the placeholders with your AD details.

An alternative way to reset user passwords in Active Directory is:

net user <username> <newpassword> /DOMAIN

Replace the username and new password variables.

There are some differences between the two:

| Feature          | net user                       | dsmod user                              |
|------------------|--------------------------------|-----------------------------------------|
| Scope            | Local and domain user accounts | Active Directory user accounts          |
| Functionality    | Basic user management          | Advanced user management                |
| Typical Use Case | Quick password changes         | Detailed AD user property modifications |
| Complexity       | Simpler to use                 | Requires knowledge of DN and AD structure |

PowerShell and Command Line are not the only ways to change passwords; you can use the traditional ADUC snap-in to perform the reset.

How to Reset AD User Password Using ADUC

  • Search for Active Directory Users and Computers.
  • Navigate to the container with the user.
  • Right-click the user and select the Reset Password… option.
  • Type a new password and confirm the reset by hitting the OK button.
  • A notification box should inform you about the change.

You can also find the same settings under the Action tab on the main menu. Other than ADUC, there is one more GUI-based password resetting technique available to the admin.

Conduct Active Directory Password Change Process with ADAC

  • Launch Active Directory Admin Center.
  • Go to the Users section.
  • Scroll to find and select the user whose AD password needs to be reset.
  • Choose the Reset Password option from the right-side pane.
  • Fill in the credentials in the pop-up window and hit OK.

However, admins may need another method for a bulk password change. This is because, unlike the technique used to disable multiple users in Active Directory, the reset password option vanishes from the menu if you select more than one user. So it’s better to rely on the PowerShell method described earlier.

Best Practices to Change Password in AD

These are the industry standards for updating or resetting passwords. Your organization may have other guidelines, so follow them whenever there is a conflict.

  • Prepare a list of users whose passwords must be reset with the help of the easy-to-use SysTools Active Directory Reporting Software.

    • Launch > Register > Validate and Download the user CSV list with this tool.
  • Administrators should ensure that the passwords maintain a basic security threshold. This is to be done after you reset user passwords in Active Directory. Keep in mind that every password on the network should be different. Users should not share passwords and should avoid simple, easy-to-guess phrases as credentials.
  • The password update policy should be automated to trigger at regular intervals. Keep space between two consecutive password changes. Otherwise, users may face lockout issues.
  • A password is considered strong if it has a healthy combination of lowercase letters, capital letters, numbers, and special characters. Therefore, ask users to use all of these and maintain a password that is 8–16 characters long.

Conclusion

In this tutorial, we gave admins all the methods to reset a user password in an Active Directory environment. Our discussion covered PowerShell scripts for bulk updates and command-line queries for quick changes. Moreover, those uncomfortable with code can rely on the traditional GUI methods, ADAC and ADUC. After using any of these methods, admins must verify whether the change was successful. For that, they can rely on the professional utility mentioned alongside.

Frequently Asked Questions on AD Password Reset

Q. Can I as a user reset my Active Directory password?

A. There is no direct answer, as the password reset policy varies from organization to organization. Some companies allow a self-service credential reset, whereas in other organizations the IT admin reserves the sole right to reset passwords.

Q. How long does a bulk password update take in an AD?

A. Depending on the number of users and the method used, the overall time can vary drastically. However, one thing is for sure: the PowerShell method is the fastest way. Admins can only reset all user passwords in Active Directory at once if they have a premade list of user accounts whose passwords are past expiry or near the expiry date. For that, the best way is to use the automated utility.

Q. When is the best time to reset the AD password?

A. After a merger or acquisition brings in new users, the admin might trigger an organization-wide password reset. Other than that, it is also among the most critical steps in case of a security breach. And sometimes organizations do this simply as a matter of policy.

 
