Active Directory Bulk Password Reset using PowerShell

Using the Graphical User Interface (GUI) to reset Active Directory (AD) user passwords is the most common method, as it is convenient and accessible. However, the GUI is not an efficient tool when many user passwords have to be reset at once. Conveniently, PowerShell provides a dedicated cmdlet that we can use to reset passwords in bulk.

With Windows PowerShell, we can quickly reset AD user passwords and even generate complex random passwords automatically. And if needed, we can also create a script that can reset the AD user passwords in bulk.

Active Directory Bulk Password Reset

Prerequisites

To use the cmdlet examples covered in this article, make sure you have the following:

Setting the AD Account Password

Microsoft conveniently provides the Active Directory PowerShell module as part of the Remote Server Administration Tools (RSAT). The Active Directory module includes the cmdlets admins use to manage many aspects of AD, including resetting passwords. The cmdlet responsible for resetting passwords is Set-ADAccountPassword, and we will learn more about it in the following sections.

Resetting a User Password in PowerShell

Before we can reset an AD user’s password, we need two pieces of information: the AD user to reset and the new password to assign. These two values are what we will provide to the Set-ADAccountPassword cmdlet.

Now that we know which cmdlet to use and the minimum required values, we can proceed by following the steps below to reset an AD user’s password. Make sure that before doing the steps, you have the Active Directory module already imported.

    Import-Module ActiveDirectory

Create a Secure String Password Object

Create the secure string representation of the new password by running the command below in PowerShell. The ConvertTo-SecureString cmdlet converts the plain text password into a secure string and saves it to a variable. This step is required because Set-ADAccountPassword only accepts the new password as a SecureString, not as plain text.

    $TempPassword = ConvertTo-SecureString "SecurePass123!" -AsPlainText -Force

The -AsPlainText parameter tells the cmdlet to treat its input as a plain text string and convert it to a secure string. Secure strings help protect sensitive text: the value is encrypted in memory and discarded after use. When you provide plain text as input with this parameter, however, the plain text itself has already been exposed (on the command line and in the console history), so the system cannot protect it. In PowerShell 7, the -Force parameter is no longer required together with -AsPlainText; it is still accepted for compatibility with older PowerShell versions, where omitting it produces a warning.

Note: Ensure that the new password complies with your organization’s AD password policy. Most organizations enforce a minimum length and complexity conditions. If the password requirements are not met, the reset is rejected by the domain controller and the command throws an error.

Reset the AD User's Account

Next, reset the AD user’s account password by running the command below.

    Set-ADAccountPassword -Identity johndoe -NewPassword $TempPassword -Reset

Since the Set-ADAccountPassword command in our example above takes several parameters, let’s discuss each one of them.

  • The -Identity parameter accepts the AD user’s identifier, such as the sAMAccountName, distinguished name, or objectGUID.
  • The -NewPassword parameter accepts the secure password object we created in the previous step.
  • Lastly, the -Reset switch instructs the cmdlet to reset the password rather than change it; without it, the cmdlet prompts for the old password. The -Reset switch is commonly used when the user doesn’t know their old password.

Change the User's Password Upon Next Logon

As a best practice, we can force the user to change the temporary password at their next logon by running the Set-ADUser command below with the -ChangePasswordAtLogon parameter set to the Boolean value $true.

    Set-ADUser -Identity johndoe -ChangePasswordAtLogon $true

Changing Your Credentials

Most organizations require administrators to have two user accounts. One account is a standard day-to-day user, and the other is a user with administrator privileges. Splitting roles this way is expected from a security standpoint and follows the principle of separation of duties.

If your account is set up this way, you don’t have to sign out of your ordinary user account and sign in with your administrator account to reset an AD user’s password.

When running the Set-ADAccountPassword command, we can pass the admin credential using the -Credential parameter, so the command runs in the context of the admin account. To do so, follow the steps outlined below.

Declare a Variable For Your Credentials

First, use the Get-Credential cmdlet to get your admin credential, then perform the command below to save it to a variable.

    $AdminCreds = Get-Credential

Enter Your Credentials When Prompted

Enter your administrator username and password credentials in the prompted request dialog box, then click OK.

Run Our Previous Reset Password Snippet

Finally, run the snippet of code below to reset the AD user’s password. It is the same as the previous syntax above; the only difference is the -Credential parameter, which we need whenever we want to use a different set of credentials when resetting a password.

    $TempPassword = ConvertTo-SecureString "SecurePassword123!" -AsPlainText -Force
    Set-ADAccountPassword -Identity johndoe -NewPassword $TempPassword -Reset -Credential $AdminCreds

Resetting Multiple User Passwords in PowerShell

So far, we have only been resetting single user passwords using the Set-ADAccountPassword cmdlet. But PowerShell allows us to execute bulk operations through scripting, and through scripting we can reset the passwords of multiple users in one go.

Prepare Your List of Users that Need Resetting

Create a new text file with a list of user identities. In my case, the text file is C:\PS\users.txt, and it contains the example user IDs listed below. Of course, you can put as many users as you like in this text file as long as there is just one user per line.

    johndoe
    paulwright
    sheilarowlands

Create the PowerShell File

Next, create a new file called bulk_reset.ps1 in your code editor. We can put this file in any folder we want; in this case, the script will be in C:\PS. Your folder should now look something like the screenshot below.

Formulate the Snippet For Bulk Processing

Open your newly created bulk_reset.ps1 file in a code editor, preferably PowerShell ISE. Paste the snippet of code below to the PowerShell file.

    Import-Module ActiveDirectory

    $users = Get-Content C:\PS\users.txt

    foreach ($user in $users) {

        $Password = -join ((33..126) | Get-Random -Count 5 | ForEach-Object { [char]$_ })

        $NewPwd = ConvertTo-SecureString $Password -AsPlainText -Force

        Set-ADAccountPassword $user -NewPassword $NewPwd -Reset

        Set-ADUser -Identity $user -ChangePasswordAtLogon $true

        Write-Host $user, $Password
    }

We know this is a large code block that new PowerShell users may find hard to read, so let us drill down further.

  • Line 1: Imports the Active Directory module.
  • Line 3: Gets all users listed inside the text file and places them in the variable as an array of strings, one per line. This is equivalent to keying the data into an array manually, as in the snippet below.

    $users = @("johndoe","paulwright","sheilarowlands")

  • Line 5: Processes all users in the list by iterating over them with the foreach loop.
  • Line 7: Generates a random password and stores it in the Password variable. The line picks five random numbers with the Get-Random command from the range 33 to 126, converts each number to its ASCII character, and joins them into a single string with the -join operator.
  • Line 9: Converts the randomly generated password into a secure password object.
  • Line 11: Resets the user account’s password to the newly generated password.
  • Line 13: Sets the user account to require a new password at the next logon.
  • Line 15: Displays the username and the new temporary password.
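The following is an added example, not the article’s own bulk_reset.ps1: a hardened variant of the same script. It generates 16-character passwords from a cryptographic RNG with every character class represented, so they satisfy the default AD complexity rule the note above warns about, records failures per user instead of aborting the batch, and writes the temporary passwords to a file rather than the console. It assumes the same C:\PS\users.txt layout; the output path C:\PS\reset-results.csv is an assumed location.

```powershell
# Added example (not from the original article). Assumes C:\PS\users.txt holds one
# sAMAccountName per line and the caller has password-reset rights in AD.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)
    # Four classes so the result meets the default AD complexity rule; one character
    # from each class is guaranteed, the rest are drawn from the union of all classes.
    $classes = @(
        [char[]](65..90),           # A-Z
        [char[]](97..122),          # a-z
        [char[]](48..57),           # 0-9
        [char[]]'!@#$%^&*()-_=+'    # symbols
    )
    $all = $classes | ForEach-Object { $_ }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $pick = { param($set) $rng.GetBytes($buf); $set[[int]([BitConverter]::ToUInt32($buf, 0) % $set.Count)] }
    $chars = @(foreach ($c in $classes) { & $pick $c })
    $chars += @(1..($Length - $classes.Count) | ForEach-Object { & $pick $all })
    # Shuffle so the guaranteed class characters are not always the first four
    -join ($chars | Get-Random -Count $chars.Count)
}

# Skip blank lines and stray whitespace in the user list
$users = Get-Content C:\PS\users.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = foreach ($user in $users) {
    $plain = New-RandomPassword
    try {
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $user; Status = 'Reset'; TempPassword = $plain }
    } catch {
        # Record the failure (unknown account, policy rejection) and continue with the batch
        [pscustomobject]@{ User = $user; Status = "Failed: $($_.Exception.Message)"; TempPassword = $null }
    }
}

# Temporary passwords are sensitive: keep them in an ACL-protected file, not on screen,
# and delete the file once they have been handed out through a secure channel.
$results | Export-Csv -Path C:\PS\reset-results.csv -NoTypeInformation
$results | Select-Object User, Status | Format-Table -AutoSize
```

Only the user and status columns are shown on screen; the CSV is the single copy of the temporary passwords and should be removed after distribution.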

Run the PowerShell Script

Finally, execute the script by running its full path in PowerShell, as we can see below.

    powershell.exe C:\PS\bulk_reset.ps1

As a result, each user now has a new password, as shown below. Furthermore, these passwords can directly be copied and distributed to their appropriate users.

Reset Password Results

Reset AD User Passwords Using PowerShell ADSI

We may also use the Active Directory Service Interfaces (ADSI) from PowerShell to change an AD user’s password. ADSI is a set of COM interfaces used to access directory services from various network providers. We may use ADSI to reset passwords on systems where RSAT is not available, and it works with older PowerShell versions and any Active Directory version.

Follow the steps below to utilize ADSI in PowerShell to reset an AD user’s password.

Determine the Distinguished Name of the AD User

First, locate the distinguished name of the AD user. In this example, the johndoe user’s distinguished name, prefixed with the LDAP:// provider moniker that ADSI expects, is

    LDAP://CN=johndoe,CN=Users,DC=Marketing,DC=ABCCompany,DC=Local

If we are unsure what the user’s distinguished name is, we may run the command below.

    Get-ADUser -Identity johndoe -Properties * | Select-Object DistinguishedName

Create a New ADSI Object

Create a new ADSI object containing the AD user by running the code below.

    $userid = [ADSI]"LDAP://CN=johndoe,CN=Users,DC=Marketing,DC=ABCCompany,DC=Local"

Note that the LDAP:// provider moniker at the start of the path must be written in capital letters. The password reset will not function if we use lowercase letters.

Reset the AD User Password

Run the command below to set the password for the AD user. It calls the Invoke method of the ADSI object’s base DirectoryEntry with the SetPassword operation and the new password.

    $userid.psbase.invoke("SetPassword",'SecretPass123!')

After you’ve changed the password for the AD user, run the command below to call the ADSI object’s CommitChanges() method. This method completes the password change for the user.

    $userid.psbase.CommitChanges()
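The steps above located the distinguished name with Get-ADUser, which needs RSAT. As an added example (not part of the original article), the function below performs the whole reset with ADSI only: it looks up the user’s path with a DirectorySearcher, applies SetPassword and CommitChanges as above, and additionally clears pwdLastSet, which is the ADSI equivalent of Set-ADUser -ChangePasswordAtLogon $true. It assumes a domain-joined machine, a caller with reset rights, and the article’s sample account johndoe; the function name is my own.

```powershell
# Added example (not from the original article): ADSI-only reset without RSAT.
function Reset-AdsiUserPassword {
    param(
        # Restrict to safe characters so the value cannot alter the LDAP filter below
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]+$')][string]$SamAccountName,
        # SetPassword takes plain text, as in the article; pass it from a prompt, not a script literal
        [Parameter(Mandatory)][string]$NewPassword
    )
    # Search the current domain's default naming context for the account
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }

    # $result.Path already carries the upper-case LDAP:// moniker the article requires
    $user = [ADSI]$result.Path
    $user.psbase.Invoke('SetPassword', $NewPassword)
    # pwdLastSet = 0 forces a password change at next logon (ADSI equivalent of -ChangePasswordAtLogon)
    $user.Put('pwdLastSet', 0)
    $user.psbase.CommitChanges()

    return $result.Properties['distinguishedname'][0]
}

# Sample call with the article's example account (assumed to exist in the domain)
Reset-AdsiUserPassword -SamAccountName 'johndoe' -NewPassword 'SecretPass123!'
```

The function returns the distinguished name it resolved, so a caller can log which object was actually modified.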

Bulk Password Reset Best Practices

To round off this article on Active Directory bulk password reset using PowerShell, let us summarize the bulk password reset best practices. A bulk password reset is sometimes required, but it does not happen very often. What are the best practices and use cases for performing one? Let’s see below.

1. Create a different password for each user. It is extremely unsafe if every user has the same password.

2. Do not email the passwords to the users. This further protects your AD user accounts.

3. Do let your supervisor and the helpdesk know that you are doing a bulk password reset.

4. Account compromised: if only a single account was compromised, a bulk reset is probably not needed.

5. If multiple accounts were compromised through a phishing email or malware, a bulk reset must be performed. If only a single account was affected, check what could have gone wrong during the new account setup, or whether you simply forgot which password you set.

6. Set long passwords (12+ characters).

7. Do not set passwords to never expire.

Active Directory Bulk Password Reset using PowerShell Conclusion

This article aimed to teach us a better alternative for resetting AD user passwords. We have learned different ways to reset AD user passwords with PowerShell, using both the Set-ADAccountPassword cmdlet and ADSI.

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
