
The administrator can change the password of local users on a computer using the Local Users and Groups (lusrmgr.msc) graphical snap-in. To change the password of an AD domain user, the Active Directory Users and Computers (ADUC) GUI console is mainly used. However, in some cases, the administrator may need to change a user's password from the command prompt or from within a script. In this article we will show how to manage user passwords (both local and domain) using PowerShell.
How to Change Active Directory User Password with PowerShell?
To change an Active Directory user password, use the Set-ADAccountPassword cmdlet from the Active Directory module for Windows PowerShell. Of course, the user who runs the cmdlet must have domain administrator privileges or must have been delegated the right to reset passwords of AD users.
Before using the Set-ADAccountPassword cmdlet, you must import this module into a PowerShell session:
Import-Module ActiveDirectory
The password in the computer’s memory should preferably be stored in a protected form, so you can ask the administrator to specify the password as follows:
$newPass=Read-Host "Enter the new user password" -AsSecureString
Enter the new password in the PowerShell console.
It is better to specify the AD account name in the form of its sAMAccountName. For example, to change the password for user jkelly, run the command:
Set-ADAccountPassword jkelly -Reset -NewPassword $newPass
You can set a new user password directly inside the script code:
Set-ADAccountPassword jkelly -Reset -NewPassword (ConvertTo-SecureString -AsPlainText -String "St0ngPwd@d" -Force)
If you want the user to change the password at the next logon, run the command:
Set-ADUser jkelly -ChangePasswordAtLogon $True
You can reset the password for several users at once (assume that account names are stored in a plain text file user_to_reset.txt). Use this script:
Get-Content C:\PS\user_to_reset.txt | Set-ADAccountPassword -NewPassword $newPass -Reset
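The one-liner above gives every listed account the same password. As an added example (not from the original article), the script below gives each account its own random temporary password and forces a change at the next logon; New-RandomPassword and Reset-AdPasswordsFromFile are hypothetical names, and the 16-character length and the character sets are assumptions.

```powershell
# Added example; function names are hypothetical, not from the article.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 16)   # length and character sets are assumptions
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#%*-_+='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Random index below $max from the OS CSPRNG (modulo bias is negligible here).
    $next  = { param([int]$max) $rng.GetBytes($bytes); [int]([System.BitConverter]::ToUInt32($bytes, 0) % $max) }
    # One character from each class first, so common complexity rules are met.
    $chars = @(foreach ($c in $classes) { $c[(& $next $c.Length)] })
    $all   = -join $classes
    while ($chars.Count -lt $Length) { $chars += $all[(& $next $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $next ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    -join $chars
}

function Reset-AdPasswordsFromFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -Path $Path) {
        $sam = $line.Trim()
        if (-not $sam) { continue }   # skip blank lines
        try {
            $user   = Get-ADUser -Identity $sam -ErrorAction Stop
            $plain  = New-RandomPassword
            $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
            if ($PSCmdlet.ShouldProcess($sam, 'Reset password, require change at next logon')) {
                Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
                # Temporary password is returned once; hand it over out of band, do not log it.
                [pscustomobject]@{ SamAccountName = $sam; TempPassword = $plain; Status = 'Reset' }
            }
        } catch {
            [pscustomobject]@{ SamAccountName = $sam; TempPassword = $null; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Dry run against the file from the article; remove -WhatIf to apply.
Reset-AdPasswordsFromFile -Path C:\PS\user_to_reset.txt -WhatIf
```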
How to Change the Password for a Windows Local Account?
To change the passwords of local Windows users, you can use the ADSI (Active Directory Services Interface) API, which can be used to interact with Active Directory or with stand-alone computers.
Open the PowerShell command prompt and list the local user accounts on the current computer:
Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'"
You can also display a list of local users like this:
[adsi]$localPC = "WinNT://."
$localPC.Children | where {$_.Class -eq "user"} | ft name, description -auto
To reset a local user password, first select the user (in this example the local account name is ConfRoom):
[adsi]$user = "WinNT://./ConfRoom,user"
Set the password:
$user.SetPassword("newP@s32w02rd")
Additionally, you can request a password change at the next login:
$user.Put("PasswordExpired",1)
It remains to save the changes to the user account:
$user.SetInfo()
The same commands can be used to change the user's password on remote computers. It is enough to replace [adsi]$user = "WinNT://./ConfRoom,user" with the command [adsi]$user = "WinNT://RemotePCName/ConfRoom,user".
To set the same password for all local users, use the following script:
$NewPass = "ThisIsNewP@33"
$localusers = Get-WmiObject -Class Win32_UserAccount -ComputerName $env:COMPUTERNAME -Filter "LocalAccount='true'" | select -ExpandProperty name
foreach ($user in $localusers) {
    # Print the account name, then set its password
    $user
    ([adsi]"WinNT://$env:COMPUTERNAME/$user").SetPassword($NewPass)
}
The post Changing Local and Active Directory User Password Using PowerShell appeared first on TheITBros.