Ways to reset Active Directory Password
When Active Directory users forget their domain passwords or let their passwords expire, it becomes the admins’ burden to reset the passwords. Password-related help desk tickets are still one of the most common tickets received by the help desk. Resetting passwords quickly and securely is important. There are multiple methods through which admins can reset a user’s password. They are:
- Active Directory Users and Computers (ADUC) console
- DSMOD command-line tool
- PowerShell script
- Third-party Active Directory password management tools
In this article, we will see how to use these methods to reset Active Directory passwords and which method is best suited.
Before you begin
Irrespective of the method you use, you must have sufficient permissions in Active Directory to reset users’ passwords. You must either be part of the Domain Admins group or at least be a member of the Account Operators security group in Active Directory. If you are delegating password reset tasks to help desk technicians, you can use the OU delegation feature in AD to assign the reset password permission.
Resetting passwords through ADUC console
Note: If you don’t have access to the domain controller, make sure you install the Remote Server Administration Tools (RSAT) and enable the ADUC MMC snap-in.
- Log in to a domain-connected computer and open the Active Directory Users and Computers console.
- Find the user account whose password you want to reset.
- In the right pane, right-click on the user account and select Reset Password.
- Type the new password and enter it again to confirm.
Using ADUC, you can select multiple user accounts and then set a common password for the selected users. However, you can only select users in a single organizational unit and only a common password can be set for the selected users.
Resetting passwords using Dsmod command line
The Directory Service Modification (Dsmod) tool is a command-line tool that can be used in Windows Server 2003 to Windows Server 2012 to modify directory service objects. It is available if you have the Active Directory Domain Services (AD DS) server role installed. Although PowerShell has replaced Dsmod, it is still a great tool for modifying user account properties, including resetting passwords.
To use Dsmod, you must run the Dsmod command from an elevated Command Prompt. To open an elevated Command Prompt, click Start, right-click Command Prompt, and then click Run as administrator.
To reset the password for John Doe and force him to change his password when he next logs on to the network, type:
DSMOD user "CN=John Doe,CN=Users,DC=mydomain,DC=Com" -pwd A1b2C3d4 -mustchpwd yes
While this command seems simple enough, you need to provide the distinguished name of the user. Dsmod commands don’t accept sAMAccountName. Further, resetting passwords of multiple user accounts would make the command more complex and error prone.
Resetting passwords using PowerShell cmdlets
The Set-ADAccountPassword PowerShell cmdlet can be used to perform password reset operations. Its “-Identity” parameter accepts the sAMAccountName of a user account as well as the distinguished name or the user object GUID. To reset the password for a single user account, execute the PowerShell command below:
Set-ADAccountPassword -Identity JohnDoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)
While PowerShell scripts are a great way to reset a user’s password, the script would get too complex if you want to reset passwords of multiple users.
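A bulk reset over one OU, as an added example that is not from the original article or from the vendor: each enabled user gets a unique random temporary password and must change it at next logon. The OU path and the New-TempPassword helper are hypothetical, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module; the OU DN is a placeholder.
Import-Module ActiveDirectory

function New-TempPassword {          # hypothetical helper, not a built-in cmdlet
    param([int]$Length = 16)
    # Look-alike characters (0/O, 1/l/I) are left out so the value can be read aloud.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%+-=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 1
    try {
        do {
            $chars = foreach ($i in 1..$Length) {
                # Rejection sampling: drop bytes that would bias the modulo.
                $limit = 256 - (256 % $all.Length)
                do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
                $all[$buf[0] % $all.Length]
            }
            $pw = -join $chars
            # Retry until every character class is present, so complexity rules pass.
            $missing = $sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
        } while ($missing)
    } finally { $rng.Dispose() }
    $pw
}

$ou = 'OU=Sales,DC=mydomain,DC=com'  # placeholder OU

$results = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou | ForEach-Object {
    $user  = $_                      # keep a reference; $_ is the error inside catch
    $plain = New-TempPassword
    try {
        Set-ADAccountPassword -Identity $user -Reset -ErrorAction Stop `
            -NewPassword (ConvertTo-SecureString -AsPlainText $plain -Force)
        # Force a change at next logon so the temporary value is short-lived.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $user.SamAccountName; TempPassword = $plain; Status = 'Reset' }
    } catch {
        [pscustomobject]@{ User = $user.SamAccountName; TempPassword = $null; Status = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Any row whose Status is not Reset carries the error text for that account and should be checked by hand before the user is contacted.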
Resetting passwords using ADSelfService Plus
ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, empowers end users to reset passwords on their own. It employs secure authentication methods, such as YubiKey Authenticator, Google Authenticator, and biometric authentication, to verify users’ identities before allowing them to reset passwords. There’s more:
- Users can reset their Active Directory passwords right from the login screen of their Windows, Linux, and macOS machines, as well as through their mobile devices using the ADSelfService Plus Android and iOS apps.
- Self-service password reset and account unlock can be enabled for all the users in the domain or for specific users by creating OU and group-based policies.
- Passwords can be checked for complexity and compliance through the built-in password policy enhancer feature which contains dictionary rule, pattern checker, and other complexity settings that are missing in AD domain password policy.
To enable self-service password reset for Active Directory users using ADSelfService Plus:
- Download and install ADSelfService Plus.
- Log in using admin credentials.
- You’ll be asked to configure your AD domain. For authentication, make sure you provide an account that has reset password privilege in Active Directory.
- Go to Configuration > Self-Service > Policy Configuration.
- Select the Reset Password checkbox. Then, click Select OUs/Groups to select the users to whom you want to enable this feature.
- Click Save Policy.
- Click Multi-Factor Authentication (below Policy Configuration menu).
- Set up the necessary multi-factor authentication methods. Based on the methods you choose, users may need to provide the information required for that method in a process called enrollment.
- Now enroll users by going to Configuration > Administrative Tools > Quick Enrollment. You can automatically enroll users, send them a notification, or force them to enroll.
Note: By default, both the username and password for ADSelfService Plus are admin.
That’s it! Once users are enrolled, they can reset their passwords, without contacting the help desk.
1. What is self-service Active Directory password reset?
Self-service Active Directory password reset, as the name suggests, is the process for users to reset their own Active Directory passwords without help desk assistance.
2. Why is self-service password reset better than help desk-assisted password reset?
Self-service password reset empowers users to reset their own Active Directory passwords without having to wait for help desk personnel to assist them. This ensures that users don't put their work on hold because of a forgotten password, especially while working during odd shifts when help desk assistance might not be available.
In help desk-aided password resets, the newly set password is communicated to the user either through email or SMS, both of which are unsecure methods. If exposed or traced by hackers, it can lead to account takeover attacks and the consequences can be devastating. Self-service password reset eliminates these security vulnerabilities by enabling users to reset their own passwords without any third-party intervention.
3. What Active Directory password reset tool can I deploy in my organization?
You can leverage ADSelfService Plus' self-service AD password reset capability in your organization. ADSelfService Plus provides a simple, user-friendly console for both admins and end users to interact with. ADSelfService Plus secures all of its self-service functionalities with strong multi-factor authentication (MFA) validators, like biometrics, YubiKey, smart card, and time-based one-time passwords. You can choose from 19 modern authenticators to provide MFA for your users' self-service password reset action.
4. What are the prominent features of ADSelfService Plus' self-service password reset capability?
With ADSelfService Plus' self-service password reset capability, users can:
- Reset passwords from logon screens.
- Reset passwords from web browsers.
- Reset passwords from mobile devices.
- Reset passwords from a private network.
- Securely perform password resets after identity verification using adaptive MFA.
ADSelfService Plus also supports
- Enable context-based MFA with 19 different authentication factors for endpoint and application logins.
- Enterprise single sign-on: Allow users to access all enterprise applications with a single, secure authentication flow.
- Remote work enablement: Enhance remote work with cached credential updates, secure logins, and mobile password management.
- Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.
- Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.
- Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.