
PowerShell password sync between AD domains

The PowerShell script given below synchronizes the passwords of users between their user accounts in two domains. ADSelfService Plus, a self-service password management and single sign-on solution, synchronizes changes made to a domain user's password to their user accounts in other Active Directory domains and even their user accounts in enterprise applications such as Google Workspace (formerly G Suite) and Office 365. Here is a comparison between password synchronization between two AD domains using PowerShell and ADSelfService Plus:


In order to synchronize passwords across a user's accounts in multiple domains, the DSInternals module needs to be installed:
Install-Module -Name DSInternals

Once you have installed the DSInternals module, create your credentials by running the following script:

$credential = Get-Credential;
$credential | Export-CliXml -Path '<enter the path of an XML file here>';

Now, run the following script:

# Source (primary) domain settings
$sourceDomainNetBIOS = '<primary domain>';
$sourceDomainFQDN = '<primary domain>.com';
$sourceDomainDN = 'DC=<primary domain>,DC=com';
$sourceDomainCredential = Import-CliXml -Path '<enter the file path of an xml file here>';
# Target (secondary) domain settings
$targetDomainNetBIOS = '<secondary domain>';
$targetDomainFQDN = '<secondary domain>.com';
$targetDomainDN = 'DC=<secondary domain>,DC=com';
$targetDomainCredential = Import-CliXml -Path '<enter file path of an XML file here>';
$syncGroup = 'Some Group';
# Read account data, including NT hashes, from the source domain via directory replication
$hashes = Get-ADReplAccount -All -NamingContext $sourceDomainDN -Server $sourceDomainFQDN -Credential $sourceDomainCredential;
# Members of the sync group, looked up in the target domain
$users = Get-ADGroupMember $syncGroup -server $targetDomainFQDN -Credential $targetDomainCredential;
foreach ($user in $users)
{
    $currentUserHash = $hashes | ? {$_.saMAccountName -eq $user.SamAccountName};
    # Skip members with no matching source account or no NT hash to copy
    if (-not $currentUserHash -or -not $currentUserHash.NTHash) { continue; }
    # Convert the hash bytes to a lowercase hex string
    $NTHash = ([System.BitConverter]::ToString($currentUserHash.NTHash) -replace '-','').ToLower();
    # Write the source account's NT hash onto the same-named account in the target domain
    Set-SamAccountPasswordHash -SamAccountName $user.SamAccountName -Domain $targetDomainNetBIOS -NTHash $NTHash -Server $targetDomainFQDN -Credential $targetDomainCredential;
}
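A least-privilege variant of the script above, added here as an example and not part of the original page or of ADSelfService Plus: it replicates only the accounts that belong to the sync group instead of calling Get-ADReplAccount -All, skips accounts with no source match, and logs account names only. The names $sourceCred, $targetCred, $replArgs and $setArgs are assumptions; the angle-bracket placeholders must be filled in as in the script above.

```powershell
# Added example (not the vendor's script). Fill in the <...> placeholders before running.
Import-Module DSInternals, ActiveDirectory

$sourceDomainNetBIOS = '<primary domain>'
$sourceDomainFQDN    = '<primary domain>.com'
$targetDomainNetBIOS = '<secondary domain>'
$targetDomainFQDN    = '<secondary domain>.com'
$sourceCred = Import-Clixml -Path '<enter the file path of an xml file here>'
$targetCred = Import-Clixml -Path '<enter file path of an XML file here>'
$syncGroup  = 'Some Group'

# Only user objects in the sync group are candidates (nested groups and computers are ignored).
$users = Get-ADGroupMember $syncGroup -Server $targetDomainFQDN -Credential $targetCred |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($user in $users) {
    # Replicate this one account only, so hashes of non-members never reach this host.
    $replArgs = @{
        SamAccountName = $user.SamAccountName
        Domain         = $sourceDomainNetBIOS
        Server         = $sourceDomainFQDN
        Credential     = $sourceCred
        ErrorAction    = 'Stop'
    }
    try {
        $account = Get-ADReplAccount @replArgs
    } catch {
        Write-Warning "Skipping $($user.SamAccountName): no matching account in source domain"
        continue
    }
    if (-not $account.NTHash) {
        Write-Warning "Skipping $($user.SamAccountName): source account has no NT hash"
        continue
    }

    # Same hex conversion as the script above.
    $ntHash = ([System.BitConverter]::ToString($account.NTHash) -replace '-', '').ToLower()
    $setArgs = @{
        SamAccountName = $user.SamAccountName
        Domain         = $targetDomainNetBIOS
        NTHash         = $ntHash
        Server         = $targetDomainFQDN
        Credential     = $targetCred
    }
    Set-SamAccountPasswordHash @setArgs
    Write-Output "Synced $($user.SamAccountName)"   # log the name only, never the hash
}
```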

ADSelfService Plus

The Password Synchronization feature synchronizes the changes made to a domain user's password with their user accounts in other domains and enterprise applications.

For configuration:

  • In ADSelfService Plus, go to Application and click Active Directory.
  • Provide an Application Name.
  • Select the Domain Name of the domain to which the passwords must be synced.
  • Select the ADSelfService Plus policy whose users' passwords must be synced with their user accounts in other domains.
  • Click Advanced and select the Source Attribute and the Target Attribute in the domain to be synced. When these two attributes are linked to the user accounts in both the domains, the passwords are synced from the primary domain to the secondary.
  • Click Add Application.
Advantages of ADSelfService Plus:
  • Specify which user can synchronize their AD domain passwords:

    While creating the ADSelfService Plus policy, users belonging to specific domains, OUs and groups can be enabled to synchronize their passwords.

  • Synchronize the passwords between multiple domains:

    Administrators can enable the synchronization of AD passwords between any number of domains with just a few clicks.

  • Synchronize password changes made through multiple mediums:

    With ADSelfService Plus, password resets made from the ADSelfService portal and mobile app, and the Windows, macOS, and Linux login screens can be synchronized with the integrated applications. Native password changes (password resets in the ADUC portal and password changes in the Ctrl+Alt+Del console) can also be synchronized.

  • Synchronize AD password across multiple applications:

    Using ADSelfService Plus, users' passwords can be synchronized between AD domains and other enterprise systems and applications like AD LDS, Office 365 and Salesforce.

  • Audit password synchronization:

    The synchronization actions during a password reset and change are audited as reports that can be easily generated with a single click and exported in formats like CSV, HTML, XLS, and PDF.
