How to reset Active Directory domain passwords

The following is a comparison between resetting Active Directory domain passwords using Windows PowerShell and ADSelfService Plus:

With PowerShell
  1. Reset a password for a user account using a distinguished name
    Set-ADAccountPassword -Identity 'CN=John Smith,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "password@123" -Force)
  2. Reset passwords for users by OU and group membership.

    Not available as a single cmdlet. Set-ADAccountPassword acts on one account per call, so a scoped bulk reset means selecting the users yourself (Get-ADUser -SearchBase for an OU, Get-ADGroupMember for a group) and piping the result into Set-ADAccountPassword.
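The scoped bulk reset the comparison calls unavailable, written out as an added example (this is not ADSelfService Plus or Microsoft code). The OU distinguished name and group name in the usage comments are assumptions; the script expects RSAT's ActiveDirectory module and an account that holds the Reset Password right on the OU. Each user receives a fresh random password and is forced to change it at next logon, so the value the admin sees is never the long-lived secret.

```powershell
# Added example: reset every enabled user who is both under an OU and a member of a group.
# Assumes the ActiveDirectory module (RSAT) and delegated "Reset Password" rights on the OU.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 20 characters from a 64-symbol alphabet drawn with a CSPRNG. 256 is a multiple of 64,
    # so byte % 64 has no modulo bias. Ambiguous glyphs (l, I, O, 0, 1) are left out.
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-ScopedUserPasswords {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU DN, e.g. 'OU=Accounts,DC=Fabrikam,DC=com' (assumed)
        [Parameter(Mandatory)][string]$GroupName,    # e.g. 'Contractors' (assumed)
        [switch]$WhatIf                              # list the targets without touching them
    )

    # Group membership resolved recursively so nested groups count; SIDs are the join key.
    $memberSids = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SID.Value }

    # Enabled users anywhere under the OU (SearchScope defaults to Subtree).
    $candidates = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true'
    $targets = $candidates | Where-Object { $memberSids -contains $_.SID.Value }

    foreach ($user in $targets) {
        if ($WhatIf) {
            [pscustomobject]@{ User = $user.SamAccountName; Status = 'WhatIf'; TempPassword = $null }
            continue
        }
        $plain  = New-RandomPassword
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        try {
            Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset -ErrorAction Stop
            # The temporary password must not survive first use.
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
            [pscustomobject]@{ User = $user.SamAccountName; Status = 'Reset'; TempPassword = $plain }
        } catch {
            [pscustomobject]@{ User = $user.SamAccountName; Status = "Failed: $($_.Exception.Message)"; TempPassword = $null }
        }
    }
}

# Usage with the assumed OU and group. Dry-run first, then reset and hand the temporary
# passwords to users out of band; do not write them to a file that outlives the handover.
# Reset-ScopedUserPasswords -SearchBase 'OU=Accounts,DC=Fabrikam,DC=com' -GroupName 'Contractors' -WhatIf
# Reset-ScopedUserPasswords -SearchBase 'OU=Accounts,DC=Fabrikam,DC=com' -GroupName 'Contractors' | Format-Table
```

Set-ADAccountPassword -Reset does not check the old password and is not subject to the minimum-age rule, which is why the right to call it is the thing to delegate narrowly: whoever can run this script against an OU can take over any account in it.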

With ADSelfService Plus
  1. For users: Self-service password reset, i.e., password reset without admin intervention
    1. Go to ADSelfService Plus admin portal.
    2. Navigate to Configuration > Self-Service > Policy Configuration.
    3. Select Password Reset.
    4. Click Select OUs/Groups to granularly select which set of users should be enabled for the self-service password reset feature.
    5. Click Save.
  2. For admins: Reset all users in a domain
    1. Go to ADSelfService Plus admin portal.
    2. Navigate to Configuration > Self-Service > Policy Configuration > Advanced.
    3. Enable Automatically reset domain users' passwords in your domain.

What are the limitations of using Windows PowerShell to reset passwords?

  • Doesn't allow end users to reset forgotten passwords on their own from the Windows logon screen or from a mobile phone; every Set-ADAccountPassword -Reset call runs under an account that already holds the Reset Password right on the target.
  • Doesn't give admins a way to enable self-service password reset scoped by OU or group membership; any scoping has to be scripted.
  • Creating several scheduled reset jobs for different sets of users is laborious, and each job needs a service account with reset rights over those users. If those accounts are not tightly scoped and monitored, the scheduled task and its script become a privilege-escalation path for anyone who can modify them.

Benefits of ADSelfService Plus

  • Self-service password reset (SSPR): With ADSelfService Plus, users can reset their passwords from:
      • The logon screens of their Windows, Linux, or macOS machines.
      • Web browsers by accessing the ADSelfService Plus portal, which can be configured to be accessed through all major web browsers.
      • Their mobile devices by accessing the ADSelfService Plus iOS or Android mobile app or mobile site.
      • Inside the corporate network or remotely. Besides resetting their passwords, ADSelfService Plus also lets users update the cached credentials on their machine.
  • Improves ROI: Enables users to perform self-service password reset and reduces IT expense.
  • Improves IT security: Supports advanced multi-factor authentication techniques like biometrics and YubiKey to secure self-service password resets and account unlocks.
  • Universal enforcement: Admins can enforce the self-service password reset feature for users' Active Directory and cloud accounts.
  • Improves user experience: Zero wait time as it allows users to reset Azure AD passwords, from anywhere, at any time.

Resetting AD passwords using PowerShell

Step 1: Connect to Active Directory

Import the ActiveDirectory module before running the script. It ships with RSAT and is present on domain controllers by default. The cmdlets run as the current user, so that account must hold the Reset Password right on every account it will reset.

Import-Module ActiveDirectory

Step 2: Create a password reset function

Define a function that resets a given account's password. It takes the new password as a SecureString so the plaintext is never held in a string variable or written to the console history.

function Reset-UserPassword {
    param (
        [Parameter(Mandatory)]
        [string]$Username,

        [Parameter(Mandatory)]
        [SecureString]$NewPassword
    )

    # -Reset does not prompt for the old password; the caller needs the
    # "Reset Password" right on the target. -ErrorAction Stop turns a denied
    # reset or a policy rejection into a terminating error instead of a warning.
    Set-ADAccountPassword -Identity $Username -NewPassword $NewPassword -Reset -ErrorAction Stop

    # Make the user pick their own password at next logon, so the value typed
    # here is only a temporary secret.
    Set-ADUser -Identity $Username -ChangePasswordAtLogon $true -ErrorAction Stop
    Write-Host "Password reset successfully for $Username"
}

Step 3: Prompt for the account and the new password

Prompt interactively for the username and the new password. Read-Host -AsSecureString returns a SecureString, which the function accepts directly; do not round-trip it through ConvertFrom-SecureString, which produces an encrypted blob rather than the plaintext and would make that blob the new password. Whoever runs this prompt must already hold the Reset Password right on the target account: it is a helpdesk tool, not self-service for a user who has forgotten their password.

$Username = Read-Host "Enter the username to reset"
$NewPassword = Read-Host "Enter new password" -AsSecureString

Reset-UserPassword -Username $Username -NewPassword $NewPassword

Step 4: Automate the process

The task below registers the script to run at startup. Two caveats before you do this: a task started by SYSTEM at boot runs in session 0 with no interactive console, so the Read-Host prompts from Step 3 are never shown; and the LocalSystem account on a member server authenticates to the domain as the computer account, which has no right to reset user passwords, while on a domain controller it is effectively Domain Admin. A scheduled reset job should instead run as a dedicated account delegated the Reset Password right on one OU, read its targets from a controlled source rather than a prompt, and the script file must be writable only by administrators, since anyone who can edit it runs code as that account.

$trigger = New-ScheduledTaskTrigger -AtStartup
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\SelfServiceReset.ps1"
Register-ScheduledTask -TaskName "SelfServiceReset" -Trigger $trigger -Action $action -User "SYSTEM"
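What a logged-on user can do without any delegated rights, added here as an example that is not part of the original walkthrough: change their own password by proving they know the current one. Set-ADAccountPassword without -Reset authenticates with the old password, so the domain controller enforces history, minimum age and complexity, and records event 4723 rather than 4724. The only identity involved is the logged-on account; the exception type caught is the one the ActiveDirectory module raises for policy rejections.

```powershell
# Added example: a user changes their own AD password from PowerShell.
# Requires only the ActiveDirectory module; no Reset Password right is needed.
Import-Module ActiveDirectory

function Update-OwnPassword {
    param(
        [Parameter(Mandatory)][SecureString]$OldPassword,
        [Parameter(Mandatory)][SecureString]$NewPassword
    )
    $me = $env:USERNAME
    try {
        # No -Reset: the DC validates the old password and applies the password policy.
        Set-ADAccountPassword -Identity $me -OldPassword $OldPassword -NewPassword $NewPassword -ErrorAction Stop
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADPasswordComplexityException] {
        Write-Warning "New password rejected by domain policy: $($_.Exception.Message)"
    } catch {
        # A wrong old password surfaces here as an authentication failure. Never retry
        # this in a loop from a script: that only walks the account toward lockout.
        Write-Warning "Password change failed: $($_.Exception.Message)"
    }
    return $false
}

$old     = Read-Host 'Current password'     -AsSecureString
$new     = Read-Host 'New password'         -AsSecureString
$confirm = Read-Host 'Confirm new password' -AsSecureString

# Compare the two SecureStrings; NetworkCredential exposes the plaintext only for the check.
$p1 = [System.Net.NetworkCredential]::new('', $new).Password
$p2 = [System.Net.NetworkCredential]::new('', $confirm).Password
if ($p1 -ne $p2) { throw 'Passwords do not match.' }
Remove-Variable p1, p2

Update-OwnPassword -OldPassword $old -NewPassword $new
```

This is the honest scope of "users resetting their own passwords with PowerShell": it works while the user still knows the current password and is logged on. The forgotten-password case needs either a delegated helper or an identity-verifying self-service portal.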

FAQs

1. How does self-service password reset work in AD?

Native Active Directory has no self-service reset. Set-ADAccountPassword -Reset runs with the rights of whoever executes it, so a "self-service" PowerShell script is really a delegated reset tool: the person or service account running it needs the Reset Password right on the target. True self-service for forgotten passwords, where the user first proves their identity through MFA and then resets from the logon screen or a portal, is what a product such as ADSelfService Plus adds on top.

2. Can I allow only specific users to reset their passwords?

Yes. Delegate the Reset Password extended right on the relevant OU to a security group (Active Directory Users and Computers > Delegate Control, dsacls, or Set-Acl on the AD: drive); only members of that group can then run the reset against accounts in that OU. In ADSelfService Plus the equivalent is selecting the OUs and groups in the policy configuration.
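The delegation behind both Step 3 and this FAQ, as an added example (not the page's or ManageEngine's code): grant one group the Reset Password control-access right on every user object under an OU, which is what the Delegation of Control wizard writes. The OU and group names in the usage comments are assumptions; the two GUIDs are the well-known User-Force-Change-Password right and the schema GUID of the user class.

```powershell
# Added example: delegate "Reset Password" on user objects under an OU to a group,
# then read the ACL back to verify it. Assumes the ActiveDirectory module and AD: drive.
Import-Module ActiveDirectory

$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

function Grant-ResetPasswordRight {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # e.g. 'OU=Accounts,DC=Fabrikam,DC=com' (assumed)
        [Parameter(Mandatory)][string]$GroupName  # e.g. 'Helpdesk' (assumed)
    )
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID

    # ExtendedRight limited to one control-access GUID, inherited by descendant user objects only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)

    $path = "AD:\$OuDn"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ResetPasswordRight {
    # Read the ACE back rather than assuming the write succeeded; this is also the check
    # to run periodically to spot delegations nobody remembers granting.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName
    )
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -like "*\$GroupName"
    }
}

# Usage with the assumed names:
# Grant-ResetPasswordRight -OuDn 'OU=Accounts,DC=Fabrikam,DC=com' -GroupName 'Helpdesk'
# Test-ResetPasswordRight  -OuDn 'OU=Accounts,DC=Fabrikam,DC=com' -GroupName 'Helpdesk'
```

Keep privileged accounts out of any OU delegated this way: a holder of Reset Password can log in as every account under it. Accounts protected by AdminSDHolder (adminCount = 1) have their ACLs rewritten by the SDProp process anyway, so a delegation that appears to cover them will not hold.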

3. How do I check password reset attempts?

Domain controllers log event ID 4724 ("An attempt was made to reset an account's password") for administrative resets and 4723 for a user changing their own password. Each event appears only on the DC that processed the request, so query every DC or a central log collector. Get-EventLog exists only in Windows PowerShell 5.1; Get-WinEvent works in both editions:

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents 50
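Turning that query into something a SOC can act on, as an added example (not from the page): pull 4723 and 4724 from every domain controller, flatten who reset whom out of the event XML, and flag the two patterns that matter most, one actor resetting many accounts and any reset of a privileged account. The DC list comes from Get-ADDomainController; the thresholds and the privileged-account pattern are assumptions to tune.

```powershell
# Added example: collect AD password reset/change events from all DCs and flag outliers.
# Assumes the ActiveDirectory module and rights to read the Security log remotely.
Import-Module ActiveDirectory

function Get-PasswordResetEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    $filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Since }
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events" is the normal quiet case; anything else (RPC, access denied) is worth seeing.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { Write-Warning "${dc}: $_" }
            continue
        }
        foreach ($e in $events) {
            # EventData is a list of <Data Name="...">value</Data> nodes; index them by name.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                Id      = $e.Id
                Action  = if ($e.Id -eq 4724) { 'Reset' } else { 'Change' }
                Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Success = $e.KeywordsDisplayNames -contains 'Audit Success'
            }
        }
    }
}

$recent = Get-PasswordResetEvents -Since (Get-Date).AddHours(-24)

# Mass reset: one actor resetting 10 or more accounts in the window (threshold is an assumption).
$recent | Where-Object Action -eq 'Reset' | Group-Object Actor | Where-Object Count -ge 10 |
    Select-Object @{ n = 'Actor'; e = { $_.Name } }, Count

# Any reset of a privileged account (pattern is an assumption; extend it to your tier-0 names).
$recent | Where-Object { $_.Action -eq 'Reset' -and $_.Target -match '\\(Administrator|krbtgt)$' }
```

A failed reset (Audit Failure on 4724) is often more interesting than a successful one: it is what a helpdesk account looks like when it is being used outside its delegated OU.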
