How to reset a password in Active Directory (ADUC, PowerShell, and Dsmod)

When Active Directory users forget their domain passwords or let their passwords expire, it becomes the admins’ responsibility to reset them. Password-related help desk tickets are still one of the most common requests, which is why knowing how to reset passwords in Active Directory quickly and securely is crucial.

There are multiple methods admins can use to reset an Active Directory user’s password:

  • Active Directory Users and Computers (ADUC) console
  • Dsmod command-line tool
  • PowerShell script
  • Self-service password reset with ADSelfService Plus

In this article, we’ll look at how each of these methods works to help you decide which one is best suited for your environment.

Prerequisites and permissions for password reset

Before you reset a user password in Active Directory, ensure the account performing the action has sufficient privileges.

Typically, password reset permissions are granted to:

  • Members of the Domain Admins group.
  • Members of the Account Operators group.
  • Delegated help desk admins.
  • IT support teams assigned OU-level rights.

Use delegation instead of full admin rights

Granting Domain Admin access for routine password resets increases risk. A better approach is to delegate only the Reset Password and Unlock Account permissions for specific OUs.

This follows the principle of least privilege and reduces exposure if an admin account is compromised.
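The delegation described above, as an added PowerShell example (not code from the original article or from ManageEngine): it grants a help-desk group only the Reset Password extended right, plus the pwdLastSet and lockoutTime attribute writes that "User must change password at next logon" and "Unlock Account" need, scoped to user objects under one OU. It assumes the RSAT ActiveDirectory module and an account allowed to edit the OU's ACL; the OU distinguished name and group name are constructed sample values, and the function names are the example's own.

```powershell
# Added example, not from the original article or from ManageEngine: delegate only the
# Reset Password right (plus the attribute writes behind "force change at next logon" and
# "Unlock Account") on one OU to a help-desk group, instead of adding staff to Domain Admins.
# Assumes the RSAT ActiveDirectory module and an account allowed to edit the OU's ACL.
# The OU and group names are constructed sample values.
Import-Module ActiveDirectory

# Resolve the GUIDs from this forest's schema and configuration partitions rather than
# hard-coding them, so the ACEs match what ADUC's Delegate Control wizard would write.
function Get-SchemaGuid {
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $userType = Get-SchemaGuid -LdapDisplayName 'user'   # scope every ACE to user objects only

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # 1. Reset Password is a control-access (extended) right, not an attribute write.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ExtendedRightGuid -DisplayName 'Reset Password'), $inherit, $userType))

    # 2. "User must change password at next logon" writes pwdLastSet; "Unlock Account" writes lockoutTime.
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($attr in 'pwdLastSet', 'lockoutTime') {
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $rw, $allow, (Get-SchemaGuid -LdapDisplayName $attr), $inherit, $userType))
    }

    Set-Acl -Path $path -AclObject $acl
}

# Show exactly what the group now holds on the OU, so the delegation can be reviewed.
function Show-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
}

Grant-PasswordResetDelegation -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupName 'HelpDesk-PasswordReset'
Show-PasswordResetDelegation  -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupName 'HelpDesk-PasswordReset'
```

Because the GUIDs are looked up from the forest's own schema and Extended-Rights container, the same script works unchanged in any domain; the review function at the end is what you would keep in a periodic access review to confirm the group still holds nothing beyond these rights.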

Resetting Active Directory user passwords through the ADUC console

ADUC is the most common GUI method for resetting passwords.

Prerequisites

If ADUC is not installed:

  • Install Remote Server Administration Tools (RSAT).
  • Enable the ADUC snap-in through Microsoft Management Console.

Steps to reset a user password in Active Directory using ADUC:

  1. Open ADUC.
  2. Browse to the desired OU.
  3. Search for the user account.
  4. Right-click the account and select Reset Password.
  5. Enter and confirm the new password.
  6. Optionally, select User must change password at next logon.
  7. Click OK.

Limitations of ADUC

  • Requires administrative access and privileges.
  • Leaves end users dependent on the admin.
  • Limited reporting and automation.

Resetting Active Directory passwords using Dsmod command-line tool

Dsmod is a legacy command-line tool documented for older Windows Server environments that can modify Active Directory objects, including passwords. It's supported if you have the Active Directory Domain Services server role installed. Although PowerShell has replaced Dsmod, it is still a useful tool for modifying user account properties, including resetting passwords.

To use Dsmod, you must run the Dsmod command from an elevated Command Prompt. To open an elevated Command Prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Sample command to reset user password in Active Directory using Dsmod:

dsmod user "CN=John Doe,CN=Users,DC=mydomain,DC=com" -pwd A1b2C3d4 -mustchpwd yes

Limitations of Dsmod

  • Requires the account's Distinguished Name.
  • Less user-friendly compared to other methods.
  • Offers limited bulk support.
  • Has been deprecated in modern environments.

Resetting Active Directory passwords using PowerShell

PowerShell is widely used to automate Active Directory management. When employing PowerShell to reset an Active Directory password, use the Set-ADAccountPassword cmdlet.

Sample command to reset user password in Active Directory using PowerShell:

Set-ADAccountPassword -Identity JohnDoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword123!" -Force)

This cmdlet supports sAMAccountName, Distinguished Name, and GUID, making it more flexible than Dsmod. However, if you need to reset passwords in Active Directory for multiple users, scripts can quickly become complex.

Limitations of PowerShell

  • Usage requires scripting knowledge.
  • Any errors can affect multiple users.
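One way to address both limitations above, as an added PowerShell example (not code from the original article or from ManageEngine): a wrapper around Set-ADAccountPassword that prompts for the temporary password rather than embedding it in plain text, forces a change at next logon, optionally unlocks the account, supports -WhatIf, and reports a result per account so that one failure in a batch is visible instead of stopping or silently skipping the rest. It assumes the RSAT ActiveDirectory module; the account names and the function name are constructed for the example.

```powershell
# Added example, not from the original article: a Set-ADAccountPassword wrapper for one or
# many accounts that keeps the new password out of the command line and script history,
# forces a change at next logon, and reports per-account results so that one failure is
# visible rather than silently affecting the rest of the batch. Assumes the RSAT
# ActiveDirectory module; the account names are constructed sample values.
Import-Module ActiveDirectory

function Reset-UserPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [Parameter(Mandatory)] [System.Security.SecureString] $NewPassword,
        [switch] $Unlock
    )
    foreach ($name in $SamAccountName) {
        try {
            # Identity can be sAMAccountName, DN, or GUID; resolving it first gives a clear
            # "not found" error before anything is changed.
            $user = Get-ADUser -Identity $name -Properties LockedOut -ErrorAction Stop
            if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) { continue }

            Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword -ErrorAction Stop
            # Equivalent of the ADUC "User must change password at next logon" checkbox.
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
            if ($Unlock -and $user.LockedOut) { Unlock-ADAccount -Identity $user -ErrorAction Stop }

            [pscustomobject]@{ User = $name; Status = 'Reset'; Error = $null }
        }
        catch {
            # Record the failure for this account only; the loop carries on with the next one.
            [pscustomobject]@{ User = $name; Status = 'Failed'; Error = $_.Exception.Message }
        }
    }
}

# Prompt for the temporary password instead of passing it as plain text
# (ConvertTo-SecureString -AsPlainText leaves it in the console history and transcripts).
$tempPassword = Read-Host -Prompt 'Temporary password' -AsSecureString

# Dry run first: -WhatIf lists which accounts would be changed without touching them.
Reset-UserPassword -SamAccountName 'jdoe', 'asmith' -NewPassword $tempPassword -Unlock -WhatIf

# Real run; the output is a table with one row per account.
Reset-UserPassword -SamAccountName 'jdoe', 'asmith' -NewPassword $tempPassword -Unlock |
    Format-Table -AutoSize
```

Every cmdlet runs with -ErrorAction Stop so that a failed reset is caught by the try/catch and reported, rather than letting the following Set-ADUser mark an unchanged password as "change at next logon".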

Resetting Active Directory passwords using ADSelfService Plus

ManageEngine ADSelfService Plus, a unified SSPR, MFA, and SSO solution, empowers end users to reset passwords in Active Directory on their own. It employs secure multi-factor authentication (MFA) methods, such as YubiKey Authenticator, Google Authenticator, and biometric authentication, to verify users’ identities before allowing them to reset passwords. Additionally:

  • Users can reset their Active Directory passwords right from the login screen of their Windows, Linux, and macOS machines, as well as through their mobile devices using the ADSelfService Plus Android and iOS apps.
  • Self-service password reset and account unlock can be enabled for all the users in the domain or for specific users by creating OU and group-based policies.
  • Passwords can be checked for complexity and compliance through the built-in password policy enforcer feature, which contains dictionary rules, a pattern checker, and other complexity settings that are missing in Active Directory's domain password policy.

To enable self-service password reset for Active Directory users using ADSelfService Plus:

  1. Download and install ADSelfService Plus. Log in using administrative credentials.
  2. Go to Configuration > Self-Service > Policy Configuration.

    Image 1. Self-service policy creation.

  3. Select the Reset Password checkbox. Then, click Select OUs/Groups to select the users for whom you want to enable this feature.
  4. Click Save Policy.
  5. In the left pane, click Multi-Factor Authentication.

    Image 2. A list of the authenticators supported for self-service password reset in ADSelfService Plus.

  6. Set up the necessary MFA methods.
  7. Based on the methods you choose, users may need to provide the information required for that method to enroll. Go to Configuration > Administrative Tools > Quick Enrollment. You can automatically enroll users, send them a notification, or force them to enroll.

    Image 3. Enrollment methods in ADSelfService Plus.

Troubleshooting account lockout issues after password reset

If a user account remains locked after a password reset, another device or service is usually still using the old password.

Common causes

  • Cached credentials on laptops or mobile devices.
  • VPN, Outlook, or mapped drives using old passwords.
  • Windows services or scheduled tasks.
  • Active Directory replication delays.

Quick fixes

  • Check Event ID 4740 on the PDC Emulator to identify the source device.
  • Remove saved credentials from the affected system.
  • Update passwords for services or scheduled tasks.
  • Verify replication health.
  • Unlock the account and test the sign in again.

Active Directory password reset best practices

  • Enforce identity verification with MFA: Confirm personal details and strengthen the process with MFA, such as OTPs, push notifications, or biometrics.
  • Enforce strong password policies: Block weak, common, or reused passwords and guide users with real-time strength checks.
  • Clear session data after reset: Automatically log out idle sessions so that authenticated password reset sessions aren't misused.
  • Provide confirmation notification: Send notifications for a successful password reset to alert users of any suspicious activity if the reset was not initiated by the user.
  • Validate password strength in real time: Provide immediate feedback during password creation to help users create stronger passwords.
  • Log password reset attempts: Audit all password reset requests for security monitoring, compliance, and quick detection of suspicious activity.
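The "Check Event ID 4740 on the PDC Emulator" step from the troubleshooting section and the "Log password reset attempts" practice above both come down to reading the domain controllers' Security log, so one added PowerShell example (not code from the original article or from ManageEngine) covers both: it pulls 4740 (account locked out) events from the PDC Emulator to name the caller computer still using the old password, and 4724 (password reset attempt) events from every DC to show who reset which account. It assumes the RSAT ActiveDirectory module and read access to the Security log on the domain controllers; the account name queried at the end and the function name are constructed for the example.

```powershell
# Added example, not from the original article: pull the Security events behind the
# "Quick fixes" and "Log password reset attempts" points. 4740 (account locked out)
# identifies the caller computer still using the old password; 4724 (password reset
# attempt) records which administrator reset which account. Assumes the RSAT
# ActiveDirectory module and Security-log read access on the domain controllers; the
# account name queried at the bottom is a constructed sample value.
Import-Module ActiveDirectory

function Get-PasswordEvent {
    param(
        [Parameter(Mandatory)] [ValidateSet(4740, 4724)] [int] $Id,
        [string] $SamAccountName,
        [int] $Hours = 24
    )
    # Lockouts are always forwarded to the PDC Emulator, so one query covers the domain;
    # 4724 is written only on the DC that performed the reset, so every DC is searched.
    $dcs = if ($Id -eq 4740) { @((Get-ADDomain).PDCEmulator) } else { (Get-ADDomainController -Filter *).HostName }
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }

    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Flatten the EventData <Data Name="..."> elements into a hashtable.
                $d = @{}
                foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
                if ($SamAccountName -and $d.TargetUserName -ne $SamAccountName) { return }  # skip this event

                # 4740: TargetDomainName carries the caller computer name (where the stale credential lives);
                # 4724: the Subject fields name the account that performed the reset.
                $source = if ($Id -eq 4740) { $d.TargetDomainName } else { "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $Id
                    Account = $d.TargetUserName
                    Source  = $source
                    DC      = $dc
                }
            }
    }
}

# Where is jdoe's lockout coming from?  (Event 4740 on the PDC Emulator)
Get-PasswordEvent -Id 4740 -SamAccountName 'jdoe' -Hours 48 | Format-Table -AutoSize

# Who reset passwords in the last day, and for whom?  (Event 4724 on all DCs)
Get-PasswordEvent -Id 4724 | Sort-Object Time | Format-Table -AutoSize
```

Once the Source column of the 4740 output points at a workstation or server, that is where to clear the saved credential, VPN profile, mapped drive, or service logon; the 4724 query is the audit trail that shows resets performed by delegated help-desk accounts outside the self-service flow.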

Change AD passwords using ADSelfService Plus

ADSelfService Plus provides a simple, secure way for users to change AD passwords without relying on the help desk. This is ideal when users know their current password and only need to update it before the password expires.

How to change a password in Active Directory using ADSelfService Plus

  1. Complete the MFA flow and sign in to the ADSelfService Plus end-user portal.
  2. Navigate to Change Password.
  3. Enter your current Active Directory password, then a new password that meets the configured password policy.
  4. Enter the new password and click Change Password; the Active Directory password is updated instantly.

This method provides a secure, web-based alternative to the native method of changing Active Directory passwords by pressing Ctrl+Alt+Del and selecting Change Password, making it a simple and secure way to change Active Directory passwords from any browser or device.

Benefits of changing Active Directory passwords via ADSelfService Plus

  • Anytime, anywhere access: Users can perform an Active Directory change password operation from any browser or device.
  • Reduces help desk load: Eliminates routine password-change tickets.
  • Stronger security: The MFA-protected Active Directory password change portal and the custom password policies reduce risk.
  • Remote-user friendly: This solution updates cached credentials so remote employees can sign in without VPN issues.
  • Compliance-ready: Enforces password complexity, history, and custom rules across all change Active Directory password actions.


FAQs

1. What is self-service Active Directory password reset?

Self-service Active Directory password reset, as the name suggests, is the process for users to reset their own Active Directory passwords without help desk assistance.

2. Why is self-service password reset better than help desk-assisted password reset?

Self-service password reset empowers users to reset their own Active Directory passwords without having to wait for help desk personnel to assist them. This ensures that users don't put their work on hold because of a forgotten password, especially while working odd shifts when help desk assistance might not be available.

In help desk-aided password resets, the newly set password is communicated to the user either through email or SMS, both of which are insecure methods. If exposed or intercepted by attackers, it can lead to account takeover attacks, and the consequences can be devastating. Self-service password reset eliminates these security vulnerabilities by enabling users to reset their own passwords without any third-party intervention.

3. What Active Directory password reset tool can I deploy in my organization?

You can leverage ADSelfService Plus' self-service AD password reset capability in your organization. ADSelfService Plus provides a simple, user-friendly console for both admins and end users to interact with. ADSelfService Plus secures all of its self-service functionalities with strong multi-factor authentication (MFA) validators, like biometrics, YubiKey, smart card, and time-based one-time passwords. You can choose from 19 modern authenticators to provide MFA for your users' self-service password reset action.

To gain a better understanding of ADSelfService Plus' self-service password reset capability, please schedule a personalized web demo with our product experts.

4. What are the prominent features of ADSelfService Plus' self-service password reset capability?

With ADSelfService Plus' self-service password reset capability, users can:

  • Reset passwords from logon screens.
  • Reset passwords from web browsers.
  • Reset passwords from mobile devices.
  • Reset passwords from a private network.
  • Securely perform password resets after identity verification using adaptive MFA.

ADSelfService Plus also provides self-service capabilities, like self-service account unlock, self-service password change, and self-service directory update.
