Ways to reset Active Directory Password

When Active Directory users forget their domain passwords or let their passwords expire, it becomes the admins’ burden to reset the passwords. Password-related help desk tickets are still one of the most common tickets received by the help desk. Resetting passwords quickly and securely is important. There are multiple methods through which admins can reset a user’s password. They are:

  • Active Directory Users and Computers (ADUC) console
  • DSMOD command-line tool
  • PowerShell script
  • Third-party Active Directory password management tools

In this article, we will see how to use these methods to reset Active Directory passwords and which method is best suited.

Before you begin

Irrespective of the method you use, you need sufficient permissions in Active Directory to reset users’ passwords. You must either be part of the Domain Admins group or at least be a member of the Account Operators security group in Active Directory. If you are delegating password reset tasks to help desk technicians, you can use the OU delegation feature in AD to assign the reset password permission.
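
As an added example (not part of the original article), the OU delegation mentioned above can be granted with dsacls and then audited by listing every trustee on the OU whose rights include resetting passwords. The OU and group names are placeholders.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module (it provides the AD: drive)
# and rights to edit the OU's ACL. $ou and $group are placeholder names.
Import-Module ActiveDirectory
$ou    = 'OU=Staff,DC=mydomain,DC=com'
$group = 'MYDOMAIN\HelpDesk-PasswordReset'

# Grant only what a reset needs, on user objects below the OU (/I:S = sub-objects only).
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"   # Reset Password extended right
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"       # lets them force change at next logon

# Audit: list Allow entries that carry the Reset Password right, either named
# explicitly or implied by "all extended rights" / Full Control (empty ObjectType).
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$extended      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq $resetPassword -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
# This reads the OU's ACL only; entries set directly on individual user objects
# are not shown and need the same check per object.
```

Any trustee in the output other than the intended help desk group and the built-in administrative groups is worth reviewing.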

Resetting passwords through ADUC console

Note: If you don’t have access to the domain controller, make sure you install the Remote Server Administration Tools (RSAT) and enable the ADUC MMC snap-in.

  1. Log in to a domain-connected computer and open the Active Directory Users and Computers console.
  2. Find the user account whose password you want to reset.
  3. In the right pane, right-click on the user account and select Reset Password.
  4. Type the new password and enter it again to confirm.

Using ADUC, you can select multiple user accounts and then set a common password for the selected users. However, you can only select users in a single organizational unit and only a common password can be set for the selected users.

Resetting passwords using Dsmod command line

The Directory Service Modification (Dsmod) tool is a command-line tool that can be used in Windows Server 2003 to Windows Server 2012 to modify directory service objects. It is available if you have the Active Directory Domain Services (AD DS) server role installed. Although PowerShell has replaced Dsmod, it is still a great tool for modifying user account properties, including resetting passwords.

To use Dsmod, you must run the Dsmod command from an elevated Command Prompt. To open an elevated Command Prompt, click Start, right-click Command Prompt, and then click Run as administrator.

To reset the password for John Doe and force him to change his password when he next logs on to the network, type:

DSMOD user "CN=John Doe,CN=Users,DC=mydomain,DC=Com" -pwd A1b2C3d4 -mustchpwd yes

While this command seems simple enough, you need to provide the distinguished name of the user. Dsmod commands don’t accept sAMAccountName. Further, resetting the passwords of multiple user accounts would make the command more complex and error-prone.

Resetting passwords using PowerShell cmdlets

The Set-ADAccountPassword PowerShell cmdlet can be used to perform password reset operations. Its “-Identity” parameter accepts a user account’s sAMAccountName as well as its distinguished name or object GUID. To reset the password for a single user account, execute the PowerShell command below:

Set-ADAccountPassword -Identity JohnDoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ThisPassword001" -Force)

While PowerShell scripts are a great way to reset a user’s password, the script would get too complex if you want to reset passwords of multiple users.
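
A multi-user reset built on the same cmdlet, as an added example that is not part of the original article: each account gets its own random temporary password (instead of the single common password ADUC allows), no password literal is typed into the console, and a change is forced at next logon. The account names are constructed samples.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory module
# and reset-password rights; the account names below are constructed samples.
Import-Module ActiveDirectory

function Get-RandomBelow([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$N) {
    # Unbiased integer in [0, N) for N <= 256: reject bytes that would skew the modulo.
    $b = New-Object byte[] 1
    $limit = 256 - (256 % $N)
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return ($b[0] % $N)
}

function New-TempPassword([int]$Length = 16) {
    # Look-alike characters (0/O, 1/l/I) are omitted because temp passwords get retyped.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%*+-=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character per class satisfies AD complexity; the rest come from the full set.
        $chars = @(foreach ($s in $sets) { $s[(Get-RandomBelow $rng $s.Length)] })
        while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomBelow $rng $all.Length)] }
        # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomBelow $rng ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return (-join $chars)
    } finally { $rng.Dispose() }
}

$users = 'JohnDoe', 'JaneRoe'   # sAMAccountNames (sample values)
$results = foreach ($name in $users) {
    $plain = New-TempPassword
    try {
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $name -Reset -NewPassword $secure -ErrorAction Stop
        # Same effect as Dsmod's "-mustchpwd yes": the user must replace it at next logon.
        Set-ADUser -Identity $name -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $name; TempPassword = $plain; Status = 'Reset' }
    } catch {
        [pscustomobject]@{ User = $name; TempPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}
$results   # hand each temp password to its owner over a verified channel; do not log it
```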

Resetting passwords using ADSelfService Plus

ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, empowers end users to reset passwords on their own. It employs secure authentication methods, such as YubiKey Authenticator, Google Authenticator, and biometric authentication, to verify users’ identities before allowing them to reset passwords. There’s more:

  • Users can reset their Active Directory passwords right from the login screen of their Windows, Linux, and macOS machines, as well as through their mobile devices using the ADSelfService Plus Android and iOS apps.
  • Self-service password reset and account unlock can be enabled for all the users in the domain or for specific users by creating OU and group-based policies.
  • Passwords can be checked for complexity and compliance through the built-in password policy enhancer feature which contains dictionary rule, pattern checker, and other complexity settings that are missing in AD domain password policy.

To enable self-service password reset for Active Directory users using ADSelfService Plus:

  1. Download and install ADSelfService Plus.
  2. Log in using admin credentials.
     Note: By default, both the username and the password for ADSelfService Plus are admin.
  3. You’ll be asked to configure your AD domain. For authentication, make sure you provide an account that has reset password privilege in Active Directory.
  4. Go to Configuration > Self-Service > Policy Configuration.
  5. Select the Reset Password checkbox. Then, click Select OUs/Groups to select the users for whom you want to enable this feature.
  6. Click Save Policy.
  7. Click Multi-Factor Authentication (below the Policy Configuration menu).
  8. Set up the necessary multi-factor authentication methods. Based on the methods you choose, users may need to provide the information required for that method in a process called enrollment.
  9. Now enroll users by going to Configuration > Administrative Tools > Quick Enrollment. You can automatically enroll users, send them a notification, or force them to enroll.

That’s it! Once users are enrolled, they can reset their passwords, without contacting the help desk.
