Home
PowerShell
Secure & Automated Password Reset with PowerShell Command

Secure & Automated Password Reset with PowerShell Command

The PowerShell script given below can be used to automatically reset the passwords at regular intervals. ADSelfService Plus also offers an option that can be used to automatically reset domain user’s passwords when they expire. When this option is enabled, a scheduler runs at regular intervals to search for password expired user accounts and automatically resets the passwords. The new password is then mailed to the user. Here is a comparison between the automatic password reset using PowerShell and ADSelfService Plus:

With PowerShell

 		   Param (

[Parameter(Mandatory=$True)]

[String]$InputFile



) Function MakeRandomPass {

Param (

[Int]$PLength

)

If ($PLength -LT 4) {Return $Null}

$Numbers = $Null

For ($A=48;$A -LE 57;$A++) {$Numbers+=,[Char][Byte]$A}

$UpCase = $Null

For ($A=65;$A -LE 90;$A++) {$UpCase+=,[Char][Byte]$A}

$LowCase = $Null

For ($A=97;$A -LE 122;$A++) {$LowCase+=,[Char][Byte]$A}

$SpChar = $Null

For ($A=33;$A -LE 47;$A++) {$SpChar+=,[Char][Byte]$A}

For ($A=58;$A -LE 64;$A++) {$SpChar+=,[Char][Byte]$A}

For ($A=123;$A -LE 126;$A++) {$SpChar+=,[Char][Byte]$A}



$Buffer = @()

For ($A=1;$A -LE $PLength;$A++) {$Buffer+=0}

While ($True) {

$NumChar = (Get-Random -Minimum 0 -Maximum $PLength)

If ($Buffer[$NumChar] -EQ 0) {$Buffer[$NumChar] = 1; break}

}

While ($True) {

$NumChar = (Get-Random -Minimum 0 -Maximum $PLength)

If ($Buffer[$NumChar] -EQ 0) {$Buffer[$NumChar] = 2; break}

}

While ($True) {

$NumChar = (Get-Random -Minimum 0 -Maximum $PLength)

If ($Buffer[$NumChar] -EQ 0) {$Buffer[$NumChar] = 3; break}

}

While ($True) {

$NumChar = (Get-Random -Minimum 0 -Maximum $PLength)

If ($Buffer[$NumChar] -EQ 0) {$Buffer[$NumChar] = 4; break}

}

$ThisPassword = $Null

ForEach ($CharType In $Buffer) {

If ($CharType -EQ 0) {

$CharType = ((1,2,3,4) | Get-Random)

}

Switch ($CharType) {

1 {$ThisPassword+=($Numbers | Get-Random)}

2 {$ThisPassword+=($UpCase | Get-Random)}

3 {$ThisPassword+=($LowCase | Get-Random)}

4 {$ThisPassword+=($SpChar | Get-Random)}

}

}

Return $ThisPassword

}



$ErrorActionPreference = "SilentlyContinue"

$T = Get-Date

If ($Error) {$Error.Clear()}

Write-Host "`n"

Write-Host "Working. Please wait"

Write-Host "`n"

$RepFile = $T -Replace " ", $Null

$RepFile = $RepFile -Replace ":", $Null

$RepFile = $RepFile -Replace "/", $Null

$RepFile = $RepFile -Replace "-", $Null

If (Test-Path "Report_$RepFile.txt") {

Remove-Item "Report_$RepFile.txt"

}

New-Item -Path "Report_$RepFile.txt" -Type File -Force -Value "REPORT: Reset Local User Account Password On Multiple Computers" | Out-Null

Add-Content "Report_$RepFile.txt" "`n"

Add-Content "Report_$RepFile.txt" "`n"

Add-Content "Report_$RepFile.txt" "Report Created On $T"

Add-Content "Report_$RepFile.txt" 

Add-Content "Report_$RepFile.txt" "`n"



Import-CSV -Path $InputFile | ForEach-Object {

Try {

$ThisMachine = $_.ComputerName

$ThisAccount = $_.LocalAccountLoginID

If (!([string]::IsNullOrEmpty($ThisMachine)) -AND !([string]::IsNullOrEmpty($ThisAccount))) {

Write-Host "`tAttempting to reset the  local account password in computer: $ThisMachine" -ForeGroundColor "Yellow"

$PassToSet = MakeRandomPass 20

$ThisUser = [ADSI]"WinNT://$ThisMachine/$ThisAccount, User"

$ThisUser.SetPassword($PassToSet)

$ThisUser.SetInfo()

If (!$Error) {                 Add-Content "Report_$RepFile.txt" "$ThisMachine `t`t -- $ThisAccount `t`t -- $PassToSet `t`t --success: Password Has Been Reset/Changed."

}

}       

}

Catch {

[System.Exception] | Out-Null

If ($Error) {

Add-Content "Report_$RepFile.txt" "$ThisMachine `t`t -- $ThisAccount `t`t -- Password Reset has failed. An Error Has Occurred."

Add-Content "Report_$RepFile.txt" $Error

$Error.Clear()

}

}

}

Write-Host "`n"

Write-Host "Task Completed. Check Report File: Report_$RepFile.txt"

Notepad "Report_$RepFile.txt"

Write-Host "`n"

With ADSelfService Plus

In ADSelfService Plus:

Go to Configuration > Policy Configuration.
Create a new policy.
Once the information required to create the policy is provided, click on Advanced, navigate to the Automation tab and select the Automatically resets domain user’s passwords when they expire checkbox.
Specify the Frequency at which the scheduler should be run.
Select the Upon automatic password reset, force users to change password at next logon checkbox if required.
The Reset password to field can be set to Custom text or Password Policy (a random password generated based on the custom password policy).
Move to Notification > Reset Password and enter the necessary details to notify users about their reset passwords.
Click OK and in the Policy Configuration section, click Save.

Advantages of ADSelfService Plus

Quick configuration: With ADSelfService Plus, automatic password reset can be enabled by a few clicks and entering minimal information. In PowerShell, this requires creating, debugging, and running scripts.
Choose which users' passwords can be automatically reset: When creating an ADSelfService policy, administrators can select the domain, OUs, and groups whose users can have their passwords automatically reset upon expiration. Using PowerShell to automate password resets for specific users will require creating an extensive script
Prevent the creation of weak passwords: ADSelfService Plus' Password Policy Enforcer allows administrators to create and enforce custom password policies that inhibit the creation of weak passwords. The passwords generated automatically can be chosen to comply with this custom password policy.
Synchronize passwords with enterprise applications: ADSelfService Plus' Password Synchronization feature, when enabled, automatically syncs the new password with the user's accounts in enterprise applications like G Suite and Salesforce.
Audit report for passwords reset: Captures all password reset operations including automated password resets in reports that can be easily generated with a single click and exported in various formats such as HTML, CSV, PDF, and XLS.
Notify administrators: Administrators are periodically sent a consolidated report that contains details on all the password reset operations.

Automating password reset using PowerShell

Step 1: Identify users needing a password reset

The script below lists users who haven’t changed passwords in 90 days.

$users = Get-ADUser -Filter {PasswordLastSet -lt (Get-Date).AddDays(-90)} -Properties PasswordLastSet

Step 2: Reset password for users

Run the script below to automatically reset passwords for all identified users. This resets passwords to NewPassword123.

foreach ($user in $users) {

$newPassword = ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force

Set-ADAccountPassword -Identity $user.SamAccountName -NewPassword $newPassword -Reset

}

Step 3: Force users to change password at next login

Ensure users update their passwords with a prompt to set a new password at the next login.

foreach ($user in $users) {

Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true

}

Step 4: Notify users about their reset passwords

Send email alerts to users about the reset.

foreach ($user in $users) {

Send-MailMessage -To $user.EmailAddress -From "admin@yourdomain.com" -Subject "Password Reset" -Body "Your password has been reset. Please update it upon your next login."

}

FAQs

1. How can I reset a user's password using PowerShell?

Reset a user's password using the script below. Replace "NewPass@123" with the new password.

Set-ADAccountPassword -Identity username -NewPassword (ConvertTo-SecureString "NewPass@123" -AsPlainText -Force) -Reset

2. How do I force the user to change their password at the next login?

Force the user to change their password using the script below.

Set-ADUser -Identity username -ChangePasswordAtLogon $true

3. Can I reset passwords for multiple users in bulk?

Yes, use a CSV file and script automation to reset passwords for multiple users in bulk.

Automatically reset Active Directory users' passwords.

Try it now for free

Secure & Automated Password Reset with PowerShell Command

Advantages of ADSelfService Plus

Automating password reset using PowerShell

Step 1: Identify users needing a password reset

Step 2: Reset password for users

Step 3: Force users to change password at next login

Step 4: Notify users about their reset passwords

FAQs

1. How can I reset a user's password using PowerShell?

2. How do I force the user to change their password at the next login?

3. Can I reset passwords for multiple users in bulk?

Automatically reset Active Directory users' passwords.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management

Related features:

Related Powershell Guides:

Secure & Automated Password Reset with PowerShell Command

Advantages of ADSelfService Plus

Automating password reset using PowerShell

Step 1: Identify users needing a password reset

Step 2: Reset password for users

Step 3: Force users to change password at next login

Step 4: Notify users about their reset passwords

FAQs

1. How can I reset a user's password using PowerShell?

2. How do I force the user to change their password at the next login?

3. Can I reset passwords for multiple users in bulk?

Automatically reset Active Directory users' passwords.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management