Using PowerShell to Reset Active Directory Passwords in Bulk


Added by Rick Trader, September 19, 2014


Instructor: Rick Trader

Video Transcription:

One of the issues you might run into after using a bulk import tool into your Active Directory database is all your User Accounts come into the database with no passwords.

As a result of them coming into the database with no passwords, they’re going to be Disabled Accounts. In this short blog, I will show you how to reset all your user passwords in a specific OU along with enabling those accounts using Windows PowerShell.

First, let me show you the objects. In Active Directory Users and Computers, in a container called Propulsion, I have 50 User Objects.


These user objects were all imported using the CSVDE utility from a comma-delimited file. The file included items such as Distinguished Name, Display Name, User Type, Description, and Department.

Notice that every one of these objects is disabled. I'm going to use PowerShell to set each of these User Object passwords and, at the same time, enable the account.

If it was one or two accounts, I could right-click on the account, choose Reset Password, put in the user password, and then do the next user and the next user and the next user.


After about an hour, hour and a half of resetting these 50 accounts, I’d be done.

One thing I do want you to notice is that when I'm resetting the account there's an option called "User must change password at next logon". I could either enable or disable that.


In this case, I’m going to leave it enabled with the PowerShell script.

But there is a property that we could set that would not require them to change their password. We're going to put in a default password. Let's go ahead and get started.

The first thing I’m going to do is launch my PowerShell prompt. If you’re using PowerShell v2, you’ll need to import the Active Directory module. If you’re using PowerShell v3 or v4, you will not have to import the module, but I’m going to go ahead and import it anyway.


The Active Directory module will be imported. Otherwise, when I run the command here in a few seconds, you wouldn't actually see it load the Active Directory module behind the scenes.


We’ve now loaded the Active Directory manifest. I’m going to go ahead and do a CD/, so I have more room to type.


PowerShell cannot pass a cleartext password to Active Directory; it has to be supplied as a SecureString.

I'm going to go ahead and set a variable for my password. I'm going to use the dollar sign ($) and call it PWD for my password, then equals (=), and I'll have it Read-Host, and then I'm going to have it entered as a SecureString.


This way, it will convert the password I type in to a SecureString. When I hit Enter, it's going to ask me for my password.


I’ll have to type in a password that meets the complexity requirements of Active Directory. Now, if I just do a $pwd to bring up the variable, notice it says my variable is a SecureString.


I'll now be able to pass this into my Active Directory environment. I'm going to clear the screen.

The next thing I want to do is go get my AD users (Get-ADUser). If I want to get a specific AD user, I could type in the account here and get that one account.


I'm going to do a filter. I want to find all the User Accounts that are disabled inside the OU, because they came in as disabled accounts. I don't want to be resetting passwords for user objects that were already enabled. So I'll set Enabled is equal to false.


I also want to do a -SearchBase inside a specific OU. The OU will be Propulsion, in the domain component USSHQ, in the domain component local.


All I’m going to do here is I’m just going to hit enter and have it bring me back the results.

I want to make sure these are the users. I'm going to go ahead and run it, and notice it brings up all my user objects.


Once it runs, I'm just going to look at any one of the users. I have a user called Shaun Sparks. They're not enabled, they're a user object, and they are located in the Propulsion OU.


These are the users I want to reset the password for.

I always want to do this first. I want to make sure I'm resetting the appropriate User Objects. I'm just going to up arrow once, and now I'm going to pipe [ | ], so that as each object gets added into the pipeline it'll run the next command on it.


The command I'm going to run is Set-ADAccountPassword. I'll do a TAB complete and it will eventually work around to Set-ADAccountPassword.

Then, space, and I'm going to put in -NewPassword as the attribute, space.


My new password is dollar sign $PWD


That is the variable I just set. Then I want to do a -Reset, so it resets the actual password. Now I'm going to do a -PassThru so it passes the object through to Active Directory.


At the same time, I want to enable the AD account: Enable-ADAccount, so that will enable the account.


All this will be done at one time. Now, if I wanted to do something like set a password that never expires, I could set that attribute.

If I wanted to set it so the user didn't have to change their password at logon, there's an attribute for change password at logon; I would set that to false. I simply do this: I hit Enter, it goes through, and "no news is good news".

I minimize PowerShell. I’ll come back into my Propulsion OU, and refresh the OU.


Notice all of my User Accounts have just gone green. They’re all no longer disabled and all these User Accounts have been reset to a default password.

If I double-click on any account and I go and I look at the account profile, notice this check down here. The user doesn’t have to change their password, but they will because it was set that way when I reset the password.


Using PowerShell, I can actually reset hundreds and even thousands of accounts in a matter of minutes, instead of right-clicking each user and changing the data individually.
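The commands in this walkthrough were shown only as screenshots. The following is an added reconstruction of the procedure as text, not the author's original script; the OU path is assembled from the names given in the transcript, and the variable names, the review step, and the explicit Set-ADUser -ChangePasswordAtLogon step are assumptions of this example.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and delegated
# rights to reset passwords and enable accounts in the target OU.
Import-Module ActiveDirectory   # needed on PowerShell v2; auto-loaded on v3 and later

# $PWD is PowerShell's automatic variable for the current location,
# so this example uses a different name for the password variable.
$NewPassword = Read-Host -Prompt 'Default password' -AsSecureString

# OU=Propulsion in the domain USSHQ.local, as described in the transcript.
$SearchBase = 'OU=Propulsion,DC=USSHQ,DC=local'

# Step 1: list exactly which accounts will be touched before changing anything.
# Only accounts that are currently disabled inside this OU are selected.
$Targets = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase
$Targets | Select-Object Name, Enabled, DistinguishedName | Format-Table -AutoSize
Write-Host "$(@($Targets).Count) disabled account(s) selected in $SearchBase"

# Step 2: reset the password, require a change at next logon, then enable.
# -PassThru makes each cmdlet emit the account object to the next pipeline stage.
# Every account receives the same default password, so forcing the change at
# first logon is set before the account is enabled.
# Append -WhatIf to each of the three cmdlets for a dry run.
$Targets |
    Set-ADAccountPassword -NewPassword $NewPassword -Reset -PassThru |
    Set-ADUser -ChangePasswordAtLogon $true -PassThru |
    Enable-ADAccount

# Step 3: confirm nothing in the OU is still disabled.
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase |
    Select-Object Name, DistinguishedName
```

An empty result from the last command means every selected account was reset and enabled; any account listed there failed, typically because the password did not meet the domain's complexity policy.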


Until next time, write safe…
Rick Trader

Windows Server Instructor – Interface Technical Training 

Phoenix, AZ



See what people are saying...

  1. Bill Sentience

    Real helpful putting the script snippets in images rather than copy-pastable text.

  2. NickyAdam

    What is the script for having the user change password at next logon in PowerShell?

  3. Rick Trader

    Nikhil – If you know the OU for the user / users you are wanting to reset the passwords on just modify the -Searchbase parameter to the desired OU path. If you are resetting users in multiple OUs I would recommend you reset the users in each OU separately.

    If they are all disabled accounts you could filter for those accounts that are disabled across multiple OUs, you have to ensure that the accounts you are wanting to reset are the only disabled accounts if you are using this method.

    Hope this helps.


  4. Nikhil

    Is it possible to reset password of users from different OU?

  5. Suzette Ritchey

    Thanks so much. Great tutorial. I was sweating it! All fixed!

  6. Andrew

    Thanks for sharing. I also wrote an article that will complement yours about the top Active Directory PowerShell commands to use to manage your AD environment.

  7. Ryan

    Nicely described procedure! Thanks for sharing this. I also share a useful resource if anyone wants to avoid the difficulties involved in resetting password through PowerShell.
