Using PowerShell to Reset Active Directory Passwords in Bulk
Instructor: Rick Trader
One of the issues you might run into after using a bulk import tool to load users into your Active Directory database is that all your User Accounts come into the database with no passwords.
As a result of them coming into the database with no passwords, they’re going to be Disabled Accounts. In this short blog, I will show you how to reset all your user passwords in a specific OU along with enabling those accounts using Windows PowerShell.
First, let me show you the objects. In Active Directory Users and Computers, specifically in a container called Propulsion, I have 50 User Objects.
These user objects were all imported using the CSVDE utility. They were part of a comma-delimited file. The file included items such as Distinguished Name, their Display Name, User Type, along with their Description, and it also includes their Department.
Notice that every one of these objects is disabled. I’m going to use PowerShell to set each of these User Object Passwords and also, at the same time, enable the account.
I could, if it was one or two accounts, right-click on the account and choose reset password and put in the user password and then do the next user and the next user and the next user.
After about an hour, hour and a half of resetting these 50 accounts, I’d be done.
One thing I do want you to notice is when I’m resetting the account there’s this notification called User must change password at next log on. I could either enable or disable that.
In this case, I’m going to leave it enabled with the PowerShell script.
But there is one of the attributes, one of the properties, that we could set that would not require them to change their password. We’re going to put in a default password. Let’s go ahead and get started.
The first thing I’m going to do is launch my PowerShell prompt. If you’re using PowerShell v2, you’ll need to import the Active Directory module. If you’re using PowerShell v3 or v4, you will not have to import the module, but I’m going to go ahead and import it anyway.
The Active Directory module will be imported. Also, when I actually run the command here in a few seconds, you won’t actually see it load the Active Directory module behind the scenes.
We’ve now loaded the Active Directory manifest. I’m going to go ahead and do a CD/, so I have more room to type.
PowerShell cannot pass a cleartext password to Active Directory.
I’m going to go ahead and set a variable for my password. I’m going to use the dollar sign $ and call it PWD for my password, then an equals sign =, and I’ll have it read from the host with Read-Host and have the input entered as a SecureString.
This way, it’ll convert the password that I’m going to type in into a SecureString. If I hit enter, it’s going to ask me for my password.
I’ll have to type in a password that meets the complexity requirements of Active Directory. Now, if I just do a $pwd to bring up the variable, notice it says my variable is a SecureString.
I’ll now be able to pass this into my Active Directory environment. I’m going to clear the screen.
The next thing I want to do is go get my AD users with Get-ADUser. If I wanted a specific AD user, I could get one account by typing in the account here.
I’m going to do a filter. I want to find all the User Accounts that are Disabled inside the OU because it came in as a disabled account. I don’t want to be resetting passwords for user objects that were already enabled. So I’ll set Enabled is equal to false.
I also want to do a -SearchBase inside a specific OU. The OU will be Propulsion in a domain container USSHQ in the domain container local.
All I’m going to do here is I’m just going to hit enter and have it bring me back the results.
I want to make sure these are the users. I’m going to go ahead and run it and notice it brings up all my user objects.
Once it runs, I’m just going to go look at any one of the users. I have a user called Shaun Sparks. They’re not enabled. They’re a user object and they are located in the Propulsion OU.
These are the users I want to reset the password for.
I always want to do this first. I want to make sure I’m resetting the appropriate User Object. I’m going to come in. I’m just going to up arrow once and now I’m going to pipe [ | ], so that as an object gets added in to the pipeline it’ll run the next command on here.
The command I’m going to run is Set-ADAccountPassword; I’ll do a TAB complete and it will eventually cycle around to Set-ADAccountPassword.
Then, space, and I’m going to put in -NewPassword as the parameter, space.
My new password is dollar sign $PWD
That is the variable I just set. Then I want to do a -Reset, so it resets the actual password. Now I’m going to do a -PassThru so it passes the object through to Active Directory.
At the same time, I want to enable the AD account, so I pipe to Enable-ADAccount; that will enable the account.
All this will be done at one time. Now, if I wanted to do something like set a password that never expires, I could set that attribute.
If I wanted to set it so the user didn’t have to change their password at logon, there’s an attribute for change password at logon. I would set that to false. I simply do this. I hit enter and it’s going through and “no news is good news”.
I minimize PowerShell. I’ll come back into my Propulsion OU, and refresh the OU.
Notice all of my User Accounts have just gone green. They’re all no longer disabled and all these User Accounts have been reset to a default password.
If I double-click on any account and I go and I look at the account profile, notice this check down here. The user doesn’t have to change their password, but they will because it was set that way when I reset the password.
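The steps above assembled into one script, as an added example that is not the instructor's original code. The distinguished name is reconstructed from the OU and domain named in the text; the variable names, the `$DryRun` switch, the `pwdLastSet` filter and the explicit `-ChangePasswordAtLogon` are assumptions of this example.

```powershell
# Added example: the walkthrough's steps as one script, with a dry-run switch.
Import-Module ActiveDirectory   # needed on PowerShell v2; harmless on v3 and later

# DN reconstructed from the text: OU Propulsion in the domain USSHQ.local.
$SearchBase = 'OU=Propulsion,DC=USSHQ,DC=local'
$DryRun     = $true   # hypothetical switch: set to $false to apply the changes

# $PWD is PowerShell's automatic current-location variable, so a different
# name is used here. Read-Host -AsSecureString masks the typed value and
# keeps it out of the command history.
$NewPassword = Read-Host -Prompt 'Default password' -AsSecureString

# Step 1: list the targets first. Besides Enabled -eq $false (as in the text),
# pwdLastSet -eq 0 (password never set, or already flagged for change) narrows
# the set so accounts disabled on purpose with a live password are left alone.
$targets = @(Get-ADUser -SearchBase $SearchBase -Properties pwdLastSet `
    -Filter 'Enabled -eq $false -and pwdLastSet -eq 0')
$targets | Format-Table Name, SamAccountName, Enabled -AutoSize
Write-Host "$($targets.Count) account(s) selected under $SearchBase"

# Step 2: reset the password, require a change at next logon, then enable.
$results = foreach ($user in $targets) {
    try {
        Set-ADAccountPassword -Identity $user -NewPassword $NewPassword -Reset `
            -WhatIf:$DryRun -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true `
            -WhatIf:$DryRun -ErrorAction Stop
        Enable-ADAccount -Identity $user -WhatIf:$DryRun -ErrorAction Stop
        $status = if ($DryRun) { 'DryRun' } else { 'ResetAndEnabled' }
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; Status = $status; Error = $null }
    }
    catch {
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; Status = 'Failed'
                           Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Step 3: confirm the end state instead of relying on "no news is good news".
if (-not $DryRun) {
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties PasswordLastSet |
        Sort-Object Enabled |
        Format-Table SamAccountName, Enabled, PasswordLastSet -AutoSize
}
```

Because every account receives the same default password, the forced change at next logon is what limits how long that shared value stays valid.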
Using PowerShell, I can actually reset hundreds and even thousands of accounts in a matter of minutes, instead of right-clicking each user and changing the data individually.
Until next time, write safe…
Windows Server Instructor – Interface Technical Training