Active Directory: Bulk User Password Reset by PowerShell


If you need to reset passwords for a large number of user accounts, the following PowerShell scripts are for you.

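The first script requires a file with usernames listed one per line. Check the UserList.txt file location in the script, and change the password in the ConvertTo-SecureString cmdlet to your own. Then you are good to go. Note that every account in the list receives this same password, and that it sits in plain text in the script file.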

#
# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and
# set the property to change password required at next logon
#
# Written by: Anand Venkatachalapathy
#

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText "AwesomeP@ssw0rd" -Force

# Get the list of accounts from the file
# List the user names one per line; blank lines are skipped,
# because an empty name makes Get-ADUser fail on its Identity parameter
$users = Get-Content -Path c:\MyScripts\UserList.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

ForEach ($user in $users)
{
    # Set the default password for the current account
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset

    # If you need to set the property "Change password at next logon",
    # leave the next line alone. If not, comment out the next line
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true

    Write-Host "Password has been reset for the user: $user"
}

# ------------- End -----------

The second script does bulk password changes for similarly named user accounts, e.g., TestUser001 to TestUser100. Change the password and the user account name in the filter to your own.

#
# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and 
# set the property to change password required at next logon
#
# Written by: Anand Venkatachalapathy
#

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText "AwesomeP@ssw0rd" -Force

# Set the default password for all users named TestUserXX
# e.g., TestUser001 to TestUser100
# Note: "*TestUser*" matches every account whose name contains TestUser;
# run the Get-ADUser line on its own first to check which accounts it returns
Get-ADUser -Filter { SAMAccountName -like "*TestUser*"} `
| Set-ADAccountPassword -NewPassword $password -Reset

# If you need to set the property "Change password at next logon",
# leave the next line alone. If not, comment out the next line
Get-ADUser -Filter { SAMAccountName -like "*TestUser*"} `
| Set-AdUser -ChangePasswordAtLogon $true
    

# ------------- End -----------
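Both scripts above give every account the same password and keep it in the script file. The variant below is an added example, not the original author's code: it issues a different random temporary password per account and reports failures per user instead of stopping. The helper name New-TempPassword, the 16-character length and the result layout are assumptions; the list path is the one used in the first script.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: random temporary password from a 64-symbol alphabet.
# 256 is a multiple of 64, so "byte % 64" picks every symbol with equal probability.
function New-TempPassword {
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present,
            # so the result satisfies the AD password complexity rule
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally {
        $rng.Dispose()
    }
    $pw
}

# One user name per line; trim and drop blank lines
$names = Get-Content -Path 'C:\MyScripts\UserList.txt' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

$results = foreach ($name in $names) {
    try {
        $user   = Get-ADUser -Identity $name -ErrorAction Stop
        $plain  = New-TempPassword
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $name; Status = 'Reset'; TempPassword = $plain }
    } catch {
        # Record the failure and continue with the next account
        [pscustomobject]@{ User = $name; Status = "Failed: $($_.Exception.Message)"; TempPassword = $null }
    }
}

# Show the outcome without printing the passwords; $results still holds them
# in memory for hand-off through whatever channel delivers them to the users
$results | Select-Object User, Status | Format-Table -AutoSize
```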

7 thoughts on “Active Directory: Bulk User Password Reset by PowerShell”

  1. Anand,
    Thanks for the script, I would love to get this working. The script errors when run.
    The pw.txt file contains one user name for testing.
    I am new to powershell could you assist?

    Thanks

    Sophie

    PS C:\Users\administrator.ACME> $password = ConvertTo-SecureString -AsPlainText “Password99” -Force

    PS C:\Users\administrator.ACME> $users = Get-Content -Path c:\q\pwstuff\pw.txt

    PS C:\Users\administrator.ACME> ForEach ($user in $users) {Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset}
    Get-ADUser : Cannot validate argument on parameter ‘Identity’. The Identity property on the argument is null or empty.
    At line:1 char:39
    + ForEach ($user in $users) {Get-ADUser $user | Set-ADAccountPassword -NewPassword …
    + ~~~~~
    + CategoryInfo : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    PS C:\Users\administrator.ACME>

  2. Anand,
    Thanks for posting the script, but it errors when run. I am new to powershell, could you help please?

    many thanks

    Sophie

    The text file contains 1 user for testing.
    The error message is as follows:-
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    PS C:\Users\administrator.ACME> $password = ConvertTo-SecureString -AsPlainText “Password99” -Force

    PS C:\Users\administrator.ACME> $users = Get-Content -Path c:\q\pwstuff\pw.txt

    PS C:\Users\administrator.ACME> ForEach ($user in $users) {Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset}
    Get-ADUser : Cannot validate argument on parameter ‘Identity’. The Identity property on the argument is null or empty.
    At line:1 char:39
    + ForEach ($user in $users) {Get-ADUser $user | Set-ADAccountPassword -NewPassword …
    + ~~~~~
    + CategoryInfo : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  3. Guys,

    I have an Excel spreadsheet that has 150 entries of domainname\username. I saved the spreadsheet as a *.csv file called TestCConnAccountstobeReset.csv. I copy-pasted the script with some adjustment of the file name, location, and password. I am logged on to the company’s main domain, but the accounts are on another domain. In AD, I have located the accounts and verified they are in the other domain, and not in my domain, but I get the error message below for each account. I know that I need to either change or set the domain that the accounts are located on, but I am unsure exactly how to do that. I will make some attempts to fix this myself while I wait for suggested solutions. Thanks.
    Script
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    #
    # Script: ResetPwd.ps1
    # Description: Reset the password for bulk number of users, and
    # set the property to change password required at next logon
    #
    # Written by: Anand Venkatachalapathy
    #

    Import-Module ActiveDirectory

    # Set the default password
    $password = ConvertTo-SecureString -AsPlainText “Welcome1” -Force

    # Get the list of accounts from the file on file
    # List the user names one per line
    $users = Get-Content -Path C:\Users\james-norwood\Documents\TestCConnAccountstobeReset.csv

    ForEach ($user in $users)
    {
    # Set the default password for the current account
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset

    #If you need to set the property “Change password at next logon”,
    #leave the next alone. If not, comment the next line
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true

    Write-Host “Password has been reset for the user: $user”
    }

    # ————- End ———–
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ERROR/PROBLEMS
    Get-ADUser : Cannot find an object with identity: ‘domainname\username’ under: ‘DC=domainname,DC=com’.
    At C:\Users\myname\Documents\Scripts\AD_BulkUsersPasswdResetforFile.ps1:25 char:5
    + Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true
    + ~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (domainname\username) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: ‘domainname\username’ under ‘DC=domainname,DC=com’.,Microsoft.ActiveDirectory.Management.Commands.GetADUser
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Suggested Solution
    # Set the Domain
    $domain = Get-ADDomain domainname.com
    $domain.ManagedBy = myusername #On domainname
    Set-ADDomain -Instance $domain
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Final Script with Solution
    #
    # Script: ResetPwd.ps1
    # Modified: AD_BulkUsersPasswdResetforFile.ps1
    # Description: Reset the password for bulk number of users, and
    # set the property to change password required at next logon
    #
    # Written by: Anand Venkatachalapathy
    #

    Import-Module ActiveDirectory

    # Set the Domain
    $domain = Get-ADDomain domainname.com
    $domain.ManagedBy = myusername #On Domain
    Set-ADDomain -Instance $domain

    # Set the default password
    $password = ConvertTo-SecureString -AsPlainText “Welcome1” -Force

    # Get the list of accounts from the file on file
    # List the user names one per line
    $users = Get-Content -Path C:\Users\myname\Documents\TestCConnAccountstobeReset.csv

    ForEach ($user in $users)
    {
    # Set the default password for the current account
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset

    #If you need to set the property “Change password at next logon”,
    #leave the next alone. If not, comment the next line
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true
    }

    # ————- End ———–
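Added example, not part of the comment above or of the original script: Get-ADUser looks an identity up in the current domain unless -Server names another one, and it does not accept the `domainname\username` form as an identity. The sketch below splits each list entry into domain and account name and passes the domain to -Server. The helper name Split-ListedAccount and the list path are assumptions, and the account running it is assumed to hold password-reset rights in the target domain.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: split 'DOMAIN\user' into the domain to query and the SAM account name
function Split-ListedAccount {
    param([Parameter(Mandatory)][string]$Entry)
    $parts = $Entry.Trim() -split '\\', 2
    if ($parts.Count -eq 2 -and $parts[0] -and $parts[1]) {
        [pscustomobject]@{ Server = $parts[0]; Sam = $parts[1] }
    } else {
        # No domain prefix: leave Server empty so the current domain is used
        [pscustomobject]@{ Server = $null; Sam = $Entry.Trim() }
    }
}

$listPath = 'C:\MyScripts\UserList.txt'     # placeholder path, one entry per line
# Prompt for the temporary password instead of storing it in the script
$password = Read-Host -AsSecureString -Prompt 'Temporary password'

foreach ($line in Get-Content -Path $listPath) {
    if (-not $line.Trim()) { continue }     # skip blank lines

    $acct   = Split-ListedAccount -Entry $line
    $target = @{ Identity = $acct.Sam; ErrorAction = 'Stop' }
    if ($acct.Server) { $target.Server = $acct.Server }   # query the account's own domain

    try {
        Set-ADAccountPassword @target -NewPassword $password -Reset
        Set-ADUser @target -ChangePasswordAtLogon $true
        Write-Host "Password has been reset for the user: $line"
    } catch {
        Write-Warning "Skipped ${line}: $($_.Exception.Message)"
    }
}
```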

  4. Great, thanks for sharing the helpful script, I tried this Active Directory Self Service tool ( http://www.lepide.com/active-directory-self-service/ ) which allows to reset self active directory password, unlock locked account from any remote place and keep active directory updated with latest personal details. It sends an email notifications to users in bulk and recovers lost or forgotten password of account without help desk call.
