When Active Directory users forget their domain passwords or let their passwords expire, it becomes the responsibility of the administrators to reset the passwords. Password-related requests are still one of the most common tickets received by the help desk so resetting passwords quickly and securely is important.
Accounts with “never to expire” passwords can create a potential security risk, as passwords should be regularly changed and updated to prevent accounts from being hacked or passwords being stolen. It is recommended that all user accounts, except that of a default Administrator, should not be set to “never to expire”.
In this guide, we will look at two native ways to reset passwords in Active Directory. These methods are using Active Directory Users and Computers Console (ADUC) and running a PowerShell script.
Using Active Directory Users and Computers Console (ADUC) to Reset Passwords
This option requires remote server administration tools (RSAT) installed on your local computer or a server. You can reset passwords from the domain controller (server running Active Directory) but it is not the preferred option.
- Open the Active Directory Users and Computers Console (ADUC)
- Navigate to your list of users:
- Right click on the user Account. This will display the following short cut menu:
- Select Reset Password. The following dialog box will be displayed:
Note that this dialog box will show you if the account is locked out
- Enter the new password and confirm the password
- If you want the user to change their password at the next logon then check the box “User must change password at next logon”
- Click OK
- A confirmation message saying that the password has been changed will be displayed. Click OK
Reset AD User Password using PowerShell
An alternative to using ADUC is to reset the user’s password using PowerShell. You will need the user’s logon name to identify the account to reset. The following examples show the username Neal Gamby. Substitute this for the username you require.
To reset the password use the following:
Set-ADAccountPassword -Identity neal.gamby -reset
You will be prompted to enter a new password.
To force the user to change the password at the next logon use the following:
Set-ADUser -Identity neal.gamby -ChangePasswordAtLogon $true
To check that the password has been reset use the following:
Get-ADUser neal.gamby -Properties * | select name, pass*
The above command will show the user’s PasswordLastSet date.
How Lepide Helps
A more straightforward solution to using the native methods is to use the Lepide Data Security Platform. The Lepide Solution includes Active Directory Self Service (ADSS) which allows tasks such as password resets to be delegated and the User Password Reset and Change Attempts Report which tracks all password changes. Both these options are explained below.
Using Lepide Active Directory Self Service (ADSS) for Password Resets
It is essential, where possible, that tasks such as password resets are automated to reduce the time taken for tasks such as these which do not add value to the business. The Lepide Active Directory Self Service is a simple web-based solution that will provide this automation as it allows you to delegate tasks such as password reset, and account unlocks. It also provides the ability to authorize co-workers to perform these tasks without having to call IT. Ultimately this solution makes it easier for the user, easier for the administrator, and easier for the whole organization to handle the task of updating Active Directory. For further information on Lepide ADSS, a video tutorial is available on our website.
Using Lepide Auditor to Track Password Changes and Resets
Lepide Auditor for Active Directory will provide visibility over all password changes and resets using the User Password Reset and Change Attempts Report. This is one of many pre-defined reports included in the Lepide Solution and an example is shown below:
The report includes information about the User Name of the account to be reset, Who reset it, When and What was changed. To run this report:
- Select Lepide Auditor, Reports
- From the list of reports, select the User Password Reset and Change Attempts Report
- Specify a date range if required
- Select Generate Report
The report is generated and can be filtered, sorted and exported to CSV and PDF formats
