Mass AD password reset

Resetting the AD password for multiple accounts

Written by Craig Medland
Updated over a week ago

Bulk password reset using a pre-configured script

If you need to reset the passwords for your users and have each one randomly generated, you can run the following PowerShell script from a domain controller to get the task done:

Import-Module ActiveDirectory

$ouName = Read-Host -Prompt 'Name of the OU where your users are'
$ou = @(Get-ADOrganizationalUnit -Filter "Name -like '$ouName'")
# Stop if the name matched no OU or more than one, rather than resetting the wrong accounts
if ($ou.Count -ne 1) { throw "Expected exactly one OU named '$ouName', found $($ou.Count)" }
$ouPath   = $ou[0].DistinguishedName
$filePath = "$env:USERPROFILE\Desktop"

# Required assembly to generate passwords (Windows PowerShell 5.1 only; not available in PowerShell 7)
Add-Type -AssemblyName System.Web
$date  = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'
$users = Get-ADUser -Filter * -SearchBase $ouPath -SearchScope OneLevel

$results = foreach ($name in $users.SamAccountName) {
    # 8 characters with at least 1 non-alphanumeric; raise the length to match your domain password policy
    $newPassword = [System.Web.Security.Membership]::GeneratePassword(8, 1)

    Set-ADAccountPassword -Identity $name -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force)
    Set-ADUser -Identity $name -ChangePasswordAtLogon $true

    [pscustomobject]@{ UserID = $name; Password = $newPassword }
}

# The file contains plaintext passwords: protect it and delete it once the passwords have been handed out
$results | Sort-Object UserID | Format-Table -AutoSize | Out-File "$filePath\NewPass$date.txt"

Read-Host "File NewPass$date.txt with the user list and their new passwords has been saved to your desktop. Please press Enter to exit..."


Copy and paste the code above and save it to a .ps1 file. Run it from a domain controller or any server with the AD management tools installed. The script resets the passwords of all users in the specified OU to randomly generated values, forces a password change at next logon, and saves a text file with the user list and their new passwords to the desktop of the person running it.
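The GeneratePassword helper used above lives in System.Web, which exists only in Windows PowerShell 5.1, and an 8-character value falls below many domain password policies. The following is an added example, not code from the original article: a drop-in generator that draws from the OS cryptographic random number generator, guarantees one character from each class, and runs in both Windows PowerShell and PowerShell 7. The function name, default length and character sets are this example's own choices.

```powershell
# Added example, not part of the original article: a replacement for
# [Web.Security.Membership]::GeneratePassword(8,1) that uses the OS CSPRNG and needs no System.Web,
# so it also runs in PowerShell 7. Function name and character sets are this example's own choices.
function New-RandomPassword {
    param(
        [int]$Length = 16,
        # One character from each class is guaranteed, so the result meets typical complexity rules
        [string[]]$Classes = @(
            'ABCDEFGHJKLMNPQRSTUVWXYZ',   # upper case without I and O
            'abcdefghijkmnpqrstuvwxyz',   # lower case without l and o
            '23456789',                   # digits without 0 and 1
            '!#$%&*+-=?@'                 # symbols
        )
    )
    if ($Length -lt $Classes.Count) { throw "Length must be at least $($Classes.Count)" }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4

    # Uniform index in [0, $Max): rejection sampling removes the modulo bias of a plain "$v % $Max"
    function Get-RandomIndex([int]$Max) {
        $limit = 4294967296 - (4294967296 % $Max)
        do {
            $rng.GetBytes($buf)
            $v = [BitConverter]::ToUInt32($buf, 0)
        } while ($v -ge $limit)
        return [int]($v % $Max)
    }

    $all = -join $Classes
    # One character from every class first...
    $chars = @(foreach ($c in $Classes) { $c[(Get-RandomIndex $c.Length)] })
    # ...then the remainder from the full alphabet
    for ($k = $Classes.Count; $k -lt $Length; $k++) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters do not always sit at the front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    -join $chars
}

# In the script above, replace the GeneratePassword line with:
# $newPassword = New-RandomPassword -Length 16
```

The rejection step matters because 2^32 is not a multiple of the alphabet size; taking the remainder directly would make the first few characters of each class slightly more likely. The excluded look-alike characters (I, O, l, o, 0, 1) are a usability choice for passwords that will be read from a printed list, not a security requirement.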

Bulk password reset using PowerShell and a .csv file

If you need to reset the password for several or all of your users, you can use a simple PowerShell script and a csv file containing the user names to accomplish the task. This guide shows how to create the csv file of all the users in an OU (organizational unit) using PowerShell, and how to use that csv file with PowerShell to reset all of their passwords.

Generating the CSV

If you only want to reset the password of a few users you can still use this method, but you would need to create the csv manually or edit the file generated with the following method. Start by logging into your domain controller or bastion host and launch PowerShell as an administrator. Once PowerShell is open, run the following command:

Import-Module ActiveDirectory

After the AD module loads, run the following command to generate the csv file with all of the users in a specific OU:

Get-ADUser -Filter * -SearchBase "OU=itc-users,DC=itopiacloud,DC=com" | Select-Object SamAccountName | Export-Csv -NoTypeInformation <"path where to save the .csv file">

The command above does the following:

  1. Gets all of the users in the itc-users OU in the itopiacloud.com domain. Replace this with the distinguished name of the OU in which your users are located. How to obtain the distinguished name of an OU is shown below.

  2. Selects only the SamAccountName property for the export, to keep the list of users as simple as possible.

  3. Exports that simplified list of users to a csv file, for example userexport.csv on the Administrator's desktop. The command above uses a placeholder for this path.

The OU, location and csv file name all depend on your domain, so these fields will have different values in your script. To obtain the distinguished names of your OUs you can run the following PowerShell command:

Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName

Resetting the user password with a default value

For an explanation of what the script does, please continue reading. If you just want the script, see the example below.

This guide covers two options for resetting user passwords. The first is to set the same password for all users. The second is to set a different password per user; more on that later.

The following script imports all of the users from the csv file you exported in the first part of the guide and sets a default password of your choosing for all of them. The script looks like this:

$passwd = ConvertTo-SecureString -String <"a password"> -AsPlainText -Force

Import-Csv -Path <"path where the .csv file was saved"> | ForEach-Object {
    $samaccountname = $_."samaccountname"

    Set-ADAccountPassword -Identity $samaccountname -NewPassword $passwd -Reset

    Write-Host "AD Password has been reset for: $samaccountname"
}

The script above does the following:

  1. Creates a variable for the default password you want to set for all users. If the password contains a $, either wrap it in single quotes '' instead of double quotes "" or escape the $ with a backtick `; that makes PowerShell read the $ as part of the password rather than as the start of a variable.

  2. After creating the password variable the script imports all of the data from the csv you created in the first part of the guide.

  3. After importing the data from the csv file, the script performs several operations for each user/object found in the csv. This is done through the ForEach-Object cmdlet.

  4. The script now runs on a per user/object basis. The first thing it does is create a variable for the "samaccountname" column in the csv. When you created the csv in the first step, the only column created was samaccountname, holding the usernames.

  5. After creating the variable for the username, it resets the user's AD password using the two previous variables: the password variable and the samaccountname/username variable.

  6. The last step is a confirmation that the AD password was reset for the user.

Resetting the user password with individual passwords per user

For an explanation of what the script does, please continue reading. If you just want the script, see the example below, but read the paragraph on editing the csv file first.

The second option when resetting bulk AD passwords is to give each user a different password. This is accomplished by modifying the csv file you created at the start of the guide and then running a similar script to the one in the previous step.

Start by opening the csv file and adding the word "password" to the first cell of the second column. Then fill in the password for each user in the csv. Keep in mind any password policies you have in the domain, since the reset will fail for values that do not meet them. Once you have filled in the password column for every user, save the file and close it.

With the updated csv file, you can now run the following script to reset each user's password to the value you set for them in the csv. The script contains the following:

Import-Csv -Path <"path where the .csv file was saved"> | ForEach-Object {
    $samaccountname = $_."samaccountname"

    Set-ADAccountPassword -Identity $samaccountname -NewPassword (ConvertTo-SecureString $_."password" -AsPlainText -Force) -Reset

    Write-Host "AD Password has been reset for: $samaccountname"
}

The script above does the following:

  1. The script imports all of the data from the csv you created in the first part of the guide.

  2. After importing the data from the csv file, the script performs several operations for each user/object found in the csv. This is done through the ForEach-Object cmdlet.

  3. The first thing the script does is create a variable for the "samaccountname" column in the csv. When you created the csv in the first step, the only column created was samaccountname, holding the usernames.

  4. After creating the variable for the username, it resets the user's AD password using the "password" column of the csv, matched to the user/object in the samaccountname column of the same row.

  5. The last step is a confirmation that the AD password was reset for the user.
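The script above stops at the first account that is not found or whose password the domain policy rejects, and it offers no way to preview what it will change. The following is an added example, not code from the original article: a defensive variant of the per-user reset that validates the csv columns up front, skips rows with missing accounts or empty passwords, supports -WhatIf, forces a change at next logon so the csv value is only a one-time password, and writes an outcome log that never contains passwords. The -CsvPath parameter and the ResetLog.csv file name are this example's own choices.

```powershell
# Added example, not part of the original article. Assumes the same two-column CSV
# (samaccountname,password) described above; -CsvPath and the ResetLog.csv name are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$CsvPath
)
Import-Module ActiveDirectory

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
# Refuse to run on a malformed file rather than failing halfway through the list
foreach ($required in 'samaccountname', 'password') {
    if ($required -notin $rows[0].PSObject.Properties.Name) {
        throw "CSV is missing the '$required' column"
    }
}

$log = foreach ($row in $rows) {
    $name = $row.samaccountname.Trim()

    if ([string]::IsNullOrWhiteSpace($row.password)) {
        [pscustomobject]@{ UserID = $name; Result = 'Skipped: empty password' }
        continue
    }
    # -Filter instead of -Identity so a missing account is an empty result, not a terminating error
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
    if (-not $user) {
        [pscustomobject]@{ UserID = $name; Result = 'Skipped: account not found' }
        continue
    }

    try {
        $secure = ConvertTo-SecureString $row.password -AsPlainText -Force
        # With SupportsShouldProcess, running this script with -WhatIf propagates to the AD cmdlets
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        # Force a change at next logon so the value in the CSV is only a one-time password
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        $result = if ($WhatIfPreference) { 'Would reset' } else { 'Reset' }
    } catch {
        # Usually the domain password policy rejecting the value (length, complexity, history)
        $result = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ UserID = $name; Result = $result }
}

# The log records outcomes only, never passwords; delete the input CSV once the resets are done
$log | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\ResetLog.csv"
$log | Format-Table -AutoSize
```

Run it once with -WhatIf to see which rows would be skipped or reset before touching any account, then again without it. Because the csv holds plaintext credentials, keep it on the administrative host only and remove it as soon as the log shows every row as Reset.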
