Secure & Automated Password Reset with PowerShell Command
The PowerShell script given below can be used to reset passwords automatically and can be scheduled to run at regular intervals. ADSelfService Plus also offers an option to automatically reset domain users' passwords when they expire. When this option is enabled, a scheduler runs at regular intervals, searches for user accounts whose passwords have expired, and resets their passwords automatically. The new password is then mailed to the user. Here is a comparison between automatic password reset using PowerShell and using ADSelfService Plus:
PowerShell
```powershell
Param (
    [Parameter(Mandatory=$True)]
    [String]$InputFile   # CSV with the columns ComputerName and LocalAccountLoginID
)

# Builds a random password of $PLength characters that contains at least one digit,
# one upper-case letter, one lower-case letter and one special character.
# Note: Get-Random is not a cryptographic random source.
Function MakeRandomPass {
    Param ( [Int]$PLength )
    If ($PLength -LT 4) {Return $Null}
    $Numbers = $Null
    For ($A=48;$A -LE 57;$A++) {$Numbers+=,[Char][Byte]$A}
    $UpCase = $Null
    For ($A=65;$A -LE 90;$A++) {$UpCase+=,[Char][Byte]$A}
    $LowCase = $Null
    For ($A=97;$A -LE 122;$A++) {$LowCase+=,[Char][Byte]$A}
    $SpChar = $Null
    For ($A=33;$A -LE 47;$A++) {$SpChar+=,[Char][Byte]$A}
    For ($A=58;$A -LE 64;$A++) {$SpChar+=,[Char][Byte]$A}
    For ($A=123;$A -LE 126;$A++) {$SpChar+=,[Char][Byte]$A}
    # One slot per output character: 0 = any class, 1-4 = reserved for that class
    $Buffer = @()
    For ($A=1;$A -LE $PLength;$A++) {$Buffer+=0}
    # Reserve one random free slot for each of the four character classes
    ForEach ($Class In 1,2,3,4) {
        While ($True) {
            $NumChar = (Get-Random -Minimum 0 -Maximum $PLength)
            If ($Buffer[$NumChar] -EQ 0) {$Buffer[$NumChar] = $Class; break}
        }
    }
    # Start from an empty string: with $Null, adding two [Char] values yields an integer
    $ThisPassword = ""
    ForEach ($CharType In $Buffer) {
        If ($CharType -EQ 0) { $CharType = ((1,2,3,4) | Get-Random) }
        Switch ($CharType) {
            1 {$ThisPassword+=($Numbers | Get-Random)}
            2 {$ThisPassword+=($UpCase | Get-Random)}
            3 {$ThisPassword+=($LowCase | Get-Random)}
            4 {$ThisPassword+=($SpChar | Get-Random)}
        }
    }
    Return $ThisPassword
}

$ErrorActionPreference = "SilentlyContinue"
$T = Get-Date
If ($Error) {$Error.Clear()}
Write-Host "`n"
Write-Host "Working. Please wait"
Write-Host "`n"
# The report file name is the timestamp with separators stripped
$RepFile = $T -Replace " ", $Null
$RepFile = $RepFile -Replace ":", $Null
$RepFile = $RepFile -Replace "/", $Null
$RepFile = $RepFile -Replace "-", $Null
If (Test-Path "Report_$RepFile.txt") { Remove-Item "Report_$RepFile.txt" }
New-Item -Path "Report_$RepFile.txt" -Type File -Force -Value "REPORT: Reset Local User Account Password On Multiple Computers" | Out-Null
Add-Content "Report_$RepFile.txt" "`n"
Add-Content "Report_$RepFile.txt" "`n"
Add-Content "Report_$RepFile.txt" "Report Created On $T"
Add-Content "Report_$RepFile.txt" "`n"

Import-CSV -Path $InputFile | ForEach-Object {
    Try {
        $ThisMachine = $_.ComputerName
        $ThisAccount = $_.LocalAccountLoginID
        If (!([string]::IsNullOrEmpty($ThisMachine)) -AND !([string]::IsNullOrEmpty($ThisAccount))) {
            Write-Host "`tAttempting to reset the local account password in computer: $ThisMachine" -ForeGroundColor "Yellow"
            $PassToSet = MakeRandomPass 20
            # Bind to the local account on the remote computer through the WinNT ADSI provider
            $ThisUser = [ADSI]"WinNT://$ThisMachine/$ThisAccount,User"
            $ThisUser.SetPassword($PassToSet)
            $ThisUser.SetInfo()
            If (!$Error) {
                # The report stores the new password in clear text; protect or delete the file once it has been used
                Add-Content "Report_$RepFile.txt" "$ThisMachine `t`t -- $ThisAccount `t`t -- $PassToSet `t`t --success: Password Has Been Reset/Changed."
            }
        }
    } Catch {
        If ($Error) {
            Add-Content "Report_$RepFile.txt" "$ThisMachine `t`t -- $ThisAccount `t`t -- Password Reset has failed. An Error Has Occurred."
            Add-Content "Report_$RepFile.txt" $Error
            $Error.Clear()
        }
    }
}

Write-Host "`n"
Write-Host "Task Completed. Check Report File: Report_$RepFile.txt"
Notepad "Report_$RepFile.txt"
Write-Host "`n"
```
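The script's MakeRandomPass relies on Get-Random, which is not a cryptographic random source, so here is an added example (my own code, not from the page's script or from ADSelfService Plus) of a drop-in replacement that draws from .NET's cryptographic RNG, keeps the same four character classes, guarantees one character from each, and shuffles the result. The function names New-SecureRandomPassword and Test-PasswordClasses are my own; the code assumes Windows PowerShell 5.1 or PowerShell 7.

```powershell
Function New-SecureRandomPassword {
    Param ([Int]$Length = 20)
    If ($Length -lt 4) { Throw "Length must be at least 4 (one character per class)" }

    # Cryptographic RNG instead of Get-Random (System.Random)
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform integer in [0, $Max) via rejection sampling, so there is no modulo bias
    Function Get-CryptoInt([Int]$Max) {
        $Buf = New-Object byte[] 4
        $Limit = [UInt32]::MaxValue - ([UInt32]::MaxValue % [UInt32]$Max)
        Do {
            $Rng.GetBytes($Buf)
            $Val = [BitConverter]::ToUInt32($Buf, 0)
        } While ($Val -ge $Limit)
        Return [Int]($Val % [UInt32]$Max)
    }

    # Same character ranges as MakeRandomPass above
    $Classes = @(
        [char[]](48..57),                            # digits
        [char[]](65..90),                            # upper case
        [char[]](97..122),                           # lower case
        [char[]]((33..47) + (58..64) + (123..126))   # specials
    )
    $All = $Classes | ForEach-Object { $_ }          # flattened union of all classes

    $Chars = New-Object System.Collections.Generic.List[char]
    ForEach ($Class In $Classes) {                   # one guaranteed character per class
        $Chars.Add($Class[(Get-CryptoInt $Class.Count)])
    }
    While ($Chars.Count -lt $Length) {               # fill the rest from the union
        $Chars.Add($All[(Get-CryptoInt $All.Count)])
    }
    # Fisher-Yates shuffle so the four guaranteed characters are not always first
    For ($I = $Chars.Count - 1; $I -gt 0; $I--) {
        $J = Get-CryptoInt ($I + 1)
        $Tmp = $Chars[$I]; $Chars[$I] = $Chars[$J]; $Chars[$J] = $Tmp
    }
    $Rng.Dispose()
    Return (-join $Chars)
}

# Sanity check before use: the password must contain all four classes
Function Test-PasswordClasses([String]$Password) {
    Return ($Password -cmatch '[0-9]') -and ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and ($Password -cmatch '[!-/:-@{-~]')
}
```

In the script above, `$PassToSet = New-SecureRandomPassword 20` replaces the call to MakeRandomPass, and `Test-PasswordClasses $PassToSet` should return True before the value is applied.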
ADSelfService Plus
- Go to Configuration > Policy Configuration.
- Create a new policy.
- Once the information required to create the policy is provided, click on Advanced, navigate to the Automation tab and select the Automatically resets domain user’s passwords when they expire checkbox.
- Specify the Frequency at which the scheduler should be run.
- Select the Upon automatic password reset, force users to change password at next logon checkbox if required.
- The Reset password to field can be set to Custom text or Password Policy (a random password generated based on the custom password policy).
- Move to Notification > Reset Password and enter the necessary details to notify users about their reset passwords.
- Click OK and in the Policy Configuration section, click Save.
- Quick configuration:
With ADSelfService Plus, automatic password reset can be enabled with a few clicks and minimal information. In PowerShell, this requires creating, debugging, and running scripts.
- Choose which users' passwords can be automatically reset:
When creating an ADSelfService Plus policy, administrators can select the domain, OUs, and groups whose users can have their passwords automatically reset upon expiration. Using PowerShell to automate password resets for specific users requires writing an extensive script.
- Prevent the creation of weak passwords:
ADSelfService Plus' Password Policy Enforcer allows administrators to create and enforce custom password policies that inhibit the creation of weak passwords. The passwords generated automatically can be chosen to comply with this custom password policy.
- Synchronize passwords with enterprise applications:
ADSelfService Plus' Password Synchronization feature, when enabled, automatically syncs the new password with the user's accounts in enterprise applications like G Suite and Salesforce.
- Audit report for passwords reset:
ADSelfService Plus captures all password reset operations, including automated password resets, in reports that can be generated with a single click and exported in formats such as HTML, CSV, PDF, and XLS.
- Notify administrators:
Administrators are periodically sent a consolidated report that contains details on all the password reset operations.