The Set-AdAccountPassword cmdlet in PowerShell resets the Active Directory account password. It modifies or changes the password for a user, computer, or service account in Active Directory.
To change the user password in the Active Directory, use the Get-AdUser cmdlet to retrieve the aduser object and pass it through the pipeline to the Set-AdAccountPassword to set the user password in AD.
To reset the active directory computer password, use the Get-AdComputer cmdlet to find the computer object and pass it through the pipeline to the Set-AdAccountPassword to reset the computer password in AD.
Similarly, to modify the service account password, use the Get-AdServiceAccount cmdlet to retrieve the service account object and pass it through the pipeline to the Set-AdAccountPassword to change the service account password in AD.
In this article, we will discuss how to use the Set-AdAccountPassword to reset the active directory user, computer, or service account password.
Set-AdAccountPassword
Set-AdAccountPassword modifies the active directory account password.
Syntax
Set-ADAccountPassword [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADAccount> [-NewPassword <SecureString>] [-OldPassword <SecureString>] [-Partition <String>] [-PassThru] [-Reset] [-Server <String>] [<CommonParameters>]
Parameters
-Identity: Specifies the active directory account to modify. You can use a distinguished name, GUID, security identifier (SID), or SAMAccountname to identify the active directory account.
-NewPassword: Specifies a new password value to set for the active directory account. It is stored as an encrypted string.
-OldPassword: Specifies the old or most recent password value. It is processed as an encrypted string.
-Server: Specifies the Active Directory Services instance to connect to.
Reset Active Directory User Password
You can reset the active directory user password using the Set-AdAccountPassword command.
Use the distinguished name of the aduser account to set the password for the user using Set-AdAccountPassword.
Set-ADAccountPassword -Identity 'CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Shell@@1" -Force)
In the above PowerShell script, the Set-AdAccountPassword command uses the Identity parameter to specify a distinguished name for the aduser account.
It uses the Reset parameter to change the user password by providing the new password. It stores the new password as an encrypted string.
Running the above script in PowerShell sets the user password without requiring the old password.
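The same reset without the password written on the command line, together with the -OldPassword form of the cmdlet, as an added example that is not part of the original article. Set-PasswordInteractive is a hypothetical helper name; the distinguished name is the sample account used above.

```powershell
# Added example. Set-PasswordInteractive is a hypothetical helper name.
Import-Module ActiveDirectory

function Set-PasswordInteractive {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Change   # change using the old password instead of an admin reset
    )

    # Read-Host -AsSecureString keeps the value out of the command line
    # and out of any history or script-block log of that command line.
    $new = Read-Host -Prompt 'New password' -AsSecureString

    if ($Change) {
        # Change: the old password is required and -Reset is omitted.
        $old = Read-Host -Prompt 'Current password' -AsSecureString
        Set-ADAccountPassword -Identity $Identity -OldPassword $old `
            -NewPassword $new -ErrorAction Stop
    }
    else {
        # Reset: no old password needed.
        Set-ADAccountPassword -Identity $Identity -Reset `
            -NewPassword $new -ErrorAction Stop
        # The operator knows this password, so make the user replace it at next logon.
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -ErrorAction Stop
    }
}

# Preview the target first; -WhatIf is passed on to the AD cmdlets inside the function.
Set-PasswordInteractive -Identity 'CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL' -WhatIf
```

Drop -WhatIf to apply the reset, or add -Change to perform a password change with the old password.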
PowerShell Reset User Password using Set-AdAccountPassword
To set the user password in PowerShell, retrieve the aduser using the Get-AdUser cmdlet and pass it through the pipeline to the Set-AdAccountPassword to reset the user password.
# Get the aduser object using the Get-AdUser cmdlet
$aduser = Get-AdUser -Identity 'CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL'
# Reset aduser password using the Set-AdAccountPassword
Set-ADAccountPassword $aduser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Shell@@1" -Force)
In the above PowerShell script, the Get-AdUser cmdlet uses the Identity parameter to specify the distinguished name and retrieve the aduser object.
The Set-AdAccountPassword uses the aduser object and uses the Reset parameter to change the user password with a new password.
Reset Multiple AdUsers Password in PowerShell
You can use the Get-AdUser cmdlet in PowerShell to get multiple adusers based on specified search criteria and pass it through the pipeline to the Set-AdAccountPassword command to set the password for multiple adusers in Active Directory.
get-aduser -filter "department -eq 'Human Resource' -AND enabled -eq 'True'" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Shel@123" -Force)
In the above PowerShell script, the Get-AdUser cmdlet uses the Filter parameter to search for users who are in the Human Resource department and have enabled status.
It passes aduser objects to the Set-AdAccountPassword to reset the user password.
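The command above gives every matched account the same password. The following added example, which is not code from the original article, uses the same filter but issues a different random temporary password to each user and forces a change at next logon. New-RandomPassword is a hypothetical helper, and the 20-character length is an assumption.

```powershell
# Added example. New-RandomPassword is a hypothetical helper, not an AD module cmdlet.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 symbols: 256 is a multiple of 64, so ($byte % 64) has no modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $plain = -join $(foreach ($b in $bytes) { $alphabet[$b % 64] })
            # Retry until upper case, lower case and a digit are all present.
        } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '\d')
    }
    finally { $rng.Dispose() }
    $plain
}

# Same search criteria as the article's bulk reset.
$users = Get-ADUser -Filter "department -eq 'Human Resource' -AND enabled -eq 'True'"

$issued = foreach ($user in $users) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        # Emit a record only for accounts that were actually reset.
        [pscustomobject]@{ SamAccountName = $user.SamAccountName; TempPassword = $plain }
    }
    catch {
        Write-Warning "Reset failed for $($user.SamAccountName): $_"
    }
}

# $issued now holds one temporary password per reset account, in memory only.
$issued | Select-Object SamAccountName
```

Hand each temporary password to its user over a trusted channel rather than writing $issued to a shared file.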
Fix for Set-AdAccountPassword: Access is Denied
While trying to reset the active directory account password using the Set-AdAccountPassword command, you may get the access denied error as given below.
PS C:\> Set-ADAccountPassword -Identity 'CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Shell@1" -Force)
Set-ADAccountPassword : Access is denied
At line:1 char:1
+ Set-ADAccountPassword -Identity 'CN=Gary Waugh,OU=SALES,DC=SHELLPRO,D ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (CN=Gary Waugh,O...ELLPRO,DC=LOCAL:ADAccount) [Set-ADAc
countPassword], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.Active
Directory.Management.Commands.SetADAccountPassword
PS C:\>
The solution to fix the Set-AdAccountPassword: Access Denied issue is to open the PowerShell terminal with the Run as Administrator option.
You might be using the admin domain account; however, you need to open the PowerShell terminal with administrator rights to execute the command.
FAQ
If the active directory module is not installed or not imported, while running the Set-AdAccountPassword cmdlet to set the user password in PowerShell, it throws the error “Set-AdAccountPassword : The term 'Set-AdAccountPassword' is not recognized as the name of a cmdlet, function,”
Install the Active Directory module and import it.
Conclusion
I hope the above article on how to use the Set-AdAccountPassword to modify the active directory account password is helpful to you.