Over the last few years, I have found myself in need of various scripts to handle the bulk resetting of passwords for users in Active Directory. This post contains the various scripts I have used to do this most mundane of tasks.
Method 1: Reset all users in an OU to the same password
This is by far the simplest method. Not overly useful, as there’s not usually a need for the same password on a whole OU of accounts! It is a simple DSQUERY piped to a DSMOD. It works in a command prompt.
DSQUERY user [LDAP OU path] -limit 0 | DSMOD user -pwd [new password]
Method 2: Reset all users in an OU to a random password
This script uses PowerShell to randomly select a word from a CSV file, appends a number and then sets the user account to that password and notes it in an output CSV file. The word list is a single column spreadsheet of words, with a column header “Name”.
Import-Module -Name ActiveDirectory
$oubase     = "ou=baseou,dc=server,dc=domain"
$ou         = "ou=subou,ou=users"
$outputfile = "d:\Output\output.csv"
$words      = Import-Csv "d:\Input\words.csv"   # single column, header "Name"
$fullou     = $ou + "," + $oubase
$Users = Get-ADUser -Filter * -SearchBase $fullou
$results = @(foreach ($user in $Users) {
    $word     = Get-Random $words
    $number   = Get-Random -Minimum 10 -Maximum 99   # -Maximum is exclusive, so 10..98
    $password = $word.Name + $number
    # Use a subexpression here: 'Write-Host "..." + $x' would print a literal "+"
    Write-Host "Setting Password for User: $($user.DistinguishedName)"
    # Emit one record per user; these objects are what $results collects for the CSV
    New-Object -TypeName psobject -Property @{ User = $user.SamAccountName; Password = $password }
    $secstring = ConvertTo-SecureString -String $password -AsPlainText -Force
    Set-ADAccountPassword -Identity $user.SamAccountName -NewPassword $secstring -Reset
})
$results | Export-Csv -Path $outputfile -NoTypeInformation
Method 3: Reset all users in a group to the same password
This script does the same as method 1, but aimed at a specific Active Directory group instead of an OU. Again, of limited usefulness for most people, since setting everyone to the same password is rarely a good idea if you’re being secure.
Import-Module ActiveDirectory
$groupName = "Win2000 Group name"
$Users = Get-ADGroupMember -Identity $groupName -Recursive
foreach ($User in $Users) {
    Write-Host "$($User.name) being reset"
    $secpassword = ConvertTo-SecureString -AsPlainText 'New password' -Force
    # -Reset sets the password without prompting for the old one
    Set-ADAccountPassword $User -NewPassword $secpassword -Reset
    # Set the must-change flag after the reset: a reset updates pwdLastSet,
    # which would otherwise clear the flag again
    Set-ADUser $User -Enabled $true -ChangePasswordAtLogon:$true
}
Method 4: Resetting all users in a group to a random password
A mix of methods 2 and 3.
Import-Module ActiveDirectory
$words      = Import-Csv "D:\input\words.csv"   # single column, header "Name"
$groupName  = "Win2000 Group name"
$outputfile = "d:\output\output.csv"
$Users = Get-ADGroupMember -Identity $groupName -Recursive
$results = @(foreach ($User in $Users) {
    $word     = Get-Random $words
    $number   = Get-Random -Minimum 10 -Maximum 99   # -Maximum is exclusive, so 10..98
    $password = $word.Name + $number
    # Emit one record per user; these objects are what $results collects for the CSV
    New-Object -TypeName psobject -Property @{ User = $User.SamAccountName; Password = $password }
    Write-Host "$($User.name) being reset"
    $secpassword = ConvertTo-SecureString -AsPlainText $password -Force
    Set-ADAccountPassword $User -NewPassword $secpassword -Reset
    # Set the must-change flag after the reset: a reset updates pwdLastSet,
    # which would otherwise clear the flag again
    Set-ADUser $User -Enabled $true -ChangePasswordAtLogon:$true
})
$results | Export-Csv -Path $outputfile -NoTypeInformation