11

Joe Brown is on the phone. He is locked out of Windows because he has forgotten his password. We could reset his password via Active Directory Users and Computers, but ADUC is very annoyingly clicky.

Of course, it's also possible to unlock Joe Brown's account and reset his password to "33Foo$bars" via NET USER:

net user jbrown 33Foo$bars /domain /active:yes

Unfortunately, the flag requiring him to choose a new password is not set by this command. We, being enlightened administrators, do not want to know any user's permanent password at any time.

Does anyone have an efficient command-line method to unlock/reset and require a password change, using native Windows tools (including PowerShell or VBScript if necessary) but no 3rd-party binaries?

Context: Windows Server 2008 domain.

Skyhawk

4 Answers

13

The binary 'dsmod' (comes with Win7 and Vista, and somewhere along the way XP got them too) should do what you want.

dsmod user UserDN -pwd $Password -mustchpwd yes

It can do a lot more as well! Very useful tool.

There are a couple of other tools alongside that one that are quite useful as well. dsquery searches AD from the command line. dsget pulls attributes from objects. dsadd allows creating objects (and users!). Definitely worth a look for any scripter.

sysadmin1138
2

Untested, but I've done stuff like this before with DSMod user

dsquery user -samid username | dsmod.exe user -pwd <Password> -mustchpwd yes -disabled no

/edited - includes the good suggestion to prepend with dsquery to let you look up the samid (login) instead of the UDN.

mfinni
0

To reset a user's password and force password change:

dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes
gWaldo
0

This just worked for me on my Win7 box.

net user <username> <password> /domain /ACTIVE:Yes /logonpasswordchg:yes
Scott Pack
LucMaN
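The same unlock, reset and must-change sequence without a known password typed on the command line, as an added example that is not part of the original thread: it generates a random temporary password and sets it through ADSI, which ships with Windows. The function names Reset-TempPassword and New-TempPassword are hypothetical, and the account-name pattern and password length are assumptions to adjust to local policy.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function New-TempPassword([int]$Length = 14) {
    # Four character classes so the result satisfies default AD complexity rules.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%+-=?@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] ($Length * 2)
    $rng.GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # First four positions draw one character from each class; the rest use all of them.
        $set = if ($i -lt 4) { $classes[$i] } else { -join $classes }
        $set[$bytes[$i] % $set.Length]   # slight modulo bias, acceptable for a one-time password
    }
    # Shuffle with the second half of the random bytes so class order is not predictable.
    $order = 0..($Length - 1) | Sort-Object { $bytes[$Length + $_] }
    -join $chars[$order]
}

function Reset-TempPassword([string]$SamAccountName) {
    # Assumed naming convention; refuses anything that could alter the LDAP filter below.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') { throw "Unexpected account name" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No such user: $SamAccountName" }
    $user = $hit.GetDirectoryEntry()
    $temp = New-TempPassword
    $user.psbase.Invoke('SetPassword', $temp)           # administrative reset
    $user.psbase.Properties['lockoutTime'].Value = 0    # clear the lockout
    $user.psbase.Properties['pwdLastSet'].Value  = 0    # user must change password at next logon
    $user.psbase.CommitChanges()
    $temp   # returned once so it can be read to the user over the phone
}
```

Called as `Reset-TempPassword jbrown`, it clears a lockout but does not re-enable a disabled account, which the `/active:yes` and `-disabled no` switches in the answers above do.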