Unlock Windows AD account & assign *temporary* password via command line?
Solution 1
The binary 'dsmod' (comes with Win7 and Vista, and somewhere along the way XP got them too) should do what you want.
dsmod user UserDN -pwd $Password -mustchpwd yes
It can do a lot more as well! Very useful tool.
There are a couple of other tools alongside that one that are quite useful as well. dsquery searches AD from command-line. dsget pulls attributes from objects. dsadd allows creating objects (and users!). Definitely worth a look for any scripter.
Solution 2
Untested, but I've done stuff like this before with DSMod user:
dsquery user -samid username | dsmod.exe user -pwd <Password> -mustchpwd yes -disabled no
/edited - includes the good suggestion to prepend with dsquery to let you look up the samid (login) instead of the UDN.
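The same reset written with the ActiveDirectory PowerShell module, as an added example that is not part of either answer above. It assumes the module is installed on the admin workstation (RSAT, Server 2008 R2 or later tooling); the function name Reset-TemporaryPassword is hypothetical. It prompts for the temporary password instead of taking it as an argument, and reports afterwards whether the must-change flag was actually set.

```powershell
# Added example. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Reset-TemporaryPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # Stop at the first failure, e.g. a password rejected by domain policy,
    # so the account is not unlocked with its old password still in place.
    $ErrorActionPreference = 'Stop'

    # Resolve the account first so a typo fails before anything is changed.
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires

    # With "Password never expires" set, AD does not make the user change
    # the password at next logon, so the temporary password would stay valid.
    if ($user.PasswordNeverExpires) {
        throw "$SamAccountName has 'Password never expires' set; clear it first."
    }

    # Prompting keeps the password out of command arguments and shell history.
    $temp = Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset, unlock, force change')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp
        Unlock-ADAccount -Identity $user
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    # Read the account back: pwdLastSet = 0 is how AD records
    # "user must change password at next logon".
    Get-ADUser -Identity $user -Properties LockedOut, pwdLastSet |
        Select-Object SamAccountName, LockedOut,
            @{ Name = 'MustChangeAtLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}

# jbrown is the account name used in the question.
Reset-TemporaryPassword -SamAccountName jbrown
```

Run it with -WhatIf to see which account would be changed without modifying it.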
Hecter
Updated on September 17, 2022
Comments
-
Hecter over 1 year
Joe Brown is on the phone. He is locked out of Windows because he has forgotten his password. We could reset his password via Active Directory Users and Computers, but ADUC is very annoyingly clicky.
Of course, it's also possible to unlock Joe Brown's account and reset his password to "33Foo$bars" via NET USER:
net user jbrown 33Foo$bars /domain /active:yes
Unfortunately, the flag requiring him to choose a new password is not set by this command. We, being enlightened administrators, do not want to know any user's permanent password at any time.
Does anyone have an efficient command-line method to unlock/reset and require a password change, using native Windows tools (including PowerShell or VBScript if necessary) but no 3rd-party binaries?
Context: Windows Server 2008 domain.
-
mfinni over 13 years
The ds* tools were new in Server 2003
-
jscott over 13 years
+1, but DNs take way too long to type
dsquery user -samid username | dsmod user -mustchpwd yes -pwd password
-
Hecter over 13 years
Thanks very much. Especially with the addition of @jscott's comment, this is a perfect solution.
-
dzampino over 8 years
I tried this, but it did not force a password change