AD PowerShell Password Reset Shortcut for Helpdesk

Introduction

Back in May I released a post on the Hey Scripting Guy blog showing how to create a shortcut to unlock a user account with a PowerShell desktop shortcut.  That post was very popular, and the comments evolved into another shortcut to reset passwords.  Due to the popularity and utility of the idea I decided it deserved its own blog post.  I’ve also learned a little more about the Set-ADAccountPassword cmdlet to simplify my previous code.

Monday Morning on “The Desk”

You know the drill.  It’s Monday morning.  Last Friday 47 users decided it was a good idea to change their password before the weekend.  It’s Monday.  They forgot, just like I would.  Personally I never change my password on a Friday for this reason.  I need a couple days to use it before the weekend.

What could make this worse?  Holiday weekends… like US Thanksgiving.  (grin)  Now it’s been at least five days since I reset that password.  There’s no chance I’ll remember it unless it’s written down on that sticky note under the mouse pad.

Now all 47 of those users must call the helpdesk first thing Monday before they can begin another week of productivity for the company.  The self-service password project has not gotten enough budget or resources for implementation, and until it does every Monday morning is going to look very familiar.  That’s where we come in with PowerShell.

The Options

How many different ways can we reset a password?  Let’s make a quick list:

  1. Active Directory Users and Computers (ADUC) – Despite the several clicks involved this is the first choice for many folks.  It’s been working for 12 years now.  Why change now?
  2. Active Directory Administrative Center (ADAC) – This is the new AD-GUI-with-PowerShell-under-the-covers version of ADUC, and it puts password resets on the front page for easy access.  Give this one a try.  It’s free with your Windows Server 2008 R2 (or 2012) RSAT.  This is slightly faster.
  3. DSMOD – Yeah.  It’s an option, but you need to type the distinguished name for the user.  Cool, but just not practical.
  4. That in-house identity app written seven years ago by a special project team in InfoSec.  Um.  Yeah.  Way too many clicks.
  5. PowerShell.  Wait… can you click in PowerShell?  Kind of. It’s going to be a single double-click.  Much faster.
  6. Etc.

Bring The ‘Shell To The ‘Desk

Attached at the bottom of this post you’ll find a simple text file with these lines (note that these one-liners have been wrapped for display purposes):

 : 100 characters
: Reset Password
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword (Read-Host 'User') -R}"

: 123 characters
: Reset Password
: User must change password at next logon
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1}"

: 154 characters
: Reset Password
: User must change password at next logon
: Alternate credentials
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword ($u=Read-Host 'User') -R -Cr ($c=Get-Credential);
Set-ADUser $u -Ch 1 -Cr $c}"

: 191 characters
: Reset Password
: User must change password at next logon
: Alternate credentials
: Target a specific DC
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
Set-ADAccountPassword -Cr ($c=Get-Credential) -S ($s=Read-Host 'DC')
 -I ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1 -Cr $c -Server $s}"

Depending on how you would like to perform the password reset there are four options presented here for your shortcut.  Simply copy the line you want to use and paste it into a batch file on the desktop for the helpdesk.  Here are the flavors:

  • Password reset
  • User must change password at next logon (always a good idea; note that Set-ADUser rejects this flag on an account that has PasswordNeverExpires set, so those accounts will error on the second cmdlet)
  • Reset the password using alternate credentials
  • Target a different domain controller to initiate the change

Just copy the line you want into a text file on the desktop and put ‘.BAT’ at the end of the file name.  Enjoy!

The Code

At first glance these lines may be a bit challenging to understand.  That’s because I’ve maximized the use of aliases and abbreviations to tighten these lines down to merely a few characters.  I usually avoid these for readability, but in this case I was aiming for brevity.  Plus it’s just fun.

Let’s break down the longest line:

  • @echo off
    • Batch syntax to stop the commands from being echoed to the console as they run.
  • &&
    • Batch's command separator: it runs the next command only if the previous one succeeded, which is how we cheat and keep everything on one line.
  • powershell -NoE –C
    • Launch PowerShell with -NoExit (leave the window open when complete, in case there are any errors to view) and -Command (run the string that follows).
  • "&{
    • Now we’re in PowerShell, and the ‘&’ is the call (invoke) operator.  It tells PowerShell to run everything inside the script block { }.
  • ipmo ActiveDirectory;
    • Import-Module ActiveDirectory.  The ‘;’ is the statement separator, so we can cheat in PowerShell too and keep several statements on one line.
  • Set-ADAccountPassword -Cr ($c=Get-Credential) -S ($s=Read-Host 'DC') -I ($u=Read-Host 'User') -R;
    • This is where the magic happens.  There is no alias to shorten the cmdlet, but we’ve abbreviated all of the parameters: Credential, Server, Identity, and Reset.  Because -NewPassword is omitted, the cmdlet itself prompts for the new password (twice, as a secure string, so it is never echoed or left in the command history).  By capturing each of the other values into a variable we can reuse them in the next cmdlet without having to prompt for the values again.
  • Set-ADUser $u -Ch 1 -Cr $c -Server $s}"
    • ChangePasswordAtLogon becomes ‘Ch’.  ‘Cr’ again is Credential.  Because this cmdlet has so many parameters beginning with ‘S’ we have to use the full parameter name for ‘Server’.

What other language could do this in less than 200 characters?  Now that’s PowerShell!
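The one-liners above are built for brevity.  The script below is an added example (it is not from the original post or its attachment) that does the same job in readable form and adds the checks a helpdesk tech would want: it fails loudly if the RSAT module is missing, reuses -Server and -Credential across every cmdlet, skips the ChangePasswordAtLogon flag on accounts with PasswordNeverExpires (where Set-ADUser would otherwise error), optionally clears a lockout (a password reset by itself does not unlock an account, which is what the unlock question in the comments is about), supports -WhatIf, and reads the account back so the tech can confirm the result before ending the call.  The file name, the switch names, and the .BAT line in the header comment are this example's own choices.

```powershell
<#
Reset-HelpdeskPassword.ps1  (added example; not code from the original post)
Readable, checked version of the one-liners. Assumes the RSAT ActiveDirectory
module is installed. File name, parameter names and the shortcut line below
are this example's own choices.

Desktop shortcut (save next to this script as Reset-Password.bat):
  @echo off&&powershell -NoE -File "%~dp0Reset-HelpdeskPassword.ps1" -Unlock
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # sAMAccountName, UPN, DN or SID. Prompted for if omitted, like the one-liners.
    [string]$Identity,
    # Target a specific DC so the read-back at the end sees the same replica we wrote.
    [string]$Server,
    # Alternate credentials, e.g. -Credential (Get-Credential)
    [pscredential]$Credential,
    # Also clear a lockout. A reset alone leaves lockoutTime untouched.
    [switch]$Unlock,
    # Leave the "must change password at next logon" flag alone.
    [switch]$NoChangeAtLogon
)

# Prerequisite from the post: the module ships with RSAT. Stop here if it is absent.
Import-Module ActiveDirectory -ErrorAction Stop

if (-not $Identity) { $Identity = Read-Host 'User' }

# Splat -Server/-Credential into every cmdlet so the tech is prompted only once.
$ad = @{}
if ($Server)     { $ad.Server     = $Server }
if ($Credential) { $ad.Credential = $Credential }

$user = Get-ADUser -Identity $Identity @ad -Properties PasswordNeverExpires, LockedOut, Enabled
if (-not $user.Enabled) {
    Write-Warning "$($user.SamAccountName) is disabled; the reset will succeed but the user still cannot log on."
}

if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
    # -Reset without -NewPassword makes the cmdlet prompt twice for the new
    # password as a secure string, so it is never echoed or left in history.
    Set-ADAccountPassword -Identity $user -Reset @ad

    if (-not $NoChangeAtLogon) {
        if ($user.PasswordNeverExpires) {
            # Set-ADUser rejects ChangePasswordAtLogon $true on such accounts.
            Write-Warning "PasswordNeverExpires is set on $($user.SamAccountName); not forcing a change at next logon."
        } else {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true @ad
        }
    }

    if ($Unlock -and $user.LockedOut) {
        Unlock-ADAccount -Identity $user @ad
    }

    # Read back what actually changed so the tech can confirm before hanging up.
    Get-ADUser -Identity $user @ad -Properties PasswordLastSet, LockedOut, PasswordExpired |
        Select-Object SamAccountName, PasswordLastSet, PasswordExpired, LockedOut
}
```

Because the shortcut now runs a .ps1 with -File rather than an inline -Command string, the helpdesk machine's execution policy has to allow it (sign the script or set a policy that permits local scripts); the inline one-liners in the post sidestep that, which is one reason they are so short.  Running the script with -WhatIf prints what would be reset without touching the account, which is a cheap way to confirm the tech has typed the right user.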

One Small Prerequisite

In order for the helpdesk to use this code they will need to install the Windows 7 or Windows 8 Remote Server Administration Tools (RSAT) and turn on the feature Active Directory Module for Windows PowerShell.  Most likely the RSAT are already installed for other administrative tasks, so they can check the GUI box pictured here:

[Image: Windows Features dialog with the Active Directory Module for Windows PowerShell checkbox]

‘Tis The Season

Password resets will never go out of season.  Armed with these new batch lines perhaps your Monday mornings will go faster and the elves in the toy shop can get back to what they do best… making new Microsoft Surface tablets to put under the Christmas tree.

ADPS_Password_Reset_Batch.txt

Comments

  • Anonymous
    November 26, 2012
    Do you need to import the module inside of a batch script when using Powershell 3?

  • Anonymous
    November 26, 2012
    Hi LA, In v3 you don't need to import modules, but in my opinion it would improve performance. GoateePFE

  • Anonymous
    February 20, 2013
    Hi Ashley, I just found your blog and am already loving it! A while back, I got tired of dealing with this same problem. For our helpdesk, I created a custom MMC containing ADUC and a bunch of powershell scripts in a taskpane. One script was a reset password script. If you get a chance, check out the MMC and let me know what you think. www.simple-talk.com/.../article.aspx jmoody @ mygcbe . com

  • Anonymous
    October 29, 2014
    Welcome! Today’s post includes demo scripts and links from the Microsoft Virtual Academy event: Using PowerShell for Active Directory . We had a great time creating this for you, and I hope you will share it with anyone needing to ramp up their

  • Anonymous
    July 02, 2015
    how would I create a batch desktop file for renaming computers. This is a task we perform all the time.

  • Anonymous
    September 15, 2015
    Hi Goatee,

    Can you help me with a batch file for helpdesk just like your previous Post

    : 191 characters
    : Reset Password
    : User must change password at next logon
    : Alternate credentials
    : Target a specific DC
    @echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
    Set-ADAccountPassword -Cr ($c=Get-Credential) -S ($s=Read-Host 'DC')
    -I ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1 -Cr $c -Server $s}"

    but I need to unlock the account as well and I dont want to require them to "change password at next logon"

  • Anonymous
    September 15, 2015
    Hello Dinan,

    Try this (I haven't tested it):
    @echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;
    Set-ADAccountPassword -Cr ($c=Get-Credential) -S ($s=Read-Host 'DC')
    -I ($u=Read-Host 'User') -R;Unlock-ADAccount -I $u -Cr $c -Server $s}"

    For more information I talk about unlocks with batch files here:
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/05/05/weekend-scripter-active-directory-account-unlock-shortcut-for-help-desk.aspx

    Let me know if that works,
    GoateePFE
    Ashley

  • Anonymous
    September 29, 2015
    Hi Goatee,

    Thanks for your Help. It worked!! :-)

  • Anonymous
    April 28, 2016
    Hi Ashley, I am trying to set this up as the following.. Alternate credentials, Target a specific DC, user. This is where I get errors. It's telling me the parameter name I is ambiguous. Any ideas how I can get this working? Here is the code I have used so far... @echo off&&powershell -NoE -C ""

  • Anonymous
    April 28, 2016
    Sorry, here is the full code: @echo off&&powershell -NoE -C ""

  • Anonymous
    April 28, 2016
    Hi William, Unfortunately your script looks like it is missing the PowerShell commands inside the quotes. Are you sure you pasted the entire thing into the comment?
    Ashley
    GoateePFE

    • Anonymous
      July 05, 2016
      Hi Ashley, I want to create a self management portal for reset passwords and unlock user.. I tried your scripts but I need it to launch with a Web portal.. can you please help me... Many thanks in advance !!! Ranjeet !!