There may be times when you need to bulk reset user passwords in a domain or OU. We have outlined three VB script methods below. These Active Directory VB scripts are very easy to use and only minor modifications are required.
- The first method does a password reset to a new permanent password.
- The second method does a password reset with "must change on next login" set.
- The third method allows you to change the userAccountControl value and reset passwords, with the option to force a change on next login. This is handy if you need to change user accounts to password expiring, fix "system account" user objects, or enable / disable user accounts.
- We STRONGLY recommend testing all scripts first on a test OU with test user objects!
Prerequisites for Running the Reset Password Scripts
Log on as an administrator of the domain, preferably at a domain controller. Alternatively, connect to the server with Remote Desktop.
Instructions for using the Reset User Password Script Examples
- Copy and paste the example script below into notepad or a VBScript editor.
- Decide whether to change the OU and "default" password by editing the value for strContainer = "OU=Your Users, " and strPassword = "!P@ssw0rd". Of course you need to have some users in the OU referenced by strContainer, and if you are using complex passwords your default password must meet the complexity requirements.
- Save the file with a .vbs extension, for example: SetPassword.vbs.
- Double click SetPassword.vbs and check the Users container for strUser.
- This script DOES NOT set the "must change on next logon" flag. It does a password reset to a permanent new password.
Method #1 Sample Script to Reset User Passwords to a new Permanent Password
This method resets user passwords in the target OU to a new permanent password. It does not set the "must change on next login" flag.
Change the OU and "default" password by editing the value for strContainer = "OU=Your Users, " and strPassword = "!P@ssw0rd". The OU in strContainer must match the name of your target OU in AD and is case sensitive! Of course you also need to have some users in the OU referenced by strContainer, and if you are using complex passwords your default password must meet the complexity requirements of the domain password policy.
' ResetPassword.vbs
' Sample VBScript to set user password in a named OU.
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' -------------------------------------------------------------'
' Important change OU= to reflect your target OU
' -------------------------------------------------------------'
strContainer = "OU=Your Users, "
strPassword = "!P@ssw0rd"
strContainer = strContainer & strDNSDomain
' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword strPassword
        objUser.SetInfo
    End If
Next
WScript.Quit
' End of Example VBScript: ResetPassword
Method #2 Sample Script to Reset User Passwords and set "Must Change on Next Login"
This script builds on Method #1; we recommend you check over the previous script before tackling this more advanced example. As you reset the account password, perhaps you want to force the users to change their password at next logon. The script below will accomplish this nicely.
Change the OU and "default" password by editing the value for strContainer = "OU=Your Users, " and strPassword = "!P@ssw0rd". The OU in strContainer must match the name of your target OU in AD and is case sensitive! Of course you also need to have some users in the OU referenced by strContainer, and if you are using complex passwords your default password must meet the complexity requirements of the domain password policy.
Sample Script to Reset Passwords and Force Users to Change Password at Next Logon
' ResetTemporaryPassword.vbs
' Sample VBScript to reset password and force user to change password at next logon
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
Dim intPwdValue
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' -------------------------------------------------------------'
' Important change OU= to reflect your target OU
' -------------------------------------------------------------'
strContainer = "OU=Your Users, "
strPassword = "!P@ssw0rd"
strContainer = strContainer & strDNSDomain
' Here we force a change of password at next logon
' 0 = must change at next logon, -1 = treat the password as just set
intPwdValue = 0
' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword strPassword
        ' userAccountControl is not written in this method (see Method #3)
        objUser.Put "pwdLastSet", intPwdValue
        objUser.SetInfo
    End If
Next
WScript.Echo "Password is " & strPassword & vbCr & "Check " & strContainer
WScript.Quit
' End of Free Sample ResetTemporaryPassword Script
Method #3 Sample Script to Enable User or Change User to Password Expiring, Reset Password and Force User to Change Password at Next Logon
This script builds on Method #2; we recommend you check over the previous script before tackling the more advanced example below. As you reset the account password, there are two other factors that you may wish to include in the script. If the account is disabled, is marked with "password never expires", or is flagged as a "System Account", you may wish to enable it and set it to a normal, password expiring user with userAccountControl = 512. In addition to resetting the password and changing the UAC of the account, perhaps you want to force the users to change their password at next logon. You can do all of this with the script below.
Change the OU and "default" password by editing the value for strContainer = "OU=Your Users, " and strPassword = "!P@ssw0rd". The OU in strContainer must match the name of your target OU in AD and is case sensitive! Of course you also need to have some users in the OU referenced by strContainer, and if you are using complex passwords your default password must meet the complexity requirements of the domain password policy.
' ResetPasswordAndUAC.vbs
' Sample VBScript to change UAC and force user to change password at next logon
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' -------------------------------------------------------------'
' Important change OU= to reflect your target OU
' -------------------------------------------------------------'
strContainer = "OU=Your Users, "
strPassword = "!P@ssw0rd"
strContainer = strContainer & strDNSDomain
' Here is where we set the value to enable or change the UAC on user accounts
' 512 = Enable, 514 = Disable, 544 = System Account.
intAccValue = 512
' Here we force a change of password at next logon
' Change this to -1 if you do not want to enforce change on next login, or delete the command
intPwdValue = 0
' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword strPassword
        objUser.Put "userAccountControl", intAccValue
        objUser.Put "pwdLastSet", intPwdValue
        objUser.SetInfo
    End If
Next
WScript.Echo "Password is " & strPassword & vbCr & _
"UserAccountControl = " & intAccValue & vbCr & "Check " & strContainer
WScript.Quit
' End of Free Sample ResetPasswordAndUAC Script
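Writing userAccountControl = 512 replaces the whole flag field, so every other flag set on an account is cleared along with the three conditions Method #3 targets. The following added example (not one of the original scripts) previews the change per user and clears only those three flags; the file name, the UF_ constant names, blnApply and the two helper functions are assumptions for illustration.

```vbscript
' PreviewUAC.vbs (added example; file name is hypothetical)
' Reports, and optionally applies, a flag-by-flag userAccountControl change.
Option Explicit
Const UF_ACCOUNTDISABLE = &H2           ' 2     account is disabled
Const UF_PASSWD_NOTREQD = &H20          ' 32    544 = 512 + 32
Const UF_NORMAL_ACCOUNT = &H200         ' 512   ordinary user account
Const UF_DONT_EXPIRE_PASSWD = &H10000   ' 65536 password never expires

Dim objRootDSE, objOU, objUser
Dim strContainer, strReport, lngOld, lngNew, blnApply

blnApply = False   ' False = report only, True = also write the new value

Set objRootDSE = GetObject("LDAP://RootDSE")
strContainer = "OU=Your Users, " & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer)

For Each objUser In objOU
    If objUser.Class = "user" Then
        lngOld = objUser.Get("userAccountControl")
        lngNew = NormalizeUAC(lngOld)
        strReport = strReport & objUser.Get("sAMAccountName") & ": " & _
            lngOld & " -> " & lngNew & ClearedFlags(lngOld) & vbCrLf
        If blnApply And lngNew <> lngOld Then
            objUser.Put "userAccountControl", lngNew
            objUser.SetInfo
        End If
    End If
Next
If strReport = "" Then strReport = "No user objects in " & strContainer
WScript.Echo strReport

' Set NORMAL_ACCOUNT and clear only the three flags Method #3 is meant to fix.
Function NormalizeUAC(lngValue)
    NormalizeUAC = (lngValue Or UF_NORMAL_ACCOUNT) And Not _
        (UF_ACCOUNTDISABLE Or UF_PASSWD_NOTREQD Or UF_DONT_EXPIRE_PASSWD)
End Function

' Names the flags that NormalizeUAC would clear for this account.
Function ClearedFlags(lngValue)
    Dim strOut
    If lngValue And UF_ACCOUNTDISABLE Then strOut = strOut & " [disabled]"
    If lngValue And UF_PASSWD_NOTREQD Then strOut = strOut & " [password not required]"
    If lngValue And UF_DONT_EXPIRE_PASSWD Then strOut = strOut & " [password never expires]"
    ClearedFlags = strOut
End Function
```

Run it with cscript so the report prints to the console, and review the output on a test OU before setting blnApply to True.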
For more guides, visit our website at http://www.sysoptools.com/