- Reference
- Module: ActiveDirectory
Modify the password of an Active Directory account.
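Syntax
Set-ADAccountPassword [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADAccount> [-NewPassword <SecureString>] [-OldPassword <SecureString>] [-Partition <String>] [-PassThru] [-Reset] [-Server <String>] [<CommonParameters>]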
Description
The Set-ADAccountPassword cmdlet sets the password for a user, computer, or service account.
The Identity parameter specifies the Active Directory account to modify.
You can identify an account by its distinguished name, GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable, or you can pipe an object to the Identity parameter.
For example, you can use the Search-ADAccount cmdlet to retrieve an account object and then pipe the object to the Set-ADAccountPassword cmdlet. Similarly, you can use Get-ADUser, Get-ADComputer, or, for standalone MSAs, Get-ADServiceAccount to retrieve account objects that you can pipe to this cmdlet.
Note: You cannot set the password of a group MSA, because the password is changed at regular intervals.
For Active Directory Lightweight Directory Services (AD LDS) environments, you must specify the Partition parameter, with the following two exceptions:
- The cmdlet is run from an Active Directory provider drive.
- A default naming context or partition is defined for the AD LDS environment.
To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance.
Examples
Example 1: Set a password for a user account using a distinguished name
PS C:\> Set-ADAccountPassword -Identity 'CN=Elisa Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
This command sets the password of the user account with distinguished name CN=Elisa Daugherty,OU=Accounts,DC=Fabrikam,DC=com to p@ssw0rd.
Example 2: Change a specific user's password
PS C:\> Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "qwert@12345" -Force)
This command sets the password of the user account with SamAccountName elisada to qwert@12345. Using the -NewPassword parameter with a value, without specifying a value for the -OldPassword parameter, also resets the password.
Example 3: Prompt a specified user to change their password
PS C:\> Set-ADAccountPassword -Identity EvanNa
Enter the current password of 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password: *************
Enter required Password For "CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com"
Password: *****************
Verify Password: *****************
This command sets the password of the user account with distinguished name CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com. The cmdlet prompts you for the old and new passwords.
Example 4: Prompt the user for a new password stored in a temporary variable
PS C:\> $NewPassword = (Read-Host -Prompt "Ingrese nueva contraseña" -AsSecureString)
Ingrese nueva contraseña: ********
PS C:\> Set-ADAccountPassword -Identity DavidChe -NewPassword $NewPassword -Reset
This command prompts the user for a new password, which is stored in a temporary variable named $NewPassword and then used to reset the password of the user account with SamAccountName DavidChe.
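The following is an added example, not part of the original reference page. It combines pipeline input to Identity with -Reset, -PassThru, -Server, and -WhatIf to issue a temporary password that must be changed at next logon. The function name Reset-TemporaryPassword and the server name dc01.fabrikam.com are hypothetical placeholders, and Set-ADUser comes from the same ActiveDirectory module.

```powershell
# Added example; not part of the original reference page.
# Hypothetical names: Reset-TemporaryPassword, dc01.fabrikam.com (writable DC placeholder).
Import-Module ActiveDirectory -ErrorAction Stop

function Reset-TemporaryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Account objects arrive through the pipeline, for example from Get-ADUser.
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser] $User,

        # Must be a writable domain controller, not an RODC or a global catalog port.
        [Parameter(Mandatory)]
        [string] $Server
    )
    process {
        if (-not $PSCmdlet.ShouldProcess($User.DistinguishedName, 'Reset password')) {
            return   # -WhatIf or a declined -Confirm: no prompt, no change
        }
        # One prompt per account, read as a SecureString so the value never
        # appears on the command line or in the PowerShell history.
        $temp = Read-Host -Prompt "Temporary password for $($User.SamAccountName)" -AsSecureString
        try {
            # -Reset needs no -OldPassword; -PassThru emits the account so the
            # next cmdlet can require a password change at next logon.
            $User |
                Set-ADAccountPassword -Reset -NewPassword $temp -Server $Server -PassThru -Confirm:$false |
                Set-ADUser -ChangePasswordAtLogon $true -Server $Server -Confirm:$false
        }
        finally {
            $temp.Dispose()
        }
    }
}

# Dry run first, then repeat without -WhatIf to apply the change.
Get-ADUser -Identity DavidChe -Server 'dc01.fabrikam.com' |
    Reset-TemporaryPassword -Server 'dc01.fabrikam.com' -WhatIf
```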
Parameters
-AuthType
Specifies the authentication method. Acceptable values for this parameter are:
- Negotiate or 0
- Basic or 1
The default authentication method is Negotiate.
The Basic authentication method requires a Secure Sockets Layer (SSL) connection.
Type: | ADAuthType |
Accepted values: | Negotiate, Basic |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
Specifies the user account credentials to use for this task. The default credentials are those of the currently logged on user, unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can enter a user name, such as User1 or Domain01\User01, or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts you for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
The Active Directory module for Windows PowerShell returns a terminating error if the credentials it is running under do not have directory-level permission to perform the task.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Identity
Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the Lightweight Directory Access Protocol (LDAP) display name of the attribute. Acceptable values for this parameter are:
- A distinguished name
- A GUID (objectGUID)
- A security identifier (objectSid)
- A SAM account name (sAMAccountName)
The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.
This parameter can also receive the object through the pipeline, or you can set this parameter to an object instance.
Type: | ADAccount |
Position: | 0 |
Default value: | None |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-NewPassword
Specifies a new password value. The value is stored as an encrypted string.
Type: | SecureString |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-OldPassword
Specifies the most recent password value. The value is handled as an encrypted string.
Type: | SecureString |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Partition
Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
In many cases, a default value is used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Rules listed first are evaluated first, and once a default value has been determined, no further rules are evaluated.
In an Active Directory Domain Services environment, the default value of Partition is determined as follows:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from that distinguished name.
- If the cmdlet is run from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If none of the above applies, the default value of Partition is set to the default partition or naming context of the target domain.
In an AD LDS environment, the default value of Partition is determined as follows:
- If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from that distinguished name.
- If the cmdlet is run from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
- If the target AD LDS instance has a default naming context, the default value of Partition is set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent object (nTDSDSA) for the AD LDS instance.
- If none of the above applies, the Partition parameter does not take a default value.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PassThru
Returns an object representing the item you are working with. By default, this cmdlet produces no output.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Reset
Specifies that the password of the account is to be reset. When you use this parameter, set the NewPassword parameter. You do not have to specify the OldPassword parameter.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Server
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service can be any of the following: Active Directory Lightweight Directory Services, Active Directory Domain Services, or an Active Directory snapshot instance.
Domain name values:
- Fully qualified domain name (FQDN)
- NetBIOS name
Directory server values:
- Fully qualified directory server name
- NetBIOS name
- Fully qualified directory server name and port
The default value of the Server parameter is determined by one of the following methods, in the order in which they are listed:
- By using the Server value of objects passed through the pipeline.
- By using the server information associated with the Active Directory provider drive, when the cmdlet runs in that drive.
- By using the domain of the computer running Windows PowerShell.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
ADAccount
An account object is received by the Identity parameter.
The following derived types are also accepted:
- Microsoft.ActiveDirectory.Management.ADUser
- Microsoft.ActiveDirectory.Management.ADComputer
- Microsoft.ActiveDirectory.Management.ADServiceAccount
Outputs
None
Notes
- This cmdlet does not work with Active Directory snapshots.
- This cmdlet does not work on read-only domain controllers. This cmdlet has no effect when connected to a global catalog port.
Related links
- Get-ADComputer
- Get-ADServiceAccount
- Get-ADUser
- Search-ADAccount
- AD DS Management cmdlets in Windows PowerShell