Reset Password for users!!!

  • Question

  • Is it possible to write a script that runs on a client system and asks the user to change his/her password?

    (Old Password/New Password) (Active Directory). It is because we need to give another user account to users to use for FTP access, and we need them to change their passwords without having to use the Windows logon screen.

    Appreciate all.

    • Moved by Bill_Stewart Thursday, October 9, 2014 2:17 AM Abandoned
    Sunday, July 6, 2014 12:16 PM

All replies

  • Your question does not make any sense.

    A user cannot change the password without logging in.

    To change password see: http://support.microsoft.com/kb/149427


    ¯\_(ツ)_/¯

    Sunday, July 6, 2014 12:28 PM
  • I don't understand why you're trying to do it this way either.  It's easier if you want to have everyone change their password at logon by enabling the must change at logon attribute.

    I just finished a project at work, where I changed >400,000 passwords.  Here's some of my lessons learned:

    1) If you have users that are smart card logon required, you can scramble their passwords without them needing to know their new password.  However, if you perform the change while the user is logged on, you'll risk locking out the account.

    2) Be sure to exclude service accounts.  They'll need done in a controlled manner, obviously.

    3) For human, non Smart Card enforced accounts, you should establish a cutoff date, then enforce a force change.

    Some Examples:

    # Establish a cutoff date
    $date = Get-date -date 7/1/2014
    
    #Find users that need changed (Find a way to exempt svc accounts)
    $Target = Get-ADUser -filter {passwordlastset -lt $date} -properties passwordlastset
    
    #Review the list
    $Target | FT Samaccountname,passwordlastset -auto | more
    
    # When ready, set them to force change
    $Target | Foreach-Object ({ Set-ADUser $($_.samaccountname) -ChangePasswordAtLogon $True })
    
    # Repeat this process to monitor the accounts that have changed vs noncompliant.
    

    This isn't a simple request, it needs to be well thought out, planned and communicated to your users.  

    I hope this helps.


    - Chris Ream -

    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

    Sunday, July 6, 2014 2:42 PM
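
    The exemptions described in the post above (service accounts, smart-card-required accounts, a cutoff date), as an added example that is not part of the original post. The `svc-*` naming convention, the function names and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: classify accounts before setting "change at next logon".
# Assumptions: service accounts are named svc-* or carry an SPN; sample data is constructed.
# Note: Set-ADUser rejects -ChangePasswordAtLogon $true when PasswordNeverExpires is set.
function Select-ForceChangeCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $User,
        [Parameter(Mandatory=$true)] [datetime] $Cutoff,
        [string] $ServiceNamePattern = 'svc-*'
    )
    process {
        $reason = $null
        if (-not $User.Enabled) { $reason = 'disabled' }
        elseif ($User.SamAccountName -like $ServiceNamePattern -or $User.ServicePrincipalNames) {
            $reason = 'service account: change in a controlled manner'
        }
        elseif ($User.SmartcardLogonRequired) { $reason = 'smart card required: handle separately' }
        elseif ($User.PasswordNeverExpires) { $reason = 'password never expires' }
        elseif (-not $User.PasswordLastSet) { $reason = 'never set or already flagged' }
        elseif ($User.PasswordLastSet -ge $Cutoff) { $reason = 'changed since cutoff' }

        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            ForceChange     = -not $reason
            SkipReason      = $reason
        }
    }
}

# Constructed stand-ins for Get-ADUser output (hypothetical accounts).
function New-SampleUser($Name, $LastSet, [switch]$SmartCard, [switch]$NeverExpires, $Spn = @()) {
    [pscustomobject]@{ SamAccountName = $Name; Enabled = $true; PasswordLastSet = $LastSet
        SmartcardLogonRequired = [bool]$SmartCard; PasswordNeverExpires = [bool]$NeverExpires
        ServicePrincipalNames = $Spn }
}
$sample = @(
    New-SampleUser 'jdoe'       ([datetime]'2014-03-02')
    New-SampleUser 'asmith'     ([datetime]'2014-07-05')
    New-SampleUser 'svc-backup' ([datetime]'2012-01-15') -NeverExpires
    New-SampleUser 'webapp01'   ([datetime]'2013-05-01') -Spn 'HTTP/web01.example.test'
    New-SampleUser 'bjones'     ([datetime]'2013-09-09') -SmartCard
)

$report = $sample | Select-ForceChangeCandidate -Cutoff ([datetime]'2014-07-01')
$report | Format-Table -AutoSize
# After review, on a real directory (Get-ADUser with -Properties for the fields above):
# $report | Where-Object { $_.ForceChange } |
#     ForEach-Object { Set-ADUser $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf }
```

    With the sample data only `jdoe` is marked `ForceChange`; every other row carries the reason it was skipped, which gives a reviewable record before anything is changed.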
  • Thank you for your responses. Let me be clear about the situation.

    Our users have Username A to log in to Windows and Username B for connecting to FTP.

    We need to force them to change their password for Username B when they are logged on with Username A in Windows (we don't want to allow them to log on with Username B to change B's password).

    Is there any way to force users to change B's password when they are logged in, whether by script or otherwise?

    Thanks a lot, friends.

    Sunday, July 6, 2014 5:15 PM
  • As stated above.  A Windows user cannot change another users password.  They must log into the second account to change the password.

    It is possible for you to have a consultant design a system for you that would help to accomplish what you are trying to accomplish.  It is not a scripting issue.  It is a technical design and implementation issue. 

    If you have a script or script question you can ask it.  We cannot guess at how to design your system.


    ¯\_(ツ)_/¯

    Sunday, July 6, 2014 6:21 PM
  • Do the users have access to PowerShell and the AD module? If so, this should work:

    Set-ADAccountPassword -Identity UserNameHere -OldPassword (Read-Host "Old Password" -AsSecureString) -NewPassword (Read-Host "New Password" -AsSecureString)

    If they can use PowerShell but don't have the AD module, you can make a function that uses ADSI. It would be a very short and simple function, so I wouldn't mind writing one if you need it.

    Sunday, July 6, 2014 6:29 PM
  • Thank you Rohn

    It could help, but please provide the rest of the way to achieve the goal. I can't use Set-ADAccount in Windows 7 without installing the AD PowerShell module (we don't want to install modules in Windows 7).

    Thanks a lot

    Monday, July 7, 2014 10:39 AM
  • Try this out:

    function Set-FtpPassword {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory=$true, Position=0)]
            [string] $UserName,
            [Parameter(Mandatory=$true, ParameterSetName="ChangePassword")]
            [securestring] $OldPassword,
            [Parameter(Mandatory=$true, ParameterSetName="ChangePassword")]
            [Parameter(Mandatory=$true, ParameterSetName="SetPassword")]
            [securestring] $NewPassword
        )
    
        # Escape LDAP filter metacharacters so a name such as "*" cannot match a different account
        $EscapedName = $UserName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    
        # Search for user; the searcher is disposed of whether or not a match is found
        $Searcher = [adsisearcher]"(samAccountName=$EscapedName)"
        try {
            $UserSearchResult = $Searcher.FindOne()
            if ($UserSearchResult) {
                # Get directory entry before the searcher goes away
                $User = $UserSearchResult.GetDirectoryEntry()
            }
        }
        finally {
            $Searcher.Dispose()
        }
    
        if (-not $UserSearchResult) {
            Write-Error "Couldn't find user '$UserName'"
            return
        }
    
        # Decrypt passwords (not secure). Each one is handled on its own because
        # $OldPassword is not supplied in the SetPassword parameter set.
        $NewPasswordDecrypted = (New-Object System.Net.NetworkCredential "", $NewPassword).Password
        if ($OldPassword) {
            $OldPasswordDecrypted = (New-Object System.Net.NetworkCredential "", $OldPassword).Password
        }
    
        # Method called and arguments used are different depending on which passwords
        # are provided. Figure out the method and its arguments:
        $MethodName = $PSCmdlet.ParameterSetName
        switch ($PSCmdlet.ParameterSetName) {
            ChangePassword {
                $Arguments = @($OldPasswordDecrypted, $NewPasswordDecrypted)
            }
            SetPassword {
                $Arguments = @($NewPasswordDecrypted)
            }
            default {
                Write-Error "Unknown parameter set name"
                return
            }
        }
    
        try {
            # Call either SetPassword or ChangePassword and save the changes
            $User.Invoke($MethodName, ([string[]] $Arguments))
            $User.CommitChanges()
            Write-Verbose "Password for $UserName changed"
        }
        catch {
            Write-Error $_
            return
        }
        finally {
            $User.Dispose()
        }
    }
    
    

    You'd call it like this:

    Set-FtpPassword -UserName UserNameHere -OldPassword (Read-Host "Old Password" -AsSecureString) -NewPassword (Read-Host "New Password" -AsSecureString)

    The function really only uses secure strings as a way to hide the passwords on the command line, so they're not treated with the respect they deserve inside the function.


    Monday, July 7, 2014 12:24 PM