Changing other user password from command line

I'm in an AD domain and I want to change someone's password (which is expired but I think it is irrelevant).

I'm not an AD admin, so net user <username> * /domain does not work.

I can change it by pressing CTRL+ALT+DELETE->Change Password and typing the old password, which I have; is there a command line equivalent of this process?


Solution 1:

Actually, if you're not a domain admin (or account admin), it's relevant: for an account with an expired password, you must do an interactive logon to change the password.

Otherwise, if you know the other user's password, you may launch a PowerShell session with those credentials and use the code that @Ryan Bolger just posted. Or even easier:

# -OldPassword and -NewPassword expect SecureString values, not plain strings
Set-ADAccountPassword otheruser -OldPassword (ConvertTo-SecureString 'typeoldpassword' -AsPlainText -Force) -NewPassword (ConvertTo-SecureString 'typenewpassword' -AsPlainText -Force)

**** EDIT ****

Forget everything above: you can do it with that command, as that command actually does an interactive logon. So just do:

Set-ADAccountPassword otheruser

and you'll be prompted for the old password, then the new password, then to retype the new password. I just tested it! :)

Solution 2:

If you know the LDAP distinguished name (DN) value for the user, you can do it with PowerShell like this:

$oldpass = 'XXXXXXX'
$newpass = 'XXXXXXX'
$user = [ADSI]"LDAP://CN=myuser,OU=MyOU,DC=example,DC=com"
$user.ChangePassword($oldpass,$newpass)

I should note that this method works even if the password has already expired, which is a nice bonus.

If you don't know the DN, it's only slightly harder because you'd have to search for a reference to the user first. Here's a one-liner that uses adsisearcher to find the user by sAMAccountName, though you can use whatever LDAP filter makes sense. You can use this in place of the $user = blah line above.

# FindOne() returns a SearchResult; GetDirectoryEntry() yields the object that exposes ChangePassword()
$user = ([adsisearcher]"(&(sAMAccountType=805306368)(sAMAccountName=myuser))").FindOne().GetDirectoryEntry()
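
The search and ChangePassword steps from Solution 2 combined into one function, as an added example that is not part of either answer. It prompts for the passwords instead of placing them on the command line or in variables typed at the prompt, and escapes the account name before it goes into the LDAP filter. The function name and prompt texts are hypothetical; it assumes Windows PowerShell 5 or later on a domain-joined machine.

```powershell
# Added example (hypothetical helper, not from the original answers).
function Invoke-OldPasswordChange {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # Escape LDAP filter metacharacters (RFC 4515) so the name cannot alter the filter.
    # The backslash must be handled first, before the other escapes introduce new ones.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'

    # Same filter as in Solution 2: user objects only, matched on sAMAccountName.
    $searcher = [adsisearcher]"(&(sAMAccountType=805306368)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) {
        throw "No user account found for '$SamAccountName'."
    }
    $user = $result.GetDirectoryEntry()

    # Prompt without echo, so the passwords never appear in console history.
    $old     = Read-Host -Prompt "Current password for $SamAccountName" -AsSecureString
    $new     = Read-Host -Prompt 'New password' -AsSecureString
    $confirm = Read-Host -Prompt 'Retype new password' -AsSecureString

    # ChangePassword takes plain strings, so unwrap the SecureStrings only for the call.
    $oldPlain     = [System.Net.NetworkCredential]::new('', $old).Password
    $newPlain     = [System.Net.NetworkCredential]::new('', $new).Password
    $confirmPlain = [System.Net.NetworkCredential]::new('', $confirm).Password

    if ($newPlain -cne $confirmPlain) {
        throw 'New passwords do not match.'
    }

    try {
        # Fails if the old password is wrong or the new one violates domain policy.
        $user.ChangePassword($oldPlain, $newPlain)
        Write-Host "Password changed for $SamAccountName."
    }
    catch {
        throw "Password change failed: $($_.Exception.Message)"
    }
}

# Usage: Invoke-OldPasswordChange -SamAccountName myuser
```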