Change password of new Windows domain user account without logging into the account?

I've been assigned an additional domain user account, user2, with a password P@ssw0rd that must be changed before I can start using the account.

I don't want to log into user2 from the Windows logon screen; instead I want to change user2's password from my current user user1, and then use the user2 account using e.g. runas commands.

If I try to change user2's password by net user user2 NewP@ssw0rd /domain, I get the error:

System error 5 has occurred.

Access is denied.

How can I change user2's password without logging into the account from Windows logon screen?


Solution 1:

You are attempting to reset the password using that command. The only way you can actually change a password is by providing the old password as well as the new. These are two different operations, and require different permissions.

You can achieve this (changing another user's password without logging in as that account) one of two ways (that I easily recall from memory):

  1. While logged onto a domain computer (under any account), hit Ctrl+Alt+Del, choose "Change Password". Change the username from the current username to the username of the account whose password you wish to change. Enter that account's current password, and the new password twice. That should change the password on the account.

  2. You can use the Set-ADAccountPassword cmdlet - again by providing both the oldpassword and newpassword values, and not using the Reset parameter.


Yes, it's weird, but technically EVERYONE has the "Change Password" permission on every AD account - this allows unauthenticated users, members of the EVERYONE special identity, to change the password - as long as they know the current password.
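
Option 2 from the answer above, written out as an added example (not part of the original answer). It assumes the ActiveDirectory module (RSAT) is installed and uses user2, the account name from the question; the helper ConvertTo-PlainText is a hypothetical name introduced here.

```powershell
# Requires the ActiveDirectory module (RSAT); run from user1's session on a domain-joined machine.
Import-Module ActiveDirectory -ErrorAction Stop

$identity = 'user2'   # account name from the question

# Prompt so neither password lands on the command line or in shell history.
$old     = Read-Host -AsSecureString -Prompt "Current password for $identity"
$new     = Read-Host -AsSecureString -Prompt "New password for $identity"
$confirm = Read-Host -AsSecureString -Prompt "Confirm new password"

# SecureStrings cannot be compared directly; unwrap briefly in memory for the check.
# (ConvertTo-PlainText is a helper defined for this example only.)
function ConvertTo-PlainText([securestring]$s) {
    [System.Net.NetworkCredential]::new('', $s).Password
}
if ((ConvertTo-PlainText $new) -cne (ConvertTo-PlainText $confirm)) {
    throw 'New password and confirmation do not match.'
}

try {
    # -OldPassword together with -NewPassword is a *change* operation.
    # -Reset is deliberately omitted, so no reset rights on user2 are needed.
    Set-ADAccountPassword -Identity $identity -OldPassword $old -NewPassword $new -ErrorAction Stop
    Write-Host "Password changed for $identity."
}
catch {
    # Typical causes: wrong current password, or the new one fails the domain password policy.
    Write-Error "Password change failed: $($_.Exception.Message)"
}
```

Unlike the net user attempt in the question, this never places either password in the command line, where it could be captured in shell history or process command-line logs.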