The ability to manage user access and credentials is an essential component of IT administration. Whether it’s a large organization with complex IT needs or a smaller business with straightforward requirements, one common task is password management. The provided script showcases a method for how to reset user passwords using PowerShell, either for local Windows users or within an Active Directory environment.
Background
The script is primarily designed to offer IT professionals and Managed Service Providers (MSPs) a streamlined approach to reset user passwords without diving deep into the system’s user interfaces. With the ever-increasing number of users and the constant requirement to enforce security practices, having a tool that quickly and reliably performs such operations is invaluable. This script, particularly when combined with tools like NinjaOne, offers automation and efficiency for these tasks.
The Script
#Requires -Version 5.1
<#
.SYNOPSIS
Resets a users password.
.DESCRIPTION
Resets a users password. Either a local user that this script runs on, or in Active directory.
.EXAMPLE
-UserName "Fred" -Password "Somepass1"
Resets Fred's password to Somepass1 .
.EXAMPLE
-UserName "Fred" -Password "Somepass1" -IsDomainUser
Resets Fred's password to Somepass1 in Active Directory.
.EXAMPLE
PS C:> .Reset-User-Password.ps1 -UserName "Fred" -Password "Somepass1" -IsDomainUser
Resets Fred's password to Somepass1 in Active Directory.
.OUTPUTS
None
.NOTES
Minimum OS Architecture Supported: Windows 10, Windows Server 2012
The RSAT feature for Active Directory needs to be installed on the computer this runs on.
Release Notes:
Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
ManageUsers
#>
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[String]
$UserName,
[Parameter(Mandatory = $true)]
[String]
$Password,
[Switch]
$IsDomainUser
)
begin {
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
{ Write-Output $true }
else
{ Write-Output $false }
}
}
process {
if (-not (Test-IsElevated)) {
Write-Error -Message "Access Denied. Please run with Administrator privileges."
exit 1
}
if ($IsDomainUser) {
# Active Directory
# Check if the ActiveDirectory module is installed
if ((Get-Module -Name ActiveDirectory -ListAvailable -ErrorAction SilentlyContinue)) {
try {
# Try to import the ActiveDirectory module
Import-Module -Name ActiveDirectory
}
catch {
Write-Error -Message "Ninja Agent could not access AD, either RSAT was not installed or that the agent does not have permissions to add and remove users from groups."
exit 5 # Access Denied exit code
}
try {
$User = Get-ADUser -Identity $UserName
Set-ADAccountPassword -Identity $User -Reset -NewPassword $(ConvertTo-SecureString -String $Password -AsPlainText -Force)
Write-Host "Reset Password for user: $UserName"
exit 0
}
catch {
Write-Host "Failed to Reset Password for user: $UserName"
exit 1
}
}
else {
Write-Host "User ($UserName) does not exist."
exit 1
}
}
else {
$User = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if ($User) {
try {
Set-LocalUser -Name $UserName -Password $(ConvertTo-SecureString -String $Password -AsPlainText -Force) -Confirm:$false
Write-Host "Reset Password for user: $UserName"
exit 0
}
catch {
Write-Host "Failed to Reset Password for user: $UserName"
exit 1
}
}
else {
Write-Host "User ($UserName) does not exist."
exit 1
}
}
}
end {}
Access 300+ scripts in the NinjaOne Dojo
Detailed Breakdown
Parameters: The script starts by defining the parameters required, namely, the UserName and Password. There is also an optional switch for IsDomainUser which, when used, specifies that the operation is intended for an Active Directory user.
Initialization:
Before the main operation, the script checks if it’s being run with Administrator privileges. This is done using the Test-IsElevated function which checks the script’s current execution role.
Process:
Depending on the value of the IsDomainUser switch, the script branches into two distinct operations:
- Active Directory: If the IsDomainUser switch is set, the script checks for the ActiveDirectory module’s presence, imports it, and then attempts to reset the user’s password in the Active Directory.
- Local User: Without the IsDomainUser switch, the script targets a local user, checking for its existence and then attempting a password reset.
Potential Use Cases
Imagine an IT admin, John, managing a mid-sized company’s network infrastructure. He’s received multiple requests from employees who’ve forgotten their passwords. Instead of manually resetting them through the GUI, John uses this script. With a single command, he can now reset each user’s password, saving him time and ensuring a consistent approach.
Comparisons
Traditionally, resetting passwords in Windows or Active Directory would require GUI-based tools such as “Computer Management” for local users or “Active Directory Users and Computers” for AD users. While these tools are robust and feature-rich, they often involve multiple steps. This PowerShell script offers a more streamlined, command-line approach that can be easily integrated into automation workflows.
FAQs
- Is administrator privilege required?
Yes, the script must be run with administrator privileges. - Can this script handle both local and AD users?
Yes, by using the IsDomainUser switch, the script can target AD users.
Implications
While the script provides efficiency, it also carries the weight of security. Misuse can lead to unintended access or account lockouts. Always ensure that passwords are reset responsibly and with the user’s knowledge.
Recommendations
- Always take a backup before making large-scale changes.
- Test the script in a controlled environment before using it in production.
- Use strong, unique passwords when resetting.
Final Thoughts
For IT professionals seeking further automation and streamlined operations, tools like NinjaOne can complement this script. NinjaOne provides robust IT management solutions that integrate well with custom scripts like this, allowing professionals to get the most out of their infrastructure. Ensuring users can securely access their accounts is fundamental in IT management. By leveraging PowerShell and tools like NinjaOne, the complexities of tasks such as password resets can be reduced, allowing IT teams to focus on more pressing issues.
