Changing users' passwords with PowerShell and generating a random password

Hi all.
The other day I had to change the passwords for a bunch of users on the fly. Because there were so many, I decided to do it in an automated way, and I would like to share it with you all.
If you are not running it directly on a Domain Controller (DC), you need to install and import the Active Directory (AD) module, and you also need the required privileges to change passwords.
This script processes every user in the specified Organizational Unit (OU), without selecting individual users, so be careful if you decide to use it.
Warning: If you decide to use this script, test it first in a lab environment. Do it at your own risk.
This script will check the users in a specified Organizational Unit (OU) and then generate a random alphanumeric password with 8 char length for each of them.
Of course we can do more, but I don't want to complicate things; I just want to show you how it can be done. This is just one way of doing it.
#This is the file that will be generated with the users account ID and the password generated.
[String]$path = ".\NewPass.txt"

#This will check if the file exists and will delete it so a new one can be created from scratch.
#If the file doesn't exist, nothing is deleted and the script continues.
if (Test-Path $path) { Remove-Item $path }

<# Required Assembly to Generate Passwords #>
Add-Type -Assembly System.Web

#In my case I created a OU for test purposes.
#You need to change it to meet your requirements.
#(The original value is missing from this page; the line below is a placeholder.)
$OU = "OU=<YourTestOU>,DC=<example>,DC=<com>"

#Get the users inside the OU specified in the Options Above
$users = Get-ADUser -Filter * -SearchBase $OU

foreach ($Name in $users.SamAccountName) {
    #Variable that will receive the random password
    #(The original assignment is missing from this page; this call is an assumed reconstruction:
    # 8 characters, second argument = minimum number of non-alphanumeric characters.)
    $NewPassword = [System.Web.Security.Membership]::GeneratePassword(8, 0)

    #The code below will change the password and will set the Option to change the password on the next logon.
    Set-ADAccountPassword -Identity $Name -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $NewPassword -Force)
    Get-ADUser -Identity $Name | Set-ADUser -ChangePasswordAtLogon:$true

    #Here will write the info to the file, so you can communicate to your users the new password.
    Write-Output "UserID:$Name `t Password:$NewPassword`n`n" |FT -AutoSize >>NewPass.txt
}



Now we just need to test the script: open PowerShell, type the name of your PowerShell file followed by [ENTER] (in my case it is Random.ps1) and wait until the execution finishes. This could take some time, depending on the number of users inside the Organizational Unit (OU).

If everything went well, no message is displayed. Now you need to open the txt file generated by the script and check the usernames and new passwords for the users.
Please note that in my case the path where the file is saved is defined at the beginning of my script like this:
[String]$path= ".\NewPass.txt"

That's it. I hope it helps someone.

Next time I'll create a new article with more complex things: searching for specific object types, selecting different Organizational Units (OUs) and so on.

Feel free to comment or just to suggest what else you would like to see with PowerShell.



Expert Comment

Instead of using "FT -AutoSize >>NewPass.txt", I'd pipe it into "Export-CSV NewPass.csv -Append "

Expert Comment

by:rob ert
Hello...
This is very helpful, but the generated passwords are very heavy... How can I make the generated passwords alphanumeric with only lowercase and numbers? And export it to a csv file?

Author Comment

by:David Paris Vicente
Hi all,

Thank you all for your comments.
@robert, for you to be able to do that with the code above you will need to use regexp, but I believe you can achieve it in an easier way; check the example below.

In my code I have:


If you change it to:
$NewPassword = -join ((97..122) | Get-Random -Count 10 | % {[char]$_})


This will generate random chars in lower case only.

If you also want capital letters, you need to use the ASCII table to check the value of each char. Let's see an example.

$NewPassword = -join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_})


The output will be a random string.

Now if you want to add numbers, you can do it by adding the ASCII value related with numbers. Let's check it.

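$finalpass = ''   # start from an empty string so += concatenates instead of adding numbers
$NewPassword = ((0..9) + (65..90) + (97..122) | Get-Random -Count 10 | % {[int32]$_})
Foreach($pass in $NewPassword){
    if ($pass -le 9){
        $finalpass += $pass          # 0..9 are appended as the digits themselves
    }else {
        $finalpass += [char]$pass    # 65..90 and 97..122 are ASCII letters
    }
}
Write-Host $finalpass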


I believe this can do the trick. I didn't have too much time to test it, but I can see that some random passwords could only have letters.

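Then you can export it to a csv file piping the variable $finalpass
# wrapped in an object: a bare string piped to Export-CSV would export only its Length property
[pscustomobject]@{ Password = $finalpass } | Export-CSV c:\NewPass.csv -Append -NoTypeInformation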


With this little code you already have the tools to start tweaking and accomplish your goal.

I hope it helps.



Expert Comment

by:rob ert
Alright, I managed to make it generate lowercase letter + letters using your code and it works perfectly, thanks a lot.
I have another question, I hope I'm not being annoying... The exported csv shows like Capture.PNG... How can I make it like this Capture2.PNG... If you notice, the users are not consecutive; they should be ige1 ige2 ige3 ige4 ige5 etc. instead of userID: and password: in every row... Plus, is there a way to select specific users from that OU?
Your help is much appreciated...
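
Added example (not part of the original article or comments, and not the author's code): a generator for the lowercase-plus-digits passwords discussed in the comments that guarantees at least one character from each class, so the letters-only results noted in the author's reply cannot occur, and that writes one UserID,Password row per user as the last comment asks. The function name `New-RandomPassword`, the sample IDs and the output path are assumptions; random values come from the .NET `RandomNumberGenerator` class rather than `Get-Random`.

```powershell
# Added example: names and sample users are constructed for illustration.
function New-RandomPassword {
    param(
        [int]$Length = 10,
        # One string per character class; the result has at least one of each.
        [string[]]$Classes = @('abcdefghijklmnopqrstuvwxyz', '0123456789')
    )
    if ($Length -lt $Classes.Count) { throw "Length must be >= $($Classes.Count)." }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Uniform integer in [0, $Max): rejection sampling avoids modulo bias.
        $next = {
            param([int]$Max)
            $buf   = New-Object byte[] 4
            $limit = 4294967296 - (4294967296 % $Max)
            do {
                $rng.GetBytes($buf)
                $n = [long][System.BitConverter]::ToUInt32($buf, 0)
            } while ($n -ge $limit)
            [int]($n % $Max)
        }

        # One character from every class first, then fill from the full alphabet.
        $all   = -join $Classes
        $chars = @(foreach ($c in $Classes) { $c[(& $next $c.Length)] })
        while ($chars.Count -lt $Length) { $chars += $all[(& $next $all.Length)] }

        # Fisher-Yates shuffle so the guaranteed characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = & $next ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        -join $chars
    }
    finally { $rng.Dispose() }
}

# Constructed sample IDs. Against AD they could come from, for example:
#   (Get-ADUser -Filter "SamAccountName -like 'ige*'" -SearchBase $OU).SamAccountName
$sampleUsers = 'ige1', 'ige2', 'ige3'

$rows = foreach ($id in $sampleUsers) {
    [pscustomobject]@{ UserID = $id; Password = New-RandomPassword -Length 10 }
}
# One header row (UserID,Password), then one row per user.
$rows | Export-Csv -Path .\NewPass.csv -NoTypeInformation
```

The resulting CSV holds plaintext credentials, so write it to a directory only the operator can read and delete it once the passwords have been handed over.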
