Changing users password with Power Shell and generate a random password.

David Paris VicenteInfrastructure Designer
Hi all.
The other day I had to change the passwords for a bunch of users on the fly. Because they were so many, I decided to do it in an automated way and I would like to share it with you all.
If you are not doing it directly in a Domain Controller (DC) you need to install and import the Active Directory (AD) module and you also need the required privileges to change passwords.
This script will check the users in a specified Organizational Unit (OU) without specifying any user, so be careful if you decide to use it.
Warning: If you decide to use this script test it first in a lab environment. Do it at your own risk.
This script will check the users in a specified Organizational Unit (OU) and then generate a random alphanumeric password with 8 char length.
Of course we can do more stuff but I don't want to complicate and I just want to show you how it can be done. This is just one way of doing it.
#This is the file that will be generated with the users account ID and the password generated.
                      [String]$path= ".\NewPass.txt"
                      #This will check if the file exist and will delete that file so a new one can be created from the scratch
                      #If the doesn't exist will through an error saying that the file doesn't exist and will continue.
                      if ($path -ne $null){Remove-Item $path}
                      <# Required Assembly to Generate Passwords #>
                      Add-Type -Assembly System.Web
                      #In my case I created a OU for test purposes here it is.
                      #You need to change it to meet your requirements.
                      #Get the users inside the OU specified in the Options Above
                      $users=Get-ADUser -filter * -SearchBase $OU
                      foreach($Name in $users.samaccountname){
                      #Variable that will receive the random password
                      #The code below will change the password and will set the Option to change the password on the next logon.
                      Set-ADAccountPassword -Identity $Name -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $NewPassword -Force)
                      Get-ADUser -Identity $Name |Set-ADUser -ChangePasswordAtLogon:$true
                      #Here will write the info to the file, so you can communicate to your users the new password.
                      Write-Output "UserID:$name `t Password:$NewPassword" `n`n|FT -AutoSize >>NewPass.txt

Open in new window

  Now we just need to test the Script, open your PowerShell and write the name of your PowerShell file followed by [ENTER], in my case is Random.ps1 and wait until the execution finished. This could take some time, depends of the number of users inside the Organizational Unit (OU).

PS1.JPGIf everything went well, no message is displayed, now you need to open txt file generated by the script and check the usernames and new passwords for the users.
Please note that in my case the defined path to save my files is defined on the beginning of my script like this
[String]$path= ".\NewPass.txt".

That's it. I hope it helps someone.

Next time I'll create a new article with more complex things, to search specific object types, select different  Organizational Units (OUs) and so on.  

Feel free to comment or just to suggest what else you would like to see with PowerShell.



Comments (4)

Instead of using "FT -AutoSize >>NewPass.txt", I'd pipe it into "Export-CSV NewPass.csv -Append "

hello ...
this is very helpful , but the generated password are very heavy ... how can i make the generated passwords alphanumeric with only lowercase and numbers ? and export it to a csv file ?
David Paris VicenteInfrastructure Designer


Hi all,

Thank you all for your comments.
@robert for you to be able to do that with the code above you will need to use regexp, but I believe you can achieve it in a more easy way, check the example below.

In my code I have:

Open in new window

If you change it to:
$NewPassword = -join ((97..122) | Get-Random -Count 10 | % {[char]$_})

Open in new window

This will generate a random char only with lower cases.

If you also want to capital letters you need use the ASCII table to check the value of each char, lets see an example.

$NewPassword = -join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_})

Open in new window

The output will be a random string.

Now if you want to add numbers, you can do it by adding the ASCII value related with numbers. Lets check it.

$NewPassword =  ((0..8) + (65..90) + (97..122) | Get-Random -Count 10 | % {[int32]$_}) 
Foreach($pass in $NewPassword){
 if ($pass -le 8){
    $finalpass+= $pass 
 }else {
 $finalpass+= [char]$pass 
Write-Host $finalpass

Open in new window

I believe this can do the trick, I didn't had to much time to tested it, but I can see that some random passwords could only have letters.

Then you can export it to a csv file piping the  variable $finalpass
$finalpass|Export-CSV c:\NewPass.csv -Append  

Open in new window

With this little code you already have the tools to start tweaking and accomplish your goal.

I hope it helps.



alright i managed to make it generate lowercase letter + letters using ur code and it works perfectly thanks alot ..
i have another question i hope im not being annoying ... the exported csv shows like Capture.PNG ... how can i make it like this Capture2.PNG ... if you notice the users and not consecutive they should be ige1 ige2 ige3 ige4 ige5 etc instead of userID: and password: in every row... plus is there a way to select specific users from that OU ?
your help is much appreciated ...

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.