Skip navigation

Category Archives: Windows Server

So you’ve got a lot of users in your Active Directory domain whose passwords you need to change for whatever reason, but Windows is all just pointy-clicky, right? Wouldn’t it be better to just be able to use a nice unix-like terminal?

This is where I admit that I didn’t know a whole lot about Microsoft’s Powershell this time last year.

What is Powershell? Well, it’s kinda like the terminal you get on your nice *nix machine, except it’s built to manage Windows Server roles.

And it kinda works like a *nix terminal. You can pipe the output of one command into another command.

You can’t use awk or sed, which I find to be a drag, but.

So getting back to the problem presented at the outset of this post, yes, you can kinda use your *nix-brain to make this happen.

When I started researching this issue, all my searches pretty much ended with scripts that other folks had written, which is fine, except they were usually not known-good for the version of Server that I’m using and I couldn’t be arsed to loosen security settings such that I could import those scripts.

So, if you’re in this boat (or just want to know how the sausage gets made), here it is: How to Change AD Passwords in Bulk

First you need to prep your source material: a CSV file of, at minimum, AD usernames and new passwords. The important part in formatting this CSV is getting the correct headers in so that Powershell can read them and do the right things. If you’re only updating passwords, your CSV should look like this

SamAccountName,Password
test1,newP@ssword
test2,Newpa$sword
test3,n3wpassw0rd

Once you have your CSV, drop it somewhere where your Server box can access it, then log in to your server, open Powershell, and run the following command:

import-csv [F:\path\to\your.csv] | ForEach-Object {Get-ADUser -Filter "SamAccountName -eq `"$($_.SamAccountName)`"" | Set-ADAccountPassword -NewPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force)}

That’s just great, you say, but actually I also wanted to associate an email address with those users, too. Can I do that in the same line?

Sure you can! Just add a column headed with “Email” to your CSV and populate as necessary, then, before closing the braces in the above command, just add

-PassThru | Set-ADUser -EmailAddress $_.Email

The -PassThru flag indicates that you want to pipe the object through to the next Powershell commandlet, and as such, it can be repeated as much as you like.

Is it a bit of a drag to type all that? You bet it is, but Powershell does have robust tab-completion, and really, how often are you going to have to reset a huge number of passwords?

Advertisements