Ways To Reset Active Directory Password | ADSelfService Plus
When Active Directory users forget their domain passwords or let their passwords expire, it becomes the admins’ responsibility to reset users' passwords. Password-related help desk tickets are still one of the most common requests, which is why knowing how to reset passwords in Active Directory quickly and securely is crucial.
There are multiple methods admins can use to reset an AD user’s password, such as:
- Active Directory Users and Computers (ADUC) console
- Dsmod command-line tool
- PowerShell script
- Self-service password reset with ADSelfService Plus
In this article, we’ll look at how each of these methods works and which one is best suited for your environment.
Active Directory password reset best practices
- Require identity verification with MFA: Confirm personal details and strengthen the process with multi-factor authentication, such as OTPs, push notifications, or biometrics.
- Enforce strong password policies: Block weak, common, or reused passwords and guide users with real-time strength checks.
- Clear session data after reset: Automatically log out idle sessions so that authenticated password reset sessions aren't misused.
- Provide confirmation notification: Send clear notifications for successful password resets to alert users of any suspicious activity.
- Validate password strength in real-time: Provide immediate feedback during password creation to help users create stronger passwords.
- Log password reset attempts: Audit all password reset requests for security monitoring, compliance, and quick detection of suspicious activity.
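One way to review the reset audit trail on a domain controller, shown as an added example that is not part of the original article or ADSelfService Plus: it reads Security log event ID 4724 (an attempt was made to reset an account's password) and summarises resets by the account that performed them. The function names, the one-day window and the threshold of five accounts are assumptions, and the events only exist when the "Audit User Account Management" policy is enabled.

```powershell
# Added example: summarise password resets (event ID 4724) per operator.
# Function names, the 1-day window and the threshold are assumptions.

function ConvertFrom-ResetEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            Operator = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Target   = "$($data.TargetDomainName)\$($data.TargetUserName)"
        }
    }
}

function Get-ResetSummary {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$Threshold = 5   # distinct accounts reset by one operator
    )
    $Records | Group-Object -Property Operator | ForEach-Object {
        $targets = @($_.Group.Target | Sort-Object -Unique)
        [pscustomobject]@{
            Operator        = $_.Name
            Resets          = $_.Count
            DistinctTargets = $targets.Count
            Flagged         = ($targets.Count -ge $Threshold)
            Targets         = $targets -join ', '
        }
    }
}

$filter  = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-1) }
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-ResetEvent

if ($records) {
    Get-ResetSummary -Records $records |
        Sort-Object -Property DistinctTargets -Descending |
        Format-Table -AutoSize
} else {
    Write-Host 'No password reset events (4724) found in the last 24 hours.'
}
```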
Prerequisite
No matter which method you use to reset a user password in Active Directory, you must have sufficient permissions. You should either be part of the Domain Admins group or at least a member of the Account Operators group.
If you’re delegating the reset task to help desk technicians, use the OU delegation feature in AD to assign reset password permissions securely.
Resetting Active Directory user passwords through ADUC Console
If you don’t have direct access to the domain controller, install the Remote Server Administration Tools and enable the ADUC snap-in from Microsoft Management Console.
Steps to reset a user password in Active Directory using ADUC:
- Log in to a domain-connected computer.
- Open the Active Directory Users and Computers (ADUC) console.
- Locate the user account, right-click, and select Reset Password.
- Type and confirm the new password.
ADUC also allows you to reset multiple user passwords, but only for accounts within the same organizational unit (OU).
Resetting Active Directory passwords using Dsmod command line
The Dsmod command-line tool (available from Windows Server 2003–2012) can modify AD objects, including passwords. It is supported if you have the Active Directory Domain Services server role installed. Although PowerShell has replaced Dsmod, it is still a great tool for modifying user account properties, including resetting passwords.
To use Dsmod, you must run the Dsmod command from an elevated Command Prompt. To open an elevated Command Prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Sample command to reset user passwords in Active Directory:
dsmod user "CN=John Doe,CN=Users,DC=mydomain,DC=com" -pwd A1b2C3d4 -mustchpwd yes
While this command is effective, Dsmod requires the Distinguished Name of the user and doesn’t accept sAMAccountName. Resetting multiple accounts this way is often complex and error-prone.
Resetting Active Directory passwords using PowerShell
PowerShell is widely used to automate AD management. When employing PowerShell to reset an Active Directory password, use the Set-ADAccountPassword cmdlet.
Sample command to change an Active Directory password in PowerShell:
Set-ADAccountPassword -Identity JohnDoe -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword123!" -Force)
This cmdlet supports sAMAccountName, Distinguished Name, and GUID, making it more flexible than Dsmod. However, if you need to reset passwords in Active Directory for multiple users, scripts can quickly become complex.
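A multi-user reset built on the same cmdlet, shown as an added example that is not from the original article: each account gets its own random temporary password instead of one hard-coded in the script, must change it at next logon, and every attempt is recorded without the password. The file names users.txt (one sAMAccountName per line) and reset-audit.csv, and the helper New-TempPassword, are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not vendor code. users.txt and reset-audit.csv are assumed names.

function New-TempPassword {
    param([int]$Length = 16)
    # Look-alike characters (I, O, l, 0, 1) are left out of the alphabet.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= $limit are rejected (no modulo bias)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
                }
            }
            $pw = $sb.ToString()
            # Regenerate until upper case, lower case and a digit are all present.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    return $pw
}

$operator = "$env:USERDOMAIN\$env:USERNAME"
$audit = foreach ($sam in (Get-Content .\users.txt | Where-Object { $_.Trim() })) {
    $status = 'Success'
    try {
        $user   = Get-ADUser -Identity $sam.Trim() -ErrorAction Stop
        $temp   = New-TempPassword
        $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        # Shown once on the console for hand-off; never written to the audit file.
        Write-Host "$($user.SamAccountName): $temp"
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
        Operator = $operator
        Target   = $sam.Trim()
        Status   = $status
    }
}
$audit | Export-Csv -Path .\reset-audit.csv -NoTypeInformation -Append
```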
Resetting Active Directory passwords using ADSelfService Plus
ManageEngine ADSelfService Plus, a unified SSPR, MFA, and SSO solution, empowers end users to reset passwords in Active Directory on their own. It employs secure multi-factor authentication methods, such as YubiKey Authenticator, Google Authenticator, and biometric authentication, to verify users’ identities before allowing them to reset passwords. Additionally:
- Users can reset their Active Directory passwords right from the login screen of their Windows, Linux, and macOS machines, as well as through their mobile devices using the ADSelfService Plus Android and iOS apps.
- Self-service password reset and account unlock can be enabled for all the users in the domain or for specific users by creating OU and group-based policies.
- Passwords can be checked for complexity and compliance through the built-in password policy enforcer feature, which contains a dictionary rule, a pattern checker, and other complexity settings that are missing in Active Directory's domain password policy.
To enable self-service password reset for Active Directory users using ADSelfService Plus:
- Download and install ADSelfService Plus. Log in using administrative credentials.
- Go to Configuration > Self-Service > Policy Configuration.
- Select the Reset Password checkbox. Then, click Select OUs/Groups to select the users for whom you want to enable this feature.
- Click Save Policy.
- On the left-hand side, click Multi-Factor Authentication.
- Set up the necessary multi-factor authentication methods.
- Based on the methods you choose, users may need to provide the information required for that method to enroll. Go to Configuration > Administrative Tools > Quick Enrollment. You can automatically enroll users, send them a notification, or force them to enroll.
That’s it! Once users are enrolled, they can reset their passwords without contacting the help desk.
Change Active Directory password using ADSelfService Plus
ADSelfService Plus provides a simple, secure way for users to change Active Directory passwords without relying on the help desk. This is ideal when users know their current password and only need to update it before expiry.
How to change a password in Active Directory using ADSelfService Plus
- Sign in to the ADSelfService Plus end-user portal by completing the MFA flow.
- Go to Change Password.
- Enter your current Active Directory password and then the new password that meets the configured password policy.
- Submit the updated password to change your Active Directory password instantly.
This method provides a secure, web-based alternative to changing passwords through Ctrl+Alt+Del, making it the easiest way to change an Active Directory password from any browser or device.
Benefits of changing Active Directory Passwords via ADSelfService Plus
- Anytime, anywhere access: Users can change their Active Directory password from any browser or device.
- Reduces help desk load: Eliminates routine password-change tickets.
- Stronger security: The MFA-protected Active Directory password change portal and the custom password policies reduce risk.
- Remote-user friendly: This solution updates cached credentials so remote employees can sign in without VPN issues.
- Compliance-ready: Enforces password complexity, history, and custom rules across all Active Directory password changes.