--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools



Recently Changed Pages:

View All Pages

View All Tags

WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.

Pages with comments

2019/11/18 13:52 1 Comment

View All Comments


Change Expired AD Password

I often have multiple accounts to keep track of, with various password policies. Sometimes a password just expires and I don't want to bother support staff to reset it to a temporary password which I have to reset then again. It's a lot of hassle. To prevent that, I became a big fan of the PowerShell function below. All credits go to Evotec, but I've used it a lot. If you're on a personal system, you could just simply do:

Install-Module PSSharedGoods -Force 

But if you're on a server system without internet access or do not want to install form unknown sources you could simply paste the function into your powershell session and then run the function:

function Set-PasswordRemotely {
    [CmdletBinding(DefaultParameterSetName = 'Secure')]
        [Parameter(ParameterSetName = 'Secure', Mandatory)][string] $UserName,
        [Parameter(ParameterSetName = 'Secure', Mandatory)][securestring] $OldPassword,
        [Parameter(ParameterSetName = 'Secure', Mandatory)][securestring] $NewPassword,
        [Parameter(ParameterSetName = 'Secure')][alias('DC', 'Server', 'ComputerName')][string] $DomainController
    Begin {
        $DllImport = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern bool NetUserChangePassword(string domain, string username, string oldpassword, string newpassword);
        $NetApi32 = Add-Type -MemberDefinition $DllImport -Name 'NetApi32' -Namespace 'Win32' -PassThru
        if (-not $DomainController) {
            if ($env:computername -eq $env:userdomain) {
                # not joined to domain, lets prompt for DC
                $DomainController = Read-Host -Prompt 'Domain Controller DNS name or IP Address'
            } else {
                $Domain = $Env:USERDNSDOMAIN
                $Context = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $Domain)
                $DomainController = ([System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($Context)).Name
    Process {
        if ($DomainController -and $OldPassword -and $NewPassword -and $UserName) {
            $OldPasswordPlain = [System.Net.NetworkCredential]::new([string]::Empty, $OldPassword).Password
            $NewPasswordPlain = [System.Net.NetworkCredential]::new([string]::Empty, $NewPassword).Password
            $result = $NetApi32::NetUserChangePassword($DomainController, $UserName, $OldPasswordPlain, $NewPasswordPlain)
            if ($result) {
                Write-Host -Object "Set-PasswordRemotely - Password change for account $UserName failed on $DomainController. Please try again." -ForegroundColor Red
            } else {
                Write-Host -Object "Set-PasswordRemotely - Password change for account $UserName succeeded on $DomainController." -ForegroundColor Cyan
        } else {
            Write-Warning "Set-PasswordRemotely - Password change for account failed. All parameters are required. "



Enter your comment. Wiki syntax is allowed:
changeexpiredpassword.txt · Last modified: 2021/01/29 16:21 by sjoerd