
Reset AD User Password using PowerShell Issue

I was checking the way to reset the password of an AD user using PowerShell and I found Set-ADAccountPassword. It is working; however, I am not sure how I would use this in my environment.

I have a forest with many sub-domains: example.local as the primary domain and x.example.local, y.example.com and z.example.com as the sub-domains.

What I am trying to achieve is the ability to reset the password of an account in a sub-domain from a server residing in the parent domain. For now, the things below are working for me.

If running from a server residing in the sub-domain x.example.local:

Set-ADAccountPassword -Identity "John.Doe" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ABCD1234" -Force)

Working from anywhere within the forest:

Set-ADAccountPassword -Identity "CN=Doe, John X.,OU=b,OU=a,DC=x,DC=example,DC=local" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ABCD1234" -Force)

What I actually need is the ability to put the Windows user logon name in the script, something like below, from a server in the parent domain, i.e. example.local, which doesn't work by the way.

Set-ADAccountPassword -Identity "CN=John.Doe,OU=b,OU=a,DC=x,DC=example,DC=local" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ABCD1234" -Force)

How can I achieve this?

I find the PowerShell cmdlets for AD are kind of stupid in environments with multiple domains. They can't figure out trusted domains. You have to explicitly point them at the domain. You do that with the -Server parameter, where you give it the fully-qualified domain name (or a specific DC if you want).

So in your case, that would mean:

Set-ADAccountPassword -Server x.example.local -Identity "CN=John.Doe,OU=b,OU=a,DC=x,DC=example,DC=local" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ABCD1234" -Force)

I think there is some confusion in the other answers, and I hope to set them right.

If I understand your question, you want to use the Sam Account name instead of the DN for the user.

Try this.

Set-ADAccountPassword -Identity "Jdoe" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "ABCD1234" -Force)

with JDOE being John Doe's login ID. If you want to do this in a different domain, add the -Server option. For the childdomain.MyDomain.local domain, do it as such:

Set-ADAccountPassword -Identity "Jdoe" -Reset -Server childdomain.MyDomain.local -NewPassword (ConvertTo-SecureString -AsPlainText "ABCD1234" -Force)

Unlike what one of the comments said, just because you have a trust doesn't mean you will have permissions to change passwords in the target domain.

The AD account that you're running this process as will need to have that permission, either by membership in the other domain's local Administrators group on the DC, by specifically being granted it in AD in the other domain via policy (or directly applied to the OU the user is in, etc.), or by membership in Enterprise Admins.

You, of course, can use the CN for the user in the other domain, but keep in mind, the CN will be different between each domain.
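As an added example (not code from the original question or from either answer), the function below combines the advice of both answers: it pins every call to a writable DC of the target child domain with -Server, resolves the user there by sAMAccountName so the caller never has to know the DN, and optionally takes a credential that actually holds the reset right in that domain, since the trust alone does not grant it. The domain name x.example.local, the user jdoe, the DC discovery step and the function name are assumptions for illustration; it needs the RSAT ActiveDirectory module on the machine it runs from.

```powershell
# Added example, not from the original post. Domain, OU and user names here
# (x.example.local, jdoe) are assumptions; substitute your own.
#Requires -Modules ActiveDirectory

function Reset-ChildDomainPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Domain,                              # e.g. x.example.local
        [Parameter(Mandatory)] [System.Security.SecureString] $NewPassword,
        [pscredential] $Credential,            # optional: an account with reset rights in $Domain
        [switch] $ChangePasswordAtLogon
    )

    # Pin every call to a writable DC of the target domain instead of relying on
    # the AD cmdlets to follow the trust on their own (they will not).
    $dc = (Get-ADDomainController -Discover -DomainName $Domain -Writable).HostName |
        Select-Object -First 1

    # Pass -Credential only when one was given, so the same code works with the
    # current logon token or with an explicit account from the child domain.
    $common = @{ Server = $dc; ErrorAction = 'Stop' }
    if ($Credential) { $common.Credential = $Credential }

    # Resolve the logon name in the child domain first: a clear "not found" here
    # is easier to act on than a generic failure from Set-ADAccountPassword.
    $user = Get-ADUser -Filter { SamAccountName -eq $SamAccountName } @common
    if (-not $user) {
        throw "No user with sAMAccountName '$SamAccountName' in $Domain (queried $dc)."
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Reset password on $dc")) {
        # -Reset sets the password without the old one; this needs the
        # "Reset Password" right on the object, which a trust by itself does not grant.
        Set-ADAccountPassword -Identity $user.DistinguishedName -Reset -NewPassword $NewPassword @common

        if ($ChangePasswordAtLogon) {
            Set-ADUser -Identity $user.DistinguishedName -ChangePasswordAtLogon $true @common
        }
    }

    # Return something the caller can log; never log the password itself.
    Get-ADUser -Identity $user.DistinguishedName -Properties PasswordLastSet @common |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet
}

# Usage (assumed names): prompt for the password rather than embedding it in the
# script, where it would also land in the PowerShell history and any transcript.
# $pw = Read-Host -AsSecureString -Prompt 'New password for jdoe'
# Reset-ChildDomainPassword -SamAccountName jdoe -Domain x.example.local -NewPassword $pw -ChangePasswordAtLogon -WhatIf
# Reset-ChildDomainPassword -SamAccountName jdoe -Domain x.example.local -NewPassword $pw -Credential (Get-Credential 'X\pwadmin')
```

Run it first with -WhatIf to confirm which DC and which DN it would touch; if Get-ADUser returns nothing even though the account exists, the -Server value is almost always the problem (a parent-domain DC was queried instead of the child's).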
