Thursday, May 30, 2013

Powershell – Bulk User Password Resets

This PowerShell script is used to reset Password for bulk users in a domain. This will prompt to change the password at logon.


1. Save the below script as SetBulkPassword.ps1 under c:\temp.

# import the AD module
if (-not (Get-Module ActiveDirectory)){
    Import-Module ActiveDirectory -ErrorAction Stop           
# set new default password
$password = ConvertTo-SecureString -AsPlainText "Password01" -Force 
# get list of account names (1 per line)
$list = Get-Content -Path c:\Temp\users.txt
# loop through the list
ForEach ($u in $list) {
    if ( -not (Get-ADUser -LDAPFilter "(sAMAccountName=$u)")) {
        Write-Host "Can't find $u"
    else {
        $user = Get-ADUser -Identity $u
        $user | Set-ADAccountPassword -NewPassword $password -Reset
        $user | Set-AdUser -ChangePasswordAtLogon $true
        Write-Output "changed password for $u" | Out-File -append c:\ temp\ResetPwdLog.txt

2. Create a file users.txt under c:\temp and store the usernames for which the password is required to be reset. The usernames should be the domain login IDs.

3. Open PowerShell with admin privileges and set the execution policy to unrestricted.

4. Execute the script in below format in order to log the error generated.

   powershell.exe -noprofile -file c:\temp\SetBulkPassword.ps1 > C:\temp\ErrorLog.txt

5. Once execution is complete, two Log files will be generated under C:\temp i.e ResetPwdLog.txt and Errorlog.txt

ResetPwdLog.txt : Will log the details of the users for which password reset has been completed successfully.
ErrorLog.txt : This will store the errors generated while script execution.

Hope it helps :)


  1. Hi Kumari,
    The script errors, I am new to powershell, could you help me please? The script is just what I need.
    many thanks
    Set-ADAccountPassword : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
    At line:1 char:208
    + ... assword -Reset $user | Set-AdUser -ChangePasswordAtLogon $true Write-Output "cha ...
    + ~~~~~
    + CategoryInfo : InvalidData: (:) [Set-ADAccountPassword], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword

    Get-ADUser : The search filter cannot be recognized
    At line:1 char:35
    + ForEach ($u in $list) {if ( -not (Get-ADUser -LDAPFilter "(sAMAccountName=$u)")) ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    1. Hey! Great to know that you found it helpful. Do you have your input file "users.txt" under C:\temp.. With the AD users name and the name should be in the format of the AD user attribute sAMAccountName.. One value per line.

  2. Hi Kumari,
    the script lines I am using are as shown. The users.txt file is in the location in the script

    Import-Module ActiveDirectory
    $password = ConvertTo-SecureString -AsPlainText “AwesomeP@ssw0rd” -Force
    $users = Get-Content -Path c:\q\pwstuff\Users.txt
    ForEach ($user in $users) {Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset}



    1. Hi Sophie,

      i hope that the file c:\q\pwstuff\Users.txt has all the AD user name in he format of the AD user attribute sAMAccountName.

      Also, for the below statement
      ForEach ($user in $users) {Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset}

      Could you please replace the same with

      ForEach ($user in $users) {Get-ADUser -Identity $user | Set-ADAccountPassword -NewPassword $password -Reset}

  3. This comment has been removed by the author.