oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button
Windows Server Hacks

Windows Server Hacks: Resetting User Passwords

by Mitch Tulloch, author of Windows Server Hacks

Resetting passwords is a common task for Windows administrators, and while doing it from the command line can save time there are some things to watch out for.

In an Active Directory environment the usual way of resetting user passwords is to use the GUI. Just open the Active Directory Users and Computers (ADUC) console, expand the console tree to select the organizational unit (OU) where the user's account resides, right-click on the user's account, and select Reset Password. Type the new password twice, click OK, and you're done. For example, Figure 1 shows an administrators resetting the password for user Jane Doe whose account resides in the Boston OU of the testdomain.local domain.

Figure 1
Figure 1. Resetting passwords using Active Directory Users and Computers.


It would be nice to be able to do this from the command line so you could script batch password changes if required. It turns out Windows Server 2003 lets you do this using the new dsmod command-line utility included with that platform. The syntax for using this command to reset a password is:

dsmod user user_DN -pwd new_password

In this case user_DN is the distinguished name (DN) of the user account. In the example above the DN for Jane Doe would be:

CN=Jane Doe,OU=Boston,DC=testdomain,DC=local

Figure 2 shows an administrator resetting Jane's password to "password" using dsmod:

Figure 2
Figure 2. Resetting a password using the dsmod command.

Note that the user's DN needs to be enclosed in quotes because of the space in the user's full name.

A more common approach to resetting a user's password is for the administrator to first change it to "password" and then force the user to change this password to something else the next time she logs on. This is easily accomplished by the following command:

dsmod user "CN=Jane Doe,OU=Boston,DC=testdomain,DC=local" -pwd password -mustchpwd yes

This can be tricky, though. First, if the user's account currently has the "User cannot change password" setting enabled (see Figure 3) then running the above command will generate an error:

dsmod failed:CN=Jane Doe,OU=Boston,DC=testdomain,DC=local:Cannot set 
    "must change password" and "cannot change password" for the same user.

More confusing, though, is when the "Password never expires" setting is enabled for the account. In this case, the user's password will indeed be reset by dsmod, but the "User must change password at next logon" setting will not be enabled. This means the user can log on using "password" and go on using this as her password, which is obviously not desirable from a security point-of-view.

Figure 3
Figure 3. The account is configured so that the user cannot change her password.

You might think that you could kill these two issues with one stone:

dsmod user "CN=Jane Doe,OU=Boston,DC=testdomain,DC=local" 
   -pwd password -mustchpwd yes -canchpwd yes -pwdneverexpires no

This command should disable the "User cannot change password" setting (using -canchpwd yes) and disable the "Password never expires" setting (using -pwdneverexpires no). Right?

Wrong! The same error as before is generated, as dsmod is not smart enough to realize you want to disable the "User cannot change password" setting before you want to enable the "User must change password at next logon" setting. A workaround is to run dsmod twice:

dsmod user "CN=Jane Doe,OU=Boston,DC=testdomain,DC=local" -canchpwd yes -pwdneverexpires no
dsmod user "CN=Jane Doe,OU=Boston,DC=testdomain,DC=local" -pwd password -mustchpwd yes 

Or you could run it using a simple batch file, like this:

@echo off
set /p DN=Enter distinguished name of user in quotes:
set /p PWD=Enter new password for user:
dsmod user %DN% -canchpwd yes -pwdneverexpires no
dsmod user %DN% -pwd %PWD% -mustchpwd yes

Related Reading

Windows Server Hacks
100 Industrial-Strength Tips & Tools
By Mitch Tulloch

Despite its quirks (and there are many) dsmod is a powerful tool for modifying the attributes of objects in Active Directory. The command is available on Windows Server 2003 and Windows XP and you can view its syntax online for more information.

What if your network is running the Windows 2000 version of Active Directory instead of Windows Server 2003? If you have Service Pack 3 or later installed on your Windows 2000 domain controllers, you're in luck, as this enables LDAP traffic with Active Directory to be signed and encrypted. This is required because dsmod, like other Windows Server 2003 administrative tools (both GUI and command-line), encrypt and sign LDAP traffic as a security measure to make such traffic unreadable to network sniffers. Once you have SP3 installed on your Windows 2000 domain controllers you can then install the Windows Server 2003 Administration Tools Pack (adminpak.msi) on a Windows XP Professional machine (with Service Pack 1) and run dsmod from that machine.


But what if you have a pure Windows 2000 network with no Windows XP or Windows Server 2003 machines and you want to keep using the older Windows 2000 Administration Tools Pack? In this case you don't have dsmod available as a command, but with a little hacking ingenuity you can use the LDIFDE command instead to change user passwords.

LDIFDE is a command-line tool that can be used to create, modify, or delete objects in Active Directory. LDIFDE is based on the LDAP Data Interchange Format (LDIF) defined in RFC 2849 and is mainly intended for batch operations such as importing data to or exporting it from Active Directory, see KB 237677 for its detailed syntax.

While LDIFDE cannot export passwords for user accounts, it can import them. The difficulty is that the attribute (unicodePwd) used to store the password for a user object is both Unicode format and base-64 encoded. So the first thing you have to do is to transform the user's new password from plain text into base-64 encoded Unicode text.

To do this you can use a sweet little utility created by Guillaume Bordier called StringConverter. Guillaume also has a number of other tools he's developed for Windows administrators, so be sure to check them out as well.

Anyway, start by downloading StringConverter.exe to a folder on your system path and then open a command prompt and type the following:

stringconverter \"New_Password\" /encode /unicode

New_Password is the new password you want to assign the user. Note that \" occurs before and after the password -- that's because the value for unicodePwd is enclosed in quotes in Active Directory. As an example, Figure 4 shows the utility being used to convert the string "password" (without the quotes) into base-64 encoded Unicode text:

Figure 4
Figure 4. Converting the ASCII string "password" into base-64 encoded Unicode text.

Next, use Notepad to create an LDIF file for resetting Jane Doe's password, as follows:

dn: CN=Jane Doe,OU=Boston,DC=testdomain,DC=local
changetype: modify
replace: unicodePwd

How to Use LDIFDE Commands

If you want to learn more about using LDIFDE, check out this eBook by Guy Thomas, a trainer and consultant in the UK. Guy also has some other eBooks helpful for Windows administrators, and they're all reasonably priced.

Save this file in the current directory as ChangePwd.ldif or something similar. Note the dash on a line by itself and also the final blank line at the end of the text file.

Before you can run the ldifde command however, you need to enable SSL over LDAP communications with your Windows 2000 domain controllers (this is required if you want to reset passwords using ldifde).

First, make sure both the client (your administrator workstation) and your domain controller have the Windows 2000 High Encryption Pack installed on them.

Then install an Enterprise Certificate Authority on a Windows 2000 server in your forest. Your domain controllers will then automatically enroll themselves with your Enterprise CA and download and install a server certificate for themselves. Once this happens, your domain controllers will be able to service LDAP requests on the SSL over LDAP port (636) in addition to the normal LDAP port (389).

Once this is done, open a command prompt and type the following command to reset Jane's password to "password":

ldifde -i -f ChangePwd.ldif -t 636 -s dcname

Here dcname is the name of the domain controller you are binding to. For more information see KB 263991 and 247078.

Using VBScript

Finally, you can easily reset passwords using VBScript, as follows:

strUser = InputBox("Enter full name of user") 
strOU = InputBox("Enter OU where user's account resides")
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")
objUser.SetPassword "password"
MsgBox "Done!"

Type this into Notepad with Word Wrap disabled and save it in your system path as ChangePwd.vbs. Now to reset a user's password simply open a command prompt, type ChangePwd.vbs, enter the user's name (Jane Doe) and OU (Boston) in the input boxes that appear, and you're done. If you know some VBScript you can easily customize this script to do other things like set the user's password options as well. And if you prefer you can create a shortcut to ChangePwd.vbs on your desktop and simply double-click on it to reset a user's password.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

Return to