How to Change a User Account Password with SetPassword

Guy recommends:
VBScript Training Video on CD

Tutorial for Changing a User Account Password with SetPassword

With VBScript, it is relatively easy to set each user's account to a known password.  You can also configure the account so that once the user authenticates, they must change the known password to a more secure password.  This is a popular script for schools and colleges to run at the start of a year; either for new pupils, or for old lags who have forgotten last term's passwords.

Topics for Changing a User's Password

• Our Mission and Goals
• Example 1 - To Set the User's Password
• VBScript Tutorial - Learning Points for SetPassword
• Example 2 - To Force Users to Change Password at Next Logon
• Summary for Changing Passwords

Our Mission and Goals

Setting the password may be part of a bigger plan, for example, to enable the account and force the user to change their password at next logon.  My mantra is build scripts gradually, one section at a time.  Therefore, once we have mastered the basics in Example 1, we will investigate how to use SetPassword as part of a more powerful VBScript in Example 2.

Example 1 - Script to Change a User's Password

Let us suppose that you want to set the user's account password at next logon.  The heart of the VBScript is a method called .SetPassword.  Applying .SetPassword to the user object has the same effect as setting the password option manually in Active Directory Users and Computers. (.SetInfo is like pressing the OK button)

Prerequisites for SetPassword

You need access and a working knowledge of Active Directory Users and Computers.  Following my theme of keep it simple, I recommend that you log on as administrator, perferably at a domain controller.  Alternatively, connect to the server with Remote Desktop.  If all else fails, you can try these script on an XP machine as a non-administrator, but why introduce extra complications?  Let us start with some easy successes.

Instructions for Changing a User's Password

1. You should run this VBScript on a Windows Active Directory domain.
2. Copy and paste the example script below into notepad or a VBScript editor.
3. Decide whether to change the OU by editing the value for strContainer.  Of course you need test users in the OU referenced by strContainer.
4. Save the file with a .vbs extension, for example: SetPassword .vbs.
5. Double click SetPassword .vbs and check the Users container for strUser.

Sample Script to Change a User's Passwords

VBScript Tutorial - Learning Points for SetPassword

Note 1:  The header section explains the purpose of the script.  Then, I declare three objects, one each for User, OU and DNSDomain.

Note 2:  You probably need to change the strContainer from 'OU=Accounts, " to one of your OUs.  Did you notice the comma at the end of this string?

Note 3:  One of the most important jobs of Active Directory VBScripts is to 'bind' to the domain name.  My technique avoids having to 'hard code' the domain name in the script.  Study how objRootDSE and strDNSDomain combine to extract the LDAP name.  The point is that my technique will work for any domain without having to know the domain name in advance.  This is a huge advantage as I have no idea what you domain is called.

Note 4:  See how the example derives strContainer from the domain name and strOU.

Note 5: Trace how the ObjUser manipulate the password with the special .SetPassword method.  What this does is enter the password just as if you had typed it in the Active Directory Users and Computers interface.  The .SetInfo method is the equivalent of you pressing the OK button on the dialog box.

Note 6:  From a purely scripting point of view, the neat feature is the way that the example cycles through all the accounts in the strContainer.  VBScript controls this by looping with , For Each .... next.

Note 7:  Hardly a script goes by without the need of the If... then end if construction.  For this example, we filter the objects with the, If objUser.Class = "User".  The point is that the OU could also contain computers whose passwords we wish to remain unchanged.

Example 2 - To Force Users to Change Password at Next Logon

This script builds on Example 1, so I recommend you check over the above script before tackling this more advanced example.  As you set the account password, there are two other factors that you may wish to include in the script.  If the account is disabled, you may wish to enable it with userAccountControl = 512.  In addition to setting the password, perhaps you want to force the users to change their password at next logon with PwdLastSet =0.

Sample Script to Force Users to Change Password at Next Logon

VBScript Tutorial - Learning Points

Note 1:  Observe the two VBScript methods .SetPassword and .Put.  Also, see how .SetInfo is rather like pressing the OK button if you were to perform the same task manually at the Active Directory Users and Computers interface.

Note 2:  When testing, I often add WScript.echo commands to confirm what the script has achieved.  Incidentally, this is another reason to declare and apply variables, for example, strContainer and intAccValue.

Summary for Changing a User's Password with SetPassword

There may be more tasks to resetting passwords than you originally thought.  By combining these three methods, you get the best possible control: set the actual password, enable the account and then force the user to change the password at the next logon.  Always bear in mind that these scripting commands mimic what you could do manually at the Active Directory Users and Computers snap-in.

Guy Thomas recommends Computer Training Software. 

Their topics and material are ideal for getting you started with VBScript.  The videos are easy to follow and you can control the pace.  Try their free demo material and then see if you want to buy the full package. See more about VB Script Training CD.

See Also

● Force Change of password PwdLastSet       ● userAccountControl to enable accounts