Recipe 15.6. Setting a User s Password

Recipe 15.6. Setting a User's Password

Problem

You want to set a password for a user.

Solution

Using a graphical user interface

For a local account, do the following:

1. Open the Computer Management snap-in (compmgmt.msc).

2. In the left pane, expand Local Users and Groups and click on Users.

3. In the right pane, right-click the account you want to set and select Set Password.

4. Click Proceed after reading the warning dialog.

5. Enter and confirm the new password.

6. Click OK.

For a domain account, do the following:

1. Open the Active Directory Users and Computers snap-in (dsa.msc).

2. In the left pane, right-click on the domain and select Find.

3. Select the appropriate domain beside In.

4. Type the name of the user beside Name and click Find Now.

5. In the Search Results, right-click on the user and select Reset Password.

6. Enter and confirm the new password.

7. Click OK.

Using a command-line interface

There are several options for setting a password for a user from the command-line. You can use the built-in net user command as shown here:

> net user <UserName> <Password>

For example:

> net user rallen TheBestPassword!

Use the changepw utility from Joeware.net to set either local or domain password. The following command sets the password for a user on the local system:

> changepw /u:<UserName> /p:<Password>

You can also specify a target computer name. The following command sets the password for user rallen on a remote system:

> changepw /s:xp01 /u:rallen /p:TheBestPassword!

To change a user's password in the domain AMER, use the following command:

> changepw /d:AMER /u:rallen /p:TheBestPassword!

You can also use the dsmod utility to change the password for a domain user. Using * after the -pwd option causes you to be prompted you for the new password. You can replace * with the password you want to set, but it is not a good security practice, because other users that are logged into the machine may be able to see it.

> dsmod user <UserDN> -pwd *

For example:

> dsmod user cn=rallen,cn=users,dc=rallencorp,dc=com -pwd *

Using VBScript

' This code sets the password for a local user. ' ------ SCRIPT CONFIGURATION ------ strUserName = "<UserName>"   ' e.g. jsmith strNewPasswd = "<Password>" strComputer = "<ComputerName>" ' ------ END CONFIGURATION --------- set objUser = GetObject("WinNT://" & strComputer & "/" & strUserName) objUser.SetPassword(strNewPasswd) Wscript.Echo "Password set for " & objUser.Name ' This code sets the password for a domain user. ' ------ SCRIPT CONFIGURATION ------ strUserDN = "<UserDN>"   ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com strNewPasswd = "NewPasword" ' ------ END CONFIGURATION --------- set objUser = GetObject("LDAP://" & strUserDN) objUser.SetPassword(strNewPasswd) Wscript.Echo "Password set for " & objUser.Get("cn")

Discussion

The password for a local user is stored in the SAM database and in the unicodePwd attribute for domain accounts. You cannot directly modify that attribute in Active Directory, so you have to use one of the supported APIs. With the VBScript solution you can use the IADsUser::SetPassword method as shown or IADsUser::ChangePassword. The latter requires the existing password to be passed in as a parameter. This is the method you'd want to use if you've created a web page that requires the previous password before allowing a user to change it.

See Also

MS KB 225511 (New Password Change and Conflict Resolution Functionality in Windows), MS KB 264480 (Description of Password-Change Protocols in Windows 2000), MSDN: IADsUser::SetPassword, and MSDN: IADsUser::ChangePassword