Recipe 15.6. Setting a User's PasswordProblemYou want to set a password for a user. SolutionUsing a graphical user interfaceFor a local account, do the following:
For a domain account, do the following:
Using a command-line interfaceThere are several options for setting a password for a user from the command-line. You can use the built-in net user command as shown here: > net user <UserName> <Password> For example: > net user rallen TheBestPassword! Use the changepw utility from Joeware.net to set either local or domain password. The following command sets the password for a user on the local system: > changepw /u:<UserName> /p:<Password> You can also specify a target computer name. The following command sets the password for user rallen on a remote system: > changepw /s:xp01 /u:rallen /p:TheBestPassword! To change a user's password in the domain AMER, use the following command: > changepw /d:AMER /u:rallen /p:TheBestPassword! You can also use the dsmod utility to change the password for a domain user. Using * after the -pwd option causes you to be prompted you for the new password. You can replace * with the password you want to set, but it is not a good security practice, because other users that are logged into the machine may be able to see it. > dsmod user <UserDN> -pwd * For example: > dsmod user cn=rallen,cn=users,dc=rallencorp,dc=com -pwd * Using VBScript' This code sets the password for a local user. ' ------ SCRIPT CONFIGURATION ------ strUserName = "<UserName>" ' e.g. jsmith strNewPasswd = "<Password>" strComputer = "<ComputerName>" ' ------ END CONFIGURATION --------- set objUser = GetObject("WinNT://" & strComputer & "/" & strUserName) objUser.SetPassword(strNewPasswd) Wscript.Echo "Password set for " & objUser.Name ' This code sets the password for a domain user. ' ------ SCRIPT CONFIGURATION ------ strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com strNewPasswd = "NewPasword" ' ------ END CONFIGURATION --------- set objUser = GetObject("LDAP://" & strUserDN) objUser.SetPassword(strNewPasswd) Wscript.Echo "Password set for " & objUser.Get("cn") DiscussionThe password for a local user is stored in the SAM database and in the unicodePwd attribute for domain accounts. You cannot directly modify that attribute in Active Directory, so you have to use one of the supported APIs. With the VBScript solution you can use the IADsUser::SetPassword method as shown or IADsUser::ChangePassword. The latter requires the existing password to be passed in as a parameter. This is the method you'd want to use if you've created a web page that requires the previous password before allowing a user to change it. See AlsoMS KB 225511 (New Password Change and Conflict Resolution Functionality in Windows), MS KB 264480 (Description of Password-Change Protocols in Windows 2000), MSDN: IADsUser::SetPassword, and MSDN: IADsUser::ChangePassword |