Force all user passwords to be changed

I find this one quite useful when customers experience a security breach and request that all users be forced to update their passwords. Other accounts can be added to the filter in the where clause if needed (or changed, of course, if you’ve renamed your administrator account etc).


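Import-Module ActiveDirectory

# Flag every account except Administrator to change its password at next logon.
# PasswordNeverExpires is cleared in the same call because AD will not accept
# "change at logon" on an account whose password never expires.
Get-ADUser -Filter * |
    Where-Object { $_.SamAccountName -ne "Administrator" } |
    Set-ADUser -PasswordNeverExpires:$false `
        -ChangePasswordAtLogon:$true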

Automated Password Reset/Change – PowerShell

I’ve had a need to reset passwords for accounts on an automated basis more so recently than before, so not knowing where to start, I took a look around the internet and found some pieces of code here and there that would start to fulfill my needs.

Basically, I was setting up an 802.11x authenticated wireless network, and had a requirement to automate the password change of a RADIUS authenticated Guest account that was sat in a locked down OU in the domain. This then needed to be random, secure and e-mailed to a public folder so that the employees could give their guests access to the guest network. The script just needs to be added to a scheduled task to run monthly. So I eventually ended up with this:

Import-Module ActiveDirectory

[int] $len = 12
[string] $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
$bytes = New-Object "System.Byte[]" $len
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)   # fill the buffer with cryptographically strong random bytes
$result = ""
for ($i = 0; $i -lt $len; $i++)
{
    $result += $chars[ $bytes[$i] % $chars.Length ]   # 256 is not a multiple of 62, so the first 8 characters are slightly favoured
}
$result

$securestring = ConvertTo-SecureString $result -AsPlainText -Force

Get-ADUser "GuestUserName" | Set-ADAccountPassword -Reset -NewPassword $securestring   # -Reset: no old password needed, so no prompt

$month = Get-Date -Format MMMM

### Sets the mail values
$FromAddress = "Wireless_Guest@some-domain.com"
$ToAddress = "public-folder@some-domain.com"
$MessageSubject = "New Wireless Guest Details for $month"
$MessageBody = "Username: GuestUserName          Password: $result"
$SendingServer = "my.mail-relay.com"

### Create the mail message
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody

### Send the message
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
$SMTPClient.Send($SMTPMessage)

In short:

Line 3: Specifies the number of characters in the generated password.
Line 4: The characters that can be used to generate the password.
Line 17: Resets the password on the AD account.
Line 19: Generates the month in long format to add to the e-mail Subject.
Lines 22-26: Variables used for sending the e-mail.
Line 29: Generates the e-mail.
Lines 32 & 33: Sends the e-mail.
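
The byte-to-character mapping in the script above slightly favours the first eight characters of $chars (256 is not a multiple of 62), and a 12-character result can come out without a digit, which a domain with password complexity enabled will reject. The following is an added example, not part of the original script, that uses rejection sampling and a category check; the function names New-GuestPassword and Test-AdComplexity are hypothetical.

```powershell
# Added example; New-GuestPassword and Test-AdComplexity are hypothetical helper names.
function Test-AdComplexity {
    param([string] $Password)
    # AD's complexity rule wants characters from at least three categories.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function New-GuestPassword {
    param(
        [int]    $Length = 12,
        [string] $Chars  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    )
    if ($Length -lt 3) { throw "Length must be at least 3 to cover three categories" }
    if ($Chars.Length -gt 256 -or -not (Test-AdComplexity $Chars)) { throw "Chars must hold at most 256 characters from three categories" }
    # Largest multiple of the alphabet size that fits in one byte; bytes at or above it are discarded.
    $limit = 256 - (256 % $Chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    # Every index is now equally likely, so the modulo no longer skews the result
                    [void] $sb.Append($Chars[$byte[0] % $Chars.Length])
                }
            }
            $candidate = $sb.ToString()
        } until (Test-AdComplexity $candidate)   # redraw the whole password if a category is missing
        return $candidate
    }
    finally { $rng.Dispose() }
}

$password = New-GuestPassword
"{0} characters, complexity OK: {1}" -f $password.Length, (Test-AdComplexity $password)
```

In the scheduled script, run Set-ADAccountPassword with -ErrorAction Stop ahead of the mail section, so a rejected reset ends the run instead of e-mailing a password that was never set.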