I have a requirement that allows a user to reset their password to what they would like. However, when doing it through PowerShell Set-ADAccountPassword function and using the reset parameter, it doesn't enforce the password history. So using the function would allow the user to reset it to a previous password. Am I missing something here or is there a way I can enforce the password history during a reset?
Active Directory – Enforce Password History on Password Reset
active-directory powershell
Best Answer
That is the expected behavior for -Reset.
First reset the password to a random value using parameters -NewPassword and -Reset.
Then run Set-ADAccountPassword again and specify -OldPassword [the random password] -NewPassword [the new password they entered], without the -Reset parameter. That will enforce the password age, history, complexity, and length.
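
The two-step sequence from the answer, written as a PowerShell function. This is an added example, not code from the original post: the function names, the 24-character temporary password and the sample account name are assumptions, and it assumes the domain's minimum password age permits a change immediately after the reset.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: builds a throwaway password from a CSPRNG, directly into a SecureString.
function New-RandomSecurePassword {
    param([int]$Length = 24)
    # One character from each class first, so complexity rules are satisfied.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#$%&*+-=?@_'
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $secure = New-Object System.Security.SecureString
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
            $rng.GetBytes($buf)
            $index = [int]([BitConverter]::ToUInt32($buf, 0) % $set.Length)
            $secure.AppendChar($set[$index])
        }
    } finally { $rng.Dispose() }
    $secure.MakeReadOnly()
    return $secure
}

# Hypothetical wrapper around the two Set-ADAccountPassword calls described in the answer.
function Set-UserPasswordWithHistory {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $temp = New-RandomSecurePassword
    # Step 1: administrative reset to the random value (-Reset skips the history check).
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $temp -ErrorAction Stop
    try {
        # Step 2: an ordinary change (no -Reset), so the domain applies history,
        # complexity, length and age rules to the password the user chose.
        Set-ADAccountPassword -Identity $Identity -OldPassword $temp -NewPassword $NewPassword -ErrorAction Stop
        return $true
    } catch {
        # The account now holds the random password, which nobody knows.
        # Ask the user for a different password and call this function again.
        Write-Warning "Password change for '$Identity' was rejected: $($_.Exception.Message)"
        return $false
    }
}

# Constructed usage; 'jdoe' is a sample account name:
# Set-UserPasswordWithHistory -Identity 'jdoe' -NewPassword (Read-Host -AsSecureString 'New password')
```

If step 2 is rejected, the user's previous password has already been replaced by the random one, so the calling code should keep prompting until a password is accepted.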