PowerShell – Reset AD expired password with user credentials using a PowerShell script

active-directory, powershell

Hi there!

I am new to PowerShell and I need some help with this script.

I have just begun helping our sysadmin with some tasks in a Windows Server 2008 R2 AD domain environment. I am trying to write a simple PowerShell script that allows a user to reset her own expired password, but it isn't working. This is the script:

# Prompt for the account name and for both passwords (passwords are read as SecureStrings).
$usuario = Read-Host "Enter the user name";
$antigua = Read-Host "Enter the old password" -AsSecureString;
$nueva = Read-Host "Enter the new password" -AsSecureString;
# Try the password operation as the user herself, against a specific domain controller.
Set-ADAccountPassword $usuario -Credential $usuario -OldPassword $antigua -NewPassword $nueva -Reset -Server <<ADServerName>>;

After execution, I get the following result:

    + CategoryInfo : PermissionDenied: ({user}:ADAccount) [Set-ADAccountPassword], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword

The user trying to reset her own password has no kind of admin permissions.

I don't know what is wrong with this, but I am sure that I am missing some PowerShell and/or AD fundamentals.

Thanks in advance for the help.

Enrique

Best Answer

The script is now working, with two small modifications:

  • Adding "-Identity" before the first variable $usuario
  • Granting the "Reset Password" permission to the "SELF" object in the "Security" tab of the user's properties.
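Below is an added example, not the original poster's script or the accepted answer's exact code, that puts the two points of this thread together: an explicit -Identity with a proper PSCredential, and a check of which password rights NT AUTHORITY\SELF actually holds on the user object before anyone edits the ACL. It assumes the ActiveDirectory module (RSAT) is installed, and the domain controller name, user names and function names are placeholders of my own.

```powershell
# Added example (not code from the original thread). Assumes the ActiveDirectory
# module is available and that $dc is replaced with a real domain controller name.
Import-Module ActiveDirectory

$dc = 'dc01.example.local'   # assumption: placeholder DC / ADWS host

# Extended-right GUIDs for the two password operations, as defined in the AD schema.
$PasswordRights = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'   # User-Change-Password
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'    # User-Force-Change-Password
}

# List who holds Change Password / Reset Password on a user object.
# By default SELF has Change Password but not Reset Password.
function Get-PasswordRights {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = $dc
    )

    $user = Get-ADUser -Identity $SamAccountName -Server $Server
    $acl  = Get-Acl -Path ('AD:\' + $user.DistinguishedName)

    $acl.Access |
        Where-Object {
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $PasswordRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference
                Right     = $PasswordRights[$_.ObjectType.ToString()]
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# Change the caller's own password. Without -Reset, OldPassword + NewPassword is a
# password *change*, which only needs the Change Password right SELF has by default.
function Set-OwnPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = $dc
    )

    $old = Read-Host 'Enter the old password' -AsSecureString
    $new = Read-Host 'Enter the new password' -AsSecureString

    # -Credential expects a PSCredential; passing a bare user name makes PowerShell
    # prompt for the password a second time. Build it from the old password instead.
    $cred = New-Object System.Management.Automation.PSCredential ($SamAccountName, $old)

    try {
        Set-ADAccountPassword -Identity $SamAccountName -Credential $cred -Server $Server `
            -OldPassword $old -NewPassword $new -ErrorAction Stop

        # Verify: PasswordLastSet should now be current.
        Get-ADUser -Identity $SamAccountName -Server $Server -Properties PasswordLastSet |
            Select-Object SamAccountName, PasswordLastSet
    }
    catch [System.UnauthorizedAccessException] {
        # The thread's error. Show the ACEs that decide this before touching the ACL.
        Write-Warning "Access denied: $($_.Exception.Message)"
        Get-PasswordRights -SamAccountName $SamAccountName -Server $Server | Format-Table -AutoSize
    }
}

# Usage
$usuario = Read-Host 'Enter the user name (sAMAccountName)'
Set-OwnPassword -SamAccountName $usuario
```

Two design points. First, the -Reset switch turns the call into an administrative reset: -OldPassword is not used, and the caller needs the Reset Password extended right on the target, which is why the accepted answer had to grant it to SELF. Leaving -Reset out and supplying OldPassword and NewPassword performs a change, which users can do on their own account without any ACL edit. Second, giving SELF Reset Password is worth avoiding where you can: it lets anyone holding the user's session (an unlocked workstation, a stolen token) set a new password without knowing the current one, and a reset is not subject to the minimum password age policy the way a change is. Run Get-PasswordRights before and after any ACL change so the extra ACE is visible and reviewable.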