Windows – How can a standard Windows user change their password from the command line

password, powershell, windows

On Windows Server 2008 R2, I have a standard (non-administrator) local user (not an Active Directory account, though the server is in a domain) who has access to the server only via PowerShell Remoting. The user cannot log in via RDP.

I would like this user to be able to change their password. The 'net user' command requires administrator rights, even if the user is trying to change their own password.

How can a standard user change their password from the command line?

Best Answer

Here's some PowerShell code to do what you're looking for with domain accounts:

param (
    [string]$oldPassword = $( Read-Host "Old password"),
    [string]$newPassword = $( Read-Host "New password")
)

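# ADSystemInfo exposes the distinguished name of the logged-on domain user.
$ADSystemInfo = New-Object -ComObject ADSystemInfo
$type = $ADSystemInfo.GetType()
# Bind to that user over LDAP and change the password as the user, supplying the old one.
$user = [ADSI] "LDAP://$($type.InvokeMember('UserName', 'GetProperty', $null, $ADSystemInfo, $null))"
$user.ChangePassword( $oldPassword, $newPassword)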

The ADSI provider also supports the syntax WinNT://computername/username for the ChangePassword() method. The ADSystemInfo object, however, won't work for machine-local accounts, so just retrofitting the code above with WinNT://... syntax isn't workable.

(Anybody want to suggest an edit w/ code to differentiate between local and domain accounts?)

On a completely different tack, the old NetUserChangePassword API will work with local (and domain, provided you specify the domain name in NetBIOS syntax) accounts, too:

param (
    [string]$oldPassword = $( Read-Host "Old password"),
    [string]$newPassword = $( Read-Host "New password")
)

$MethodDefinition = @'
// NetUserChangePassword returns a NET_API_STATUS code (0 = success), not a boolean.
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(string domainname, string username, string oldPassword, string newPassword);
'@

$NetAPI32 = Add-Type -MemberDefinition $MethodDefinition -Name 'NetAPI32' -Namespace 'Win32' -PassThru

# Outputs 0 on success, or a non-zero error code on failure.
$NetAPI32::NetUserChangePassword('.', $env:username, $oldPassword, $newPassword)

This code assumes you're changing a password on the local machine (".").
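One way to handle both local and domain accounts with the same API, as an added example that is not part of the original answer: it reads both passwords without echo, passes them as unmanaged buffers that are zeroed afterwards, and picks the target from the current identity. Assumptions: an account is treated as local when the authority part of its `WindowsIdentity` name equals the computer name, the type name `Win32Example.NetApi32Pw` is made up for this example, and the listed codes are the documented return values of NetUserChangePassword.

```powershell
# Added example: change the current user's own password, local or domain.
$old = Read-Host "Old password" -AsSecureString   # not echoed to the console
$new = Read-Host "New password" -AsSecureString

# Passwords are declared as IntPtr (LPCWSTR buffers) so they never become managed strings.
$sig = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(
    string domainname, string username, IntPtr oldpassword, IntPtr newpassword);
'@
$api = Add-Type -MemberDefinition $sig -Name 'NetApi32Pw' -Namespace 'Win32Example' -PassThru

# Identity name is "AUTHORITY\user"; AUTHORITY is the computer name for a local account
# and the NetBIOS domain name for a domain account (assumption used to tell them apart).
$authority, $userName = [Security.Principal.WindowsIdentity]::GetCurrent().Name -split '\\', 2
$isLocal = $authority -ieq $env:COMPUTERNAME
$target  = if ($isLocal) { '.' } else { $authority }

$marshal = [Runtime.InteropServices.Marshal]
$pOld = [IntPtr]::Zero
$pNew = [IntPtr]::Zero
try {
    $pOld = $marshal::SecureStringToGlobalAllocUnicode($old)
    $pNew = $marshal::SecureStringToGlobalAllocUnicode($new)
    $rc = $api::NetUserChangePassword($target, $userName, $pOld, $pNew)
}
finally {
    # Overwrite and free the plaintext buffers whether or not the call succeeded.
    if ($pOld -ne [IntPtr]::Zero) { $marshal::ZeroFreeGlobalAllocUnicode($pOld) }
    if ($pNew -ne [IntPtr]::Zero) { $marshal::ZeroFreeGlobalAllocUnicode($pNew) }
}

# NET_API_STATUS values documented for NetUserChangePassword.
$meaning = switch ($rc) {
    0       { 'Password changed' }
    5       { 'ERROR_ACCESS_DENIED' }
    86      { 'ERROR_INVALID_PASSWORD: old password is wrong' }
    2221    { 'NERR_UserNotFound' }
    2226    { 'NERR_NotPrimary' }
    2245    { 'NERR_PasswordTooShort: new password rejected by policy' }
    2351    { 'NERR_InvalidComputer' }
    default { "Unexpected status $rc" }
}
if ($rc -eq 0) { Write-Output "$meaning for $authority\$userName" }
else           { Write-Error  "$meaning (target '$target', user '$userName')" }
```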