I triyng to reset a password using this code:
Set-ADAccountPassword -Identity <username> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'N3WP#SS' -Force)
But it uses the credentials of the logged user to execute this action. How do I specify other user to perform this action using
-Credential?
If you are trying to specify other user :
PSCredential Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
Prompt a specified user to change their password.
Use this command below :
Set-ADAccountPassword -Identity TestName
Please enter the current password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:**********
Please enter the desired password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:***********
Repeat Password:***********
Set a password for a user account using a distinguished name :
Set-ADAccountPassword -Identity 'CN=Elisa
Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword
(ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)
Please take a look at this doc for more reference : Ser-ADAccountPassword
Related
I have used the Start-Transcript command in my PowerShell profile. This is very useful for me to review the console output of my scripts at a later point in time when required. However, at times I also directly run some commands that include a ClearText password like the Set-ADAccountPassword cmdlet. Now, these passwords also get captured in the Transcript log file which poses a security risk.
So, is there a way PowerShell can recognize these password related commands and hide them with *'s in the Transcript log file.
I do not see any parameter in the Start-Transcript that would enable this behavior. Is there a workaround?
EDIT:
The command used (with ClearText password) is like the below,
Set-ADAccountPassword -Identity 'CN=Elisa Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)
All passwords accepted by the Set-ADAccountPassword cmdlet are encrypted (SecureString) passwords:
Set-ADAccountPassword
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADAccount>
[-NewPassword <SecureString>]
[-OldPassword <SecureString>]
[-Partition <String>]
[-PassThru]
[-Reset]
[-Server <String>]
[<CommonParameters>]
Nevertheless, if you come across a cmdlet (or an external command) that accepts plain text passwords, that would be your security weakness to be resolved as that is not just captured by Start-Transcript but also sent to the host console and displayed.
Saying that, you should not hardcode passwords in your scripts as in the example of Set-ADAccountPassword :
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "qwert#12345" -Force)
Instead, use the encrypted string as input for the ConvertTo-SecureString.
To create the secure string, use the follwing sommand: (don't hardcode this in your scripts either):
Read-Host -Prompt "Enter password" -AsSecureString | ConvertFrom-SecureString
Results:
12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d
And use the results in the concerned script (without the -AsPlainText switch), e.g.:
$OldPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
$NewPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString $OldPassword) -NewPassword (ConvertTo-SecureString $NewPassword)
note 1: The encrypted string is only supposed to work under the account where it is created.
note 2: quote from the SecureString Class:
We don't recommend that you use the SecureString class for new
development. For more information, see SecureString shouldn't be
used
on GitHub.
Is there an easy way to set a password for a local user when the user doesn't have a password yet? I searched for it but couldn't find anything that worked. The following is what I found:
$password="password"
$UserAccount = Get-LocalUser -Name "nameofuser"
$UserAccount | Set-LocalUser -Password $password
The computers I am trying to give a password are not in a domain.
i always get the ACCES DENIED Powershell Error and have no idea why....
my script:
Get-ADUser -Filter * -SearchScope Subtree | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Mypw123" -Force)
please help me
Thank you
Nothing wrong with your script. Things to check:
Run the command from an elevated Powershell command
Try with a single user to see if you are still getting the error If it is not working
for a single user,
use ADUC (make sure you have launched it as the user launching the PowerShell session), right click and reset the account. You should get the same error.
I have several domains and one admin account in each one. It is a great pain to log into each domain to change password every month..
I have therefore written a script that will connect to all domains and check to see if I have already changed the password or if I am still using the old one.
If I am using the old one the script should update it.
I connect to the domains (sequentially) with
$oldPassword = Read-Host "Enter old password" -AsSecureString
$newPassword = Read-Host "Enter new password" -AsSecureString
$oldCredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "$domain\$adminusername",$oldPassword
Connect-QADService -Service $domain -Credential $oldCredentials
and if I get a successfull connection with $oldcredentials I try to change pwd with
GET-QADUSER $adminusername | SET-QADUSER -UserPassword $newPassword
I am guessing that I am not passing the secure string correctly to SET-QADUSER but I've found no documentation on another way to do it.
Please advice:)
SET-QADUSER -UserPassword accept [string] type not [System.Security.SecureString].
Try to pass just a string as password.
I need to create a new local user account, and then add them to the local Administrators group. Can this be done in PowerShell?
EDIT:
# Create new local Admin user for script purposes
$Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
$LocalAdmin = $Computer.Create("User", "LocalAdmin")
$LocalAdmin.SetPassword("Password01")
$LocalAdmin.SetInfo()
$LocalAdmin.FullName = "Local Admin by Powershell"
$LocalAdmin.SetInfo()
$LocalAdmin.UserFlags = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$LocalAdmin.SetInfo()
I have this, but was wondering if there is anything more PowerShell-esque.
Another alternative is the old school NET USER commands:
NET USER username "password" /ADD
OK - you can't set all the options but it's a lot less convoluted for simple user creation & easy to script up in Powershell.
NET LOCALGROUP "group" "user" /add to set group membership.
As of PowerShell 5.1 there cmdlet New-LocalUser which could create local user account.
Example of usage:
Create a user account
New-LocalUser -Name "User02" -Description "Description of this account." -NoPassword
or Create a user account that has a password
$Password = Read-Host -AsSecureString
New-LocalUser "User03" -Password $Password -FullName "Third User" -Description "Description of this account."
or Create a user account that is connected to a Microsoft account
New-LocalUser -Name "MicrosoftAccount\usr name#Outlook.com" -Description "Description of this account."
Try using Carbon's Install-User and Add-GroupMember functions:
Install-User -Username "User" -Description "LocalAdmin" -FullName "Local Admin by Powershell" -Password "Password01"
Add-GroupMember -Name 'Administrators' -Member 'User'
Disclaimer: I am the creator/maintainer of the Carbon project.
As of 2014, here is a statement from a Microsoft representative (the Scripting Guy):
As much as we might hate to admit it, there are still no Windows
PowerShell cmdlets from Microsoft that permit creating local user
accounts or local user groups. We finally have a Desired State
Configuration (DSC ) provider that can do this—but to date, no
cmdlets.
Import-Csv C:\test.csv |
Foreach-Object {
NET USER $ _.username $ _.password /ADD
NET LOCALGROUP "group" $_.username /ADD
}
edit csv as username,password
and change "group" for your groupname
:) worked on 2012 R2
$sec_pass = ConvertTo-SecureString -String "SomePasword" -AsPlainText -Force
New-LocalUser -Name username -FullName username -PasswordNeverExpires -Password $sec_pass
Add-LocalGroupMember -Group Administrators -Member username