So I am currently in the process of teaching myself PowerShell on a test domain with the help of a few guides. After picking up a bit I'm working on a project to create users in AD from first and last names in a CSV. The only thing I cannot get working is for it to require the password to be changed at logon, I'm getting no errors, and the entries are being created, but the box in the user's account options is not ticked.
import-csv users.csv |
select Surname,
#{n='GivenName';e={$_.'FirstName'}},
#{n='samaccountname';e={$_.FirstName.substring(0,2) + $_.Surname}},
#{n='UserPrincipalName';e={$_.FirstName.substring(0,2) + $_.Surname}},
#{n='Name';e={$_.'FirstName' + ' ' + $_.'Surname'}} |
New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText "Password1" -Force) -ChangePasswordAtLogon $true -Path "OU=Intake 20XX,OU=Students,OU=Ravenloft users,DC=RAVENLOFT,DC=test"
Edit- With a bit more investigation, I believe that it may not be creating a password at all, as the accounts are disabled. However the password "Password1" that I have used in the script does meet the requirements as when creating one in AD manually with this password, it works fine. So how can I progress from this issue?
Use the -enabled $True switch for New-ADUser, so the full command for the last line would be...
New-ADUser -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "Password1" -Force) -ChangePasswordAtLogon $true -Path "OU=Intake 20XX,OU=Students,OU=Ravenloft users,DC=RAVENLOFT,DC=test"
Related
I'm new to PowerShell and am still learning the ropes. I want to create a script for work that I can force a change at the next logon for many users.
I have this:
Set-ADAccountPassword -Identity -ChangePasswordAtLogon:$True -path 'C:\users\mohahigg\desktop\userpassword.txt' (ConvertTo-SecureString 'password2022' -AsPlainText -Force)
I know it's not the best, but what went wrong (in detail), and how can I fix it?
First, you need to extract the username from the text file. You've chosen an odd way of doing it. If it's just one user, you could simply write the name in the command instead of in a file. However, we will get the username and set it in the $user variable:
$user = Get-Content 'C:\users\mohahigg\desktop\userpassword.txt'
Next, we will reset the user's password.
-Path is not a valid parameter for the Set-ADAccountPassword command
-ChangePasswordAtLogon is also not a valid parameter
See all parameters in the official documentation: Set-ADAccountPassword
Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString 'password2022' -AsPlainText -Force) -Reset
Lastly, we will force the password change at the next logon, which is done in another command, Set-ADUser. See the official documentation for this: Set-ADUser.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Putting it all together:
$user = Get-Content 'C:\users\mohahigg\desktop\userpassword.txt'
Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString 'password2022' -AsPlainText -Force) -Reset
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
I have a script that allows people to create a new user from scratch or copying another user but for some reason it is not copying AD group memberships. Any help would be greatly appreciated.
I am getting the user information with this command which is working fine.
$userToCopy = Get-ADUser -identity $copyUsername -Properties Department, title, Company, MemberOf
Then I am asking questions to get updated info for the new user then creating the new use with this command and everything works but the group memberships do not copy over which I was expecting that using the $userToCopy as the -Instance would do.
New-ADUser -SamAccountName "$username" -Name "$fname $lname" -DisplayName "$fname $lname" -Surname "$lname" -GivenName "$fname" -userprincipalname "$fname.$lname#$domain" `
-AccountPassword $secPassword -ChangePasswordAtLogon $True -Office "$empID" -MobilePhone "$mobilePhone" -OfficePhone "$officePhone" -Title "$jobTitle" -department "$department" `
-ProfilePath "" -Path "$OUDN" -Instance $userToCopy -Credential $UserCredential -Server "BOM.chris.domain" -Enabled $True -Company "Chris"
This issue makes sense and then again it doesn't. Since ADUC supports copying groups from another account, it would seem like the same feature would be available with New-ADUser -Instance. However, New-ADUser does not seem to support updating group membership with any of its parameters. I can only guess, but I imagine this is because MemberOf is a calculated property rather than a direct attribute defined by the schema. You could do the following though with one line of code after creating the user.
Add-ADPrincipalGroupMembership -Identity $username -MemberOf $UserToCopy.MemberOf -Server "BOM.chris.domain"
The code above without -Identity $username could be piped into after the New-ADUser command provided you add the -Passthru switch to New-ADUser.
I am needing to change local user passwords. When I convert it to a secure string, it acts as if it changed it, but when trying to login to the account it does not take the password. Not sure what I'm doing wrong, but I know for Powershell's Set-LocalUser cmdlet to take a password it must be a secure string. Below is the code
$UnsecurePassword = "Testing1234"
$SecurePassword = ConvertTo-SecureString $UnsecurePassword -AsPlainText -Force
$localaccount = Get-LocalUser -Name "Local" -ea stop | Enable-LocalUser
$localaccount | Set-LocalUser -Password $SecurePassword -PasswordNeverExpires 1 -ea stop
Your problem is the line
$localaccount = Get-LocalUser -Name "Local" -ea stop | Enable-LocalUser
As Enable-LocalUser doesn't return anything and also hasn't a -PassThru parameter, you end up with $localaccount being empty.
So change your script to:
$UnsecurePassword = "Testing1234"
$SecurePassword = ConvertTo-SecureString $UnsecurePassword -AsPlainText -Force
$localaccount = Get-LocalUser -Name "Local" -ea stop
$localaccount | Enable-LocalUser
$localaccount | Set-LocalUser -Password $SecurePassword -PasswordNeverExpires 1 -ea stop
This is the simplest way to set the password, you can add in your other stuff to make sure its enabled and whatever else you want. In terms of setting a password this is the easiest way to do it in my opinion.
Set-LocalUser -Name Local -Password (ConvertTo-SecureString -String 'Testing1234' -AsPlainText -Force)
Minimal solution in powershell > 5, Win 10
TL;DR:
Set-LocalUser -Name Local -Password (ConvertTo-SecureString 1234 -AsPlainText)
Findings
You can omit the force parameter for a minimal solution in opposition to the other's answer.
A naive approach would be Set-LocalUser local to change the password to no password. Try it, in powershell it does not work. Unsetting a password works in the gui in windows 10 though.
Here is what I have, everything works great thus far except the part where I need the user to change their password on sign in
Import-Csv C:\Users\user\Desktop\newuser.csv | New-ADUser -PassThru | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText '#To03PXaz4' -Force) -PassThru | Enable-ADAccount -PassThru | Set-Aduser -ChangePasswordAtNextLogon $true
any guidance would be greatly appreciated
The syntax is -ChangePasswordAtLogon, not -ChangePasswordAtNEXTLogon. See https://technet.microsoft.com/en-us/library/hh852287(v=wps.630).aspx
Using Set-Aduser -ChangePasswordAtLogon $true should fix your problem.
that's what worked for me:
Set-AdUser -ChangePasswordAtLogon:$true
Note: take care of ":" before true
Using powershell 2.0, I have a simple script to create a New-ADUser. The user must change their password on next logon and the account must be disabled. This works until I create the account in disabled mode.
According to the documentation, ensuring PasswordNeverExpires is $false will allow for change password at logon, but that didn't help. Would anyone know why ChangePasswordAtLogon isn't applying if enabled is set to false?
Code (I have included the other settings I am using in case they matter):
New-ADUser -Name "NewPerson" `
-Path "DC=WhereEver" `
-AccountPassword $SecureStringHere `
-PasswordNeverExpires $False `
-ChangePasswordAtLogon $True `
-enabled $False `
-UserPrinciplaName "NewPerson" `
-DisplayName "NewPerson" `
-Description "NewPerson" `
-ProfilePath "path" `
-ScriptPath "path"
If you don't know how to fix this any ideas on what could be going wrong are appreciated, thank you!
Apparently it's the password that causes the effect, although I can't explain why. The documentation doesn't say anything about this AFAICS. Remove -ChangePasswordAtLogon $True from the New-ADUser statement and set the option afterwards via
Set-ADUser -Identity 'NewPerson' -ChangePasswordAtLogon $true
and the account should be created the way you expect.