I've got problems with setting new passwords via Powershell on Server 2012 R2:
Set-ADAccountPassword -Identity testuser48
-OldPassword (ConvertTo-SecureString -AsPlainText "HelloPassword123#" -Force)
-NewPassword (ConvertTo-SecureString -AsPlainText "April456##123" -Force)
I tried many different passwords but there's always an ADPasswordComplexityException.
FullyQualifiedErrorId : ActiveDirectoryServer:1325,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPasword
Are there any other things I could try?
All password complexity rules (incl. length, ...) are disabled.
Can you use -Reset instead of -OldPassword? Try below to see if it works for you. Also is this in a domain or a standalone server?
Set-ADAccountPassword -Identity testuser48 -Reset
-NewPassword (ConvertTo-SecureString -AsPlainText "April456##123" -Force)
I just found out that I have to set both minimum and maximum password age from undefined to 0 in order for this command to work. That does not seem to be documented ...
Related
I do have a powershell script which contains performing a password reset for single user. Here's the script I made below
Cls
$sam = Read-Host -Prompt 'Username?'
$Pass = 'samplepass123'
$Pass1 = ConvertTo-SecureString $Pass -AsPlainText -Force
#Reset the account password
Set-ADAccountPassword $sam -NewPassword $Pass1 -Reset
Write-Host $sam,$Pass
The problem is, I am searching throughout the internet to rerun the script by pressing any key from the Powershell CMD and/or pressing q to stop the script but no luck for me.
Thank you in advance who will help on my problem!
I triyng to reset a password using this code:
Set-ADAccountPassword -Identity <username> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'N3WP#SS' -Force)
But it uses the credentials of the logged user to execute this action. How do I specify other user to perform this action using
-Credential?
If you are trying to specify other user :
PSCredential Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
Prompt a specified user to change their password.
Use this command below :
Set-ADAccountPassword -Identity TestName
Please enter the current password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:**********
Please enter the desired password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:***********
Repeat Password:***********
Set a password for a user account using a distinguished name :
Set-ADAccountPassword -Identity 'CN=Elisa
Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword
(ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)
Please take a look at this doc for more reference : Ser-ADAccountPassword
I have used the Start-Transcript command in my PowerShell profile. This is very useful for me to review the console output of my scripts at a later point in time when required. However, at times I also directly run some commands that include a ClearText password like the Set-ADAccountPassword cmdlet. Now, these passwords also get captured in the Transcript log file which poses a security risk.
So, is there a way PowerShell can recognize these password related commands and hide them with *'s in the Transcript log file.
I do not see any parameter in the Start-Transcript that would enable this behavior. Is there a workaround?
EDIT:
The command used (with ClearText password) is like the below,
Set-ADAccountPassword -Identity 'CN=Elisa Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)
All passwords accepted by the Set-ADAccountPassword cmdlet are encrypted (SecureString) passwords:
Set-ADAccountPassword
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADAccount>
[-NewPassword <SecureString>]
[-OldPassword <SecureString>]
[-Partition <String>]
[-PassThru]
[-Reset]
[-Server <String>]
[<CommonParameters>]
Nevertheless, if you come across a cmdlet (or an external command) that accepts plain text passwords, that would be your security weakness to be resolved as that is not just captured by Start-Transcript but also sent to the host console and displayed.
Saying that, you should not hardcode passwords in your scripts as in the example of Set-ADAccountPassword :
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "qwert#12345" -Force)
Instead, use the encrypted string as input for the ConvertTo-SecureString.
To create the secure string, use the follwing sommand: (don't hardcode this in your scripts either):
Read-Host -Prompt "Enter password" -AsSecureString | ConvertFrom-SecureString
Results:
12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d
And use the results in the concerned script (without the -AsPlainText switch), e.g.:
$OldPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
$NewPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString $OldPassword) -NewPassword (ConvertTo-SecureString $NewPassword)
note 1: The encrypted string is only supposed to work under the account where it is created.
note 2: quote from the SecureString Class:
We don't recommend that you use the SecureString class for new
development. For more information, see SecureString shouldn't be
used
on GitHub.
I am trying to reset password of one Azure AD account by Set-AzureRMADUser cmdlets, but it throwing error "Set-AzureRmADUser : Property passwordProfile.password is invalid." COuld you please check?
Below is the code.
Set-AzureRmADUser -UserPrincipalName XXXX -Password (ConvertTo-SecureString -String "XXXXX" -Force –AsPlainText)
Below is the complete error.
Set-AzureRmADUser : Property passwordProfile.password is invalid.
At line:1 char:1
+ Set-AzureRmADUser -UserPrincipalName admin#mit1openlinkcloud.onmicros ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-AzureRmADUser], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.UpdateAzureADUserCommand
You could try the command below.
Set-AzureADUserPassword -ObjectId <ObjectId> -Password <Password>
Refer to the link.
Update:
It may caused by your SecureString format, the password must meet the tenant's password complexity requirements. Refer to Password policy in Azure AD. You could refer to my specific command, it works fine.
$Password = ConvertTo-SecureString -String "P#ssW0rD!" -Force –AsPlainText
Set-AzureADUserPassword -ObjectId "ce336193xxxxxxxx" -Password $Password
Try to login to azure portal use the new password, it works fine.
Besides, I suppose the error of your command that you post may caused by it too, you could check it.
I'm currently learning PowerShell through online tutorials.
What is the benefit of/why do examples use -Force and -AsPlainText when creating a secure string?
$password = 'P#ssw0rd' | ConvertTo-SecureString -AsPlainText -Force
There is no benefit of using those arguments, rather they are required to show that you understand that your string is not secure, despite the fact you've now placed it in a SecureString. Because you've passed it as plain text, it's already in memory in an insecure manner.
-AsPlainText shows that you want to pass in it as a plain text parameter. -Force is documented as:
Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
IIRC, -Force suppresses the confirmation prompt from -AsPlainText
$PW = ConvertTo-SecureString -String 'P#ssw0rd' -AsPlainText -Force