phibel/a70e7ce621c35b266d2179ee5d52c59d
Last active February 2, 2025 15:54
Change Windows Login password on Active Directory (AD) server.
# In my company, you have to change the (Windows) login password (Active Directory AD (LDAP)) every 6 months.
# However, our AD only saves the last 24 passwords in the history, after which you can set your
# original password again. You can only change the password once every 24 hours via the
# "Change Windows password dialog". But I have written this PowerShell script that communicates directly
# with the AD server. The script sets 24 passwords and then the original password again.
# The AD has no time limit on how often you can change your password.
#
# I have two user names in the company, the normal user "name" and a user with admin permissions that has
# "admin" as suffix -> "nameadmin". This script changes the password for both accounts!
#
# 1. Install the ActiveDirectory module for PowerShell
# Log in to Windows as admin user (sorry my Windows is running in GERMAN)
# Start > Programme hinzufügen oder entfernen > Optionale Features:
# * RSAT: Tools für Active Directory Domain Services und Lightweight Directory Services
# * RSAT: Tools für Active Directory-Zertifikatdienst
# Go back one menu item and wait until the two packages have been installed. Takes about 2-5 minutes
#
# Allow the execution of uncertified PowerShell scripts.
# * Open PowerShell as admin: Set-ExecutionPolicy Unrestricted
#
# Restart the computer
#
# 2. Log in as the normal user (the user whose password is to be set)
# * Open PowerShell as normal user: .\passwordRotation.ps1
#
# 3. After the script is finished, you can disable the execution of uncertified PowerShell scripts again.
# * Open PowerShell as admin: Set-ExecutionPolicy Restricted
$username = $env:UserName
$adminname = $username + "admin"
$passwordDefault = Read-Host -Prompt "Current password for user ${username}"
$passwordCurrent = $passwordDefault
# 24 intermediate passwords (counter 10..33): 9 random ASCII letters plus ".<counter>".
for ($passwordCounter=10; $passwordCounter -le 33; $passwordCounter++) {
    $passwordNew = -join ((65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_}) + ".${passwordCounter}"
    # Note: this echoes every password in plaintext to the console (and to any PowerShell transcript).
    Write-Output "CURRENT Password: ${passwordCurrent}, NEW Password ${passwordNew} will be set for user ${username} and ${adminname}"
    # -OldPassword makes this a password *change* (not a reset), so it works without admin rights on the account.
    Set-ADAccountPassword -Identity $username -OldPassword (ConvertTo-SecureString -AsPlainText $passwordCurrent -Force) -NewPassword (ConvertTo-SecureString -AsPlainText $passwordNew -Force)
    Set-ADAccountPassword -Identity $adminname -OldPassword (ConvertTo-SecureString -AsPlainText $passwordCurrent -Force) -NewPassword (ConvertTo-SecureString -AsPlainText $passwordNew -Force)
    $passwordCurrent = $passwordNew
    Start-Sleep -Seconds 1
}
# History is now full; set the original password again for both accounts.
Write-Output "CURRENT Password: ${passwordCurrent}, original Password ${passwordDefault} will be set for user ${username} and ${adminname}"
Set-ADAccountPassword -Identity $username -OldPassword (ConvertTo-SecureString -AsPlainText $passwordCurrent -Force) -NewPassword (ConvertTo-SecureString -AsPlainText $passwordDefault -Force)
Set-ADAccountPassword -Identity $adminname -OldPassword (ConvertTo-SecureString -AsPlainText $passwordCurrent -Force) -NewPassword (ConvertTo-SecureString -AsPlainText $passwordDefault -Force)
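The domain-side view of what the script above does, as an added example that is not part of the gist: it reads the password policy settings the loop depends on (PasswordHistoryCount, and a MinPasswordAge of zero, which is the "no time limit" the comments describe) and then looks for bursts of Security event 4723 (user-initiated password change) per account on the domain controller. It assumes the RSAT ActiveDirectory module, read access to the DC's Security log, and the placeholder names dc01.example.local, $ChangeThreshold and $WindowHours.

```powershell
param(
    [string]$DomainController = "dc01.example.local",  # assumed name, replace
    [int]$ChangeThreshold = 5,   # 4723 events per account per window that count as a burst
    [int]$WindowHours = 24
)
Import-Module ActiveDirectory

# 1. Policy check. PasswordHistoryCount is the "24 passwords" the gist cycles
#    through; a MinPasswordAge of zero is what lets all 24 changes happen at once.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $DomainController
[pscustomobject]@{
    PasswordHistoryCount   = $policy.PasswordHistoryCount
    MinPasswordAge         = $policy.MinPasswordAge
    HistoryFlushableAtOnce = ($policy.MinPasswordAge -eq [TimeSpan]::Zero)
} | Format-List

# Fine-grained policies (PSOs) override the default for the users they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $DomainController |
    Select-Object Name, Precedence, PasswordHistoryCount, MinPasswordAge |
    Format-Table -AutoSize

# 2. Detection. Each Set-ADAccountPassword -OldPassword call is a user-initiated
#    password change and logs event 4723 on the DC; many of them for one account
#    inside a short window is the signature of a history-flushing loop.
$since  = (Get-Date).AddHours(-$WindowHours)
$events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4723; StartTime = $since }

$events | ForEach-Object {
    # Pull TargetUserName / SubjectUserName out of the event's XML payload.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Target  = $data['TargetUserName']
        Subject = $data['SubjectUserName']
    }
} |
    Group-Object Target |
    Where-Object { $_.Count -ge $ChangeThreshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account  = $_.Name
            Changes  = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Subjects = ($sorted.Subject | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize
```

A run of the gist shows up here as 25 changes for "name" and 25 for "nameadmin" within a minute or so, all with the same Subject; raising MinPasswordAge above zero is the policy setting that prevents the loop from completing in one sitting.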