Renew Active Directory User Password Without Knowing It
Hello,
Today we’ll see how you can renew an Active Directory user password without knowing it. It can be very convenient when you have a service account with a password expiration but don’t want to change its password for whatever reason. It can also save the day when one of your VIP users is in a kind of emergency and needs access to their mailbox, but you can’t change the password because they have no secure way to receive the new one. You can have plenty of reasons to perform that kind of action. Keep in mind what it really does, though: the existing password stays in place, so the account escapes the password-expiration policy the domain applied to it. Treat it as an exception, use it sparingly, and keep a trace of who did it and why. You can do it in PowerShell, or with an Active Directory administration console.
PowerShell
To achieve that with PowerShell, you need the Active Directory PowerShell module (Import-Module ActiveDirectory) and an account allowed to write the user's pwdLastSet attribute. The first command sets pwdLastSet to 0 (the user must change password at next logon); the second sets it to -1, which the domain controller stores as the current time. Run them back to back, because between the two the user would be prompted for a new password at logon:
# 1. pwdLastSet := 0 ("User must change password at next logon")
Set-ADUser -Identity Chewbacca.Chewbacca -ChangePasswordAtLogon $true
# 2. pwdLastSet := -1, stored as "now"; the password itself is untouched
Set-ADUser -Identity Chewbacca.Chewbacca -ChangePasswordAtLogon $false
DSA.msc
Start the Active Directory Users & Computers console, search for a user, right click, Properties, and then go to the “Account” tab. Tick “User must change password at next logon”, click Apply, untick it, and click Apply again:
ADAC
Start the Active Directory Administrative Center, search for a user, double click, and then look for “User must change password at next log on”. As in the previous console, tick it, apply, untick it, and apply again:
Conclusion
As you can see, forcing a password change at next logon and then clearing it resets the “PwdLastSet” attribute to now. The password itself never changes, so nobody, not even the administrator performing the operation, learns it; only the expiration clock restarts. Note that the operation is not invisible: with user account management auditing enabled, the domain controller logs a “user account was changed” event (ID 4738) that shows the new “Password Last Set” value, so expect to see it in your SIEM.
Note: My test users were created by the StarWars PowerShell module.
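The following script is an added example that puts the PowerShell procedure above and the PwdLastSet observation of the conclusion together; it is not code from the original post. It assumes the ActiveDirectory module, a user named Chewbacca.Chewbacca (the name used in the post), and an account that can write that user's pwdLastSet attribute. The function name Renew-PwdLastSet and the helper ConvertFrom-FileTime are mine, not cmdlets from the module.

```powershell
# Added example: renew a user's password-expiry clock without changing the
# password, and show the pwdLastSet / computed-expiry values before and after.
# Assumes the ActiveDirectory module and write access to pwdLastSet.
Import-Module ActiveDirectory

function ConvertFrom-FileTime {
    # Helper (not part of the AD module): turns an AD large-integer timestamp
    # into a UTC DateTime. 0 means "never set"; Int64.MaxValue is what
    # msDS-UserPasswordExpiryTimeComputed returns for "never expires".
    param([long]$Value)
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

function Renew-PwdLastSet {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Pin both writes to the same domain controller so the second write
        # cannot race replication of the first one.
        [string]$Server
    )

    $target = @{ Identity = $Identity }
    if ($Server) { $target.Server = $Server }

    $props = 'pwdLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    $before = Get-ADUser @target -Properties $props

    # Accounts with "Password never expires" have nothing to renew, and
    # Set-ADUser refuses -ChangePasswordAtLogon $true on them anyway.
    if ($before.PasswordNeverExpires) {
        Write-Warning "$Identity has 'Password never expires' set; nothing to renew."
        return $null
    }

    # Step 1: pwdLastSet := 0 ("User must change password at next logon").
    Set-ADUser @target -ChangePasswordAtLogon $true
    # Step 2: pwdLastSet := -1, which the DC stores as the current time.
    # Run immediately after step 1: in between, an interactive logon would
    # prompt the user for a new password.
    Set-ADUser @target -ChangePasswordAtLogon $false

    $after = Get-ADUser @target -Properties $props

    # The password hash is untouched; only these timestamps move.
    [pscustomobject]@{
        Identity         = $Identity
        PwdLastSetBefore = ConvertFrom-FileTime $before.pwdLastSet
        PwdLastSetAfter  = ConvertFrom-FileTime $after.pwdLastSet
        ExpiresBefore    = ConvertFrom-FileTime $before.'msDS-UserPasswordExpiryTimeComputed'
        ExpiresAfter     = ConvertFrom-FileTime $after.'msDS-UserPasswordExpiryTimeComputed'
    }
}

# Usage: renew the test user from the post and show the before/after values.
Renew-PwdLastSet -Identity 'Chewbacca.Chewbacca' | Format-List
```

ExpiresAfter should land one maximum-password-age after PwdLastSetAfter (the domain default or the fine-grained policy that applies to the user), which is the quickest way to confirm the renewal actually took effect on the DC you wrote to.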