February 27, 2026 Junior (1-3 years) Script Drop

Password Reset Scripts for IT

Essential PowerShell scripts for password reset operations. Active Directory password management made easy.

Password resets are one of the most common IT tasks. These scripts make it faster and more secure.

Reset User Password

<#
.SYNOPSIS
    Reset AD user password
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$Username,
    
    [Parameter(Mandatory=$false)]
    [switch]$MustChange
)

# Generate secure random password
$Length = 16
$Chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*'
$Password = -join ((1..$Length) | ForEach-Object { $Chars[(Get-Random -Maximum $Chars.Length)] })
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force

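# Reset password; -ErrorAction Stop aborts the script so a failed reset is never reported as done
Set-ADAccountPassword -Identity $Username -NewPassword $SecurePassword -Reset -ErrorAction Stop

if ($MustChange) {
    Set-ADUser -Identity $Username -ChangePasswordAtLogon $true -ErrorAction Stop
}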

Write-Host "Password reset for: $Username"
Write-Host "Temp password: $Password"
Write-Host "Must change: $MustChange"

Bulk Password Reset

<#
.SYNOPSIS
    Reset passwords for multiple users
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$CSVPath
)

$Users = Import-Csv $CSVPath

foreach ($User in $Users) {
    try {
        $Password = -join ((1..12) | ForEach-Object { (33..126) | Get-Random | ForEach-Object { [char]$_ } })
        $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
        
        # -ErrorAction Stop makes every failure land in the catch block
        Set-ADAccountPassword -Identity $User.SamAccountName -NewPassword $SecurePassword -Reset -ErrorAction Stop
        Set-ADUser -Identity $User.SamAccountName -ChangePasswordAtLogon $true -ErrorAction Stop
        
        # Same properties on success and failure so no column is dropped in table or CSV output
        [PSCustomObject]@{
            Username = $User.SamAccountName
            Status = "Success"
            TempPassword = $Password
            Error = $null
        }
    }
    catch {
        [PSCustomObject]@{
            Username = $User.SamAccountName
            Status = "Failed"
            TempPassword = $null
            Error = $_.Exception.Message
        }
    }
}
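
Both reset scripts above build the temporary password with Get-Random and do not guarantee a mix of character classes. The following is an added example, not part of the original post: a generator that draws from .NET's RandomNumberGenerator directly and always includes one character from each class. The function name New-TempPassword is hypothetical, and the four classes are the first script's character set split up.

```powershell
# Added example: New-TempPassword is a hypothetical helper, not one of the original scripts.
function New-TempPassword {
    param(
        [ValidateRange(8, 128)]
        [int]$Length = 16
    )

    # The first script's character set, split into classes (assumption: adjust to your policy).
    $Classes = @(
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*'
    )
    $All = -join $Classes
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform integer in [0, $Max) by rejection sampling, so no modulo bias.
    $NextIndex = {
        param([int]$Max)
        $Limit = 256 - (256 % $Max)
        $Byte = New-Object byte[] 1
        do { $Rng.GetBytes($Byte) } while ($Byte[0] -ge $Limit)
        $Byte[0] % $Max
    }

    try {
        # One character from each class first, then fill from the full set.
        $Picked = foreach ($Class in $Classes) { $Class[(& $NextIndex $Class.Length)] }
        while ($Picked.Count -lt $Length) { $Picked += $All[(& $NextIndex $All.Length)] }

        # Fisher-Yates shuffle so the guaranteed characters are not always in front.
        for ($i = $Picked.Count - 1; $i -gt 0; $i--) {
            $j = & $NextIndex ($i + 1)
            $Picked[$i], $Picked[$j] = $Picked[$j], $Picked[$i]
        }
        -join $Picked
    }
    finally {
        $Rng.Dispose()
    }
}
```

To use it, define the function at the top of either script and replace the `$Password = -join ...` line with `$Password = New-TempPassword -Length 16`.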

Check Password Expiry

<#
.SYNOPSIS
    Check password age for users
#>
param(
    [Parameter(Mandatory=$false)]
    [string]$OU
)

$Params = @{
    Filter = "*"
    Properties = "PasswordLastSet", "PasswordExpired", "PasswordNeverExpires"
}

if ($OU) {
    $Params.SearchBase = $OU
}

# DaysSince is left empty for accounts whose password has never been set
Get-ADUser @Params | Select-Object Name, SamAccountName, PasswordLastSet, PasswordExpired, PasswordNeverExpires,
    @{N='DaysSince';E={ if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } }}

Force Password Change for Everyone

<#
.SYNOPSIS
    Force all users to change password
#>
param(
    [Parameter(Mandatory=$false)]
    [string]$ExcludeOU
)

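# Escape the OU so it is matched literally; with no -ExcludeOU given, nothing is excluded
$ExcludePattern = if ($ExcludeOU) { [regex]::Escape($ExcludeOU) } else { $null }

# PasswordNeverExpires has to be requested explicitly, otherwise the filter always sees $null
Get-ADUser -Filter * -Properties PasswordNeverExpires |
    Where-Object { -not $_.PasswordNeverExpires -and (-not $ExcludePattern -or $_.DistinguishedName -notmatch $ExcludePattern) } |
    Set-ADUser -ChangePasswordAtLogon $true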

Password Report

<#
.SYNOPSIS
    Generate password report
#>
# PasswordAge is left empty for accounts whose password has never been set
$Report = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, LastLogonDate |
    Select-Object Name, SamAccountName, 
        @{N='PasswordAge';E={ if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } }},
        PasswordExpired, PasswordNeverExpires, LastLogonDate

$Report | Where-Object { $_.PasswordAge -gt 90 -and -not $_.PasswordNeverExpires } |
    Export-Csv -Path "C:\Reports\OldPasswords.csv" -NoTypeInformation

Wrap-Up

These scripts handle the most common password operations. Customize for your environment and audit regularly.

Questions? Drop them below!
