11

I've seen plenty of documentation of how to reset a user's password by running

net user <username> * /domain

or locally

net user <username> <new_password>

But I am not domain admin for the current domain, so I am not allowed to change the password via net user <my_username> * /domain (Access is denied).

What I can do though, is to hit CTRL+ALT+DEL and click on "Change Password", where I have to re-enter my current password and give a new password.

Question: How can I script that? I want to change my password via command line. Possible?

Bonus information: I'm on a Windows XP SP3 machine.

Note: Company policy is to make the user change their password every two weeks. And you cannot use your last 24 passwords... Since I don't want to always remember a new password I just iterate through "password1"..."password24" manually and in the end I am back to my old password. It would be great to do this with a small batch instead of the manual way.

Pierre.Vriens
Dennis G
  • I'm curious. Why do you want to script this when doing it through the GUI is so simple? Just how often do you change your password? – John Gardeniers Apr 14 '11 at 11:35
  • Company policy is to make the user change their password every two weeks. And you cannot use your last 24 passwords... Since I don't want to always remember a new password I just iterate through "password1"..."password24" manually and in the end I am back to my old password. It would be great to do this with a small batch instead of the manual way. – Dennis G Apr 14 '11 at 13:13
  • 9
    Another example of why overbearing password policies actually make things less secure :-) There is now the possibility of an unencrypted script on this computer with all possible 24 passwords, yet the admin of this domain thinks he is doing wonderful things! Har! – Richard West Apr 14 '11 at 14:32
  • @Richard perfectly correct. Also that I keep my old password is "against" the policy which wants to enforce new passwords... Better make the passwords more secure instead of changing them all the time. "password1" would actually work as a password. Or "letmein2"... Good luck hacking some CEO passwords around here, betcha they are not better either ;-) – Dennis G Apr 14 '11 at 16:26
  • @moontear eventually your domain admin will catch on and only allow users to change passwords every 24 hours – Jim B Sep 27 '11 at 13:24
  • Actually the whole point of changing them regularly is because bruteforcing is possible given time and it reduces the window of exposure. Annoying policies are generally necessary for a good reason so don't be a jerk by trying to get round them. Also bear in mind that if such a script is found on your PC after a hacker trashes your network the least you are going to be is out of a job. – JamesRyan Oct 03 '11 at 14:20
  • I tend to disagree - if policies are too annoying for users to follow, they should be revised at least. There are better ways to address bruteforce scenarios than bugging users with over-frequent password change requests. – the-wabbit Oct 03 '11 at 23:42
  • moontear, did you get an answer to your original question " How to script hit CTRL+ALT+DEL and click on "Change Password", " If so, can you please share the script/solution. Thanks! –  Jan 23 '12 at 17:02
  • Unfortunately I did not, hence no accepted answer here. – Dennis G Jan 24 '12 at 15:18

7 Answers

2

Try this; I don't know if this will work for you. It's VBScript.

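```vbscript
' Without this, a failed call aborts the script before Err.Number is checked
On Error Resume Next

Dim UserName
Dim UserDomain
Dim User
UserDomain = InputBox("Enter the user's login domain name")
UserName = InputBox("Enter the user's login name")
' Bind to the account through the WinNT provider; ",user" selects the object class
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")

Dim NewPassword
NewPassword = InputBox("Enter new password")
' SetPassword does not take the old password
Call User.SetPassword(NewPassword)

If Err.Number = 0 Then
    WScript.Echo "The password change was successful."
Else
    WScript.Echo "The password change failed!"
End If
```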

check this http://technet.microsoft.com/en-us/library/cc780332%28WS.10%29.aspx!domain logon

MealstroM
  • I think, for security reasons it would be a good idea to also **ask** (and **verify**) the **current password**. – pconcepcion Apr 14 '11 at 09:55
  • 1
    Good idea, but even by using `User.SetPassword` I get an **Access denied**: "* Error: General access denied error, Code: 80070005, Source: Active Directory *" – Dennis G Apr 14 '11 at 10:55
  • Sounds bad. Looks like you need admin rights. Or your Group Policy doesn't allow that. – MealstroM Apr 14 '11 at 12:44
  • 1
    Sure... but how does Windows do it with ctrl+alt+del - change password. It **is** possible somehow ;-) – Dennis G Apr 14 '11 at 13:11
  • 1
    Looks like GINA works after ctrl alt del, or you should search for a script that works with GINA.DLL – MealstroM Apr 14 '11 at 14:13
2

Check this: https://technet.microsoft.com/en-us/library/ee617261.aspx. There is an -Oldpassword param which, along with the -Newpassword param, can achieve this. Remember, if you are not a Domain Admin then you need to know the old pwd to do this. Plus, when you use the -Oldpassword param, don't use the -reset param.

Taparshi
  • Good idea, but as I wrote I was on Windows XP SP3. What you are suggesting uses the Active Directory PowerShell cmdlets which are not available on every machine. I will give it a go though! – Dennis G Jan 24 '16 at 10:56
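
The change described in this answer, written out as an added example (not code from the answer or from the linked Microsoft page). It assumes the ActiveDirectory PowerShell module is installed; the function and helper names are this example's own, and both passwords are prompted for rather than stored in the script.

```powershell
# Added example: interactive self-service change via Set-ADAccountPassword.
# Assumes the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory -ErrorAction Stop

# Helper (this example's own name): SecureString -> plain text, used only
# to compare the two new-password entries in memory.
function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

# Function name and the -Identity default are this example's own choices.
function Invoke-SelfPasswordChange {
    param([string]$Identity = $env:USERNAME)

    # Prompt instead of hard-coding: no password is stored in the script,
    # on the command line or in a file next to it.
    $old     = Read-Host -AsSecureString -Prompt "Current password for $Identity"
    $new     = Read-Host -AsSecureString -Prompt 'New password'
    $confirm = Read-Host -AsSecureString -Prompt 'Confirm new password'

    if ((ConvertTo-PlainText $new) -cne (ConvertTo-PlainText $confirm)) {
        Write-Warning 'The two new-password entries do not match.'
        return $false
    }

    try {
        # -OldPassword together with -NewPassword is a change: the domain
        # controller checks the old password and applies the domain password
        # policy. -Reset is not used; it is the administrative path.
        Set-ADAccountPassword -Identity $Identity -OldPassword $old -NewPassword $new -ErrorAction Stop
        Write-Host "Password changed for $Identity."
        return $true
    }
    catch {
        # Surface the exception type and the server's message unchanged.
        $type = $_.Exception.GetType().Name
        Write-Warning "Change failed [$type]: $($_.Exception.Message)"
        return $false
    }
    finally {
        $old.Dispose(); $new.Dispose(); $confirm.Dispose()
    }
}

Invoke-SelfPasswordChange | Out-Null
```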
1

This article from The Scripting Guys has the code and an explanation of how to change an Active Directory password through PowerShell. You generally would need to be a member of the Domain Admins or Account Operators group, but there's a chance it could work with your own account. I haven't tried that yet myself.

https://blogs.technet.microsoft.com/heyscriptingguy/2010/08/17/how-to-change-a-users-active-directory-password-with-powershell/

SamErde
1

Unfortunately I am not in the same system environment anymore, but it should be noted that Sysinternals updated their tool PsPasswd.

You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.

Maybe this would have been the solution - I still don't know whether I could have changed my password with that tool. I could change the password via CTRL+ALT+DELETE.

Dennis G
0

The answer by @MealstroM requires admin otherwise you get Access denied. Instead of SetPassword one has to call ChangePassword(old,new):

```vbscript
' Without this, a failed call aborts the script before Err.Number is checked
On Error Resume Next

Dim wsn
Set wsn = CreateObject("WScript.Network")

' Default to the currently logged-on account
Dim UserName
UserName = wsn.UserName

Dim UserDomain
UserDomain = wsn.UserDomain

UserDomain = InputBox("Enter the user's login domain name (or local computer name or dot)", , UserDomain)
UserName = InputBox("Enter the user's login name", , UserName)

' Bind to the account through the WinNT provider; ",user" selects the object class
Dim User
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")

Dim OldPassword
OldPassword = InputBox("Enter old password")

Dim NewPassword
NewPassword = InputBox("Enter new password")
' ChangePassword takes the old password as well, unlike SetPassword
Call User.ChangePassword(OldPassword, NewPassword)

If Err.Number = 0 Then
    WScript.Echo "The password change was successful."
Else
    WScript.Echo "The password change failed!"
End If
```
basin
-1

This knowledge base article indicates that you can't with the net command, not without domain admin privileges. You may be able to do it with a PowerShell cmdlet, but you may run afoul of various domain policies (for example, password histories), and you may still need domain admin privileges. I suspect you're out of luck.

justarobert
  • 4
    Yes, I stated that it is not possible using `net` and I asked for a specific solution to script this, not for "you may be able to do it" - I know, that I **may** be able to do it. – Dennis G Apr 14 '11 at 10:51
-2

Just do this from command prompt...

net user domain\username *

(notice the asterisk on the end after a space)

It will prompt you for the new password without having to enter the old.

With this info you can create a script or batch file and a csv file for your passwords.