Resetting a domain user’s password is one of the most common IT admin tasks. Active Directory stores user accounts centrally, and resetting a password from any domain controller or RSAT-enabled machine takes under a minute. Here is how to do it via the GUI, PowerShell, and command line.
Reset a Password via Active Directory Users and Computers
- Open Active Directory Users and Computers (ADUC) — from Server Manager → Tools, or run dsa.msc
- Navigate to the OU containing the user, or use Find (Ctrl + F) to search by name or username
- Right-click the user account → Reset Password
- Enter and confirm the new password
- Options to configure:
  - User must change password at next logon: tick this for end users — they set their own permanent password at next login
  - Unlock the user’s account: tick if the account was locked due to failed login attempts — common when a password reset is requested
- Click OK
Reset a Password via PowerShell
# Reset password (prompts for new password securely)
Set-ADAccountPassword -Identity jsmith -Reset -NewPassword (Read-Host -AsSecureString "New Password")
# Reset password inline (use with caution — password visible in command history)
$newpw = ConvertTo-SecureString "NewP@ssw0rd!" -AsPlainText -Force
Set-ADAccountPassword -Identity jsmith -Reset -NewPassword $newpw
# Force user to change password at next logon
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true
# Unlock the account at the same time
Unlock-ADAccount -Identity jsmith
Reset a Password and Unlock in One Step
$newpw = ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force
Set-ADAccountPassword -Identity jsmith -Reset -NewPassword $newpw
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity jsmith
Write-Host "Password reset and account unlocked for jsmith"
Reset via Command Prompt (net user)
REM Reset a domain user password (run on a DC or with domain admin rights)
net user jsmith NewP@ssword123 /domain
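This method does not force a password change at next logon — use PowerShell or ADUC if you need that option. The new password is also passed as a plain command-line argument, so it is exposed to anything that records process command lines.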
Check Account Status Before Resetting
Before resetting, check whether the account is locked, disabled, or has other issues:
Get-ADUser -Identity jsmith -Properties LockedOut, Enabled, PasswordExpired, PasswordLastSet, LastLogonDate | Select-Object Name, Enabled, LockedOut, PasswordExpired, PasswordLastSet, LastLogonDate
Key fields to review:
- Enabled: False — the account is disabled, not just locked. Enable it with Enable-ADAccount -Identity jsmith
- LockedOut: True — unlock with Unlock-ADAccount -Identity jsmith (may not need a full password reset if the user just forgot their PIN)
- PasswordExpired: True — the password has expired according to policy — reset and allow change at next logon
Find Locked Out Accounts Across the Domain
# Find all currently locked out accounts
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut, LastLogonDate
# Find accounts with expired passwords
Search-ADAccount -PasswordExpired | Select-Object Name, SamAccountName, PasswordLastSet
Password Policy — What Rules Apply
When setting a new password, it must meet the domain password policy:
# Check the default domain password policy
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled
If the new password is rejected, it likely does not meet complexity requirements (minimum length, mix of uppercase, lowercase, numbers, symbols) or was used recently (password history).
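The status check, reset, forced change and unlock from the sections above can be combined into one helper that generates the temporary password instead of typing it as a literal. This is an added example, not code from the original page: the function names New-TempPassword and Reset-UserPassword are hypothetical, and it assumes the ActiveDirectory module (RSAT) is installed and the caller has rights to reset the account.

```powershell
# Added example. New-TempPassword and Reset-UserPassword are hypothetical helper names.
Import-Module ActiveDirectory

function New-TempPassword {
    param([int]$Length = 16)
    # One set per complexity class; look-alike characters (0/O, 1/l/I) are left out
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%&*+-=?@'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    # Index below $max drawn from the CSPRNG (modulo bias is negligible for sets this small)
    $next = { param([int]$max) $rng.GetBytes($buf); [int]([System.BitConverter]::ToUInt32($buf, 0) % $max) }

    $chars = @(foreach ($s in $sets) { $s[(& $next $s.Length)] })   # one from each class
    $all   = -join $sets
    while ($chars.Count -lt $Length) { $chars += $all[(& $next $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {                   # Fisher-Yates shuffle
        $j = & $next ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    $rng.Dispose()
    -join $chars
}

function Reset-UserPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties LockedOut, Enabled -ErrorAction Stop
    if (-not $user.Enabled) {
        # Design choice of this example: a reset never re-enables a disabled account
        throw "$Identity is disabled; resolve that before resetting the password."
    }
    $plain  = New-TempPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
        # Returned once so the operator can hand it to the user; it is never typed on the command line
        [pscustomobject]@{ User = $user.SamAccountName; TempPassword = $plain; WasLocked = $user.LockedOut }
    }
}
```

Run `Reset-UserPassword -Identity jsmith -WhatIf` first to confirm the target account without changing anything. If the domain policy requires more than 16 characters, raise the `-Length` default in New-TempPassword.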
Self-Service Password Reset
If your organisation uses Microsoft Entra ID (Azure AD) with password writeback, users can reset their own passwords via the Microsoft self-service password reset portal — reducing the volume of IT helpdesk calls. If you handle frequent password resets, it is worth evaluating.