If you search the Internet for how to change a password in Windows from the command line, you'll easily find a command like the one below:

```
net user name password
```
DO NOT USE IT! It doesn't change the password, it resets it. When you reset a password this way, everything encrypted with a key derived from the user's password is no longer accessible (unless you have the certificate backed up and want to go through the manual decryption process). This includes EFS files, user-specific encrypted app configs, saved passwords, some Outlook settings, etc.
So how do you do it? If you search a little longer you'll probably find PowerShell cmdlets wrapping WinAPI methods to change an AD password. Most likely this is not what you want, as you have a local user.
What works for me is the following C# code:

```csharp
using System.DirectoryServices.AccountManagement;

// ContextType.Machine targets the local SAM accounts, not Active Directory
using (PrincipalContext ctx = new PrincipalContext(ContextType.Machine))
{
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName);
    // A change, not a reset: the old password is verified and encrypted user data stays accessible
    user.ChangePassword(oldPassword, newPassword);
}
```
You need to add a reference to System.DirectoryServices. This works on Windows Server 2012 R2 with .NET Framework 4.5.
Some people suggest you should call user.Save(); however, it throws the following exception for me:
```
System.UnauthorizedAccessException: Access is denied.
   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
   at System.DirectoryServices.AccountManagement.SAMStoreCtx.Update(Principal p)
   at System.DirectoryServices.AccountManagement.Principal.Save()
```
I don't know if that's needed, but I do it anyway. What happens if you pass an incorrect old password? You get:
```
Unhandled Exception: System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. ---> System.Runtime.InteropServices.COMException: The specified network password is not correct.
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.SAMStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
```
You can try wrapping this in some PowerShell code and you should be good.
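Here is one way to do that wrapping, as an added example that is not code from the original post. It calls the same System.DirectoryServices.AccountManagement API as the C# snippet above, distinguishes the ChangePassword call from the SetPassword reset, and catches the PasswordException shown above for a wrong old password. It assumes Windows PowerShell 5.1 (for the `[Type]::new()` syntax) on the machine that holds the local account, and that the caller knows the account's current password; the function names `ConvertFrom-SecureStringToPlain` and `Invoke-LocalPasswordChange` are my own.

```powershell
# Added example, not code from the original post: a PowerShell wrapper around the
# same System.DirectoryServices.AccountManagement API. Assumes Windows PowerShell 5.1
# on the machine that holds the local account, and that the caller knows the
# account's current password. Function and parameter names are my own.
param(
    [Parameter(Mandatory = $true)]
    [string] $UserName
)

# PrincipalContext/UserPrincipal live in this assembly, not in System.DirectoryServices.dll
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function ConvertFrom-SecureStringToPlain {
    # Unwrap a SecureString only at the moment the API needs the plain value.
    param([System.Security.SecureString] $Secure)
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
    }
}

function Invoke-LocalPasswordChange {
    param(
        [string] $Name,
        [System.Security.SecureString] $OldPassword,
        [System.Security.SecureString] $NewPassword
    )
    # ContextType.Machine = the local SAM, which is what a local (non-AD) user needs.
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx,
            [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName,
            $Name)
        if ($null -eq $user) {
            throw "Local user '$Name' was not found."
        }
        try {
            # ChangePassword is a real change: the old password is verified first and
            # Windows re-protects the user's DPAPI master key, so EFS files and saved
            # credentials stay readable. $user.SetPassword($new) would be the
            # administrative reset, with the same data-loss effect as "net user".
            $user.ChangePassword(
                (ConvertFrom-SecureStringToPlain $OldPassword),
                (ConvertFrom-SecureStringToPlain $NewPassword))
        }
        finally {
            $user.Dispose()
        }
    }
    finally {
        $ctx.Dispose()
    }
}

$oldSecure = Read-Host -Prompt "Current password for $UserName" -AsSecureString
$newSecure = Read-Host -Prompt "New password for $UserName" -AsSecureString

try {
    Invoke-LocalPasswordChange -Name $UserName -OldPassword $oldSecure -NewPassword $newSecure
    Write-Host "Password for '$UserName' changed; nothing was reset, so DPAPI-protected data is intact."
}
catch [System.DirectoryServices.AccountManagement.PasswordException] {
    # Raised for a wrong old password (the second stack trace above); a new password
    # that violates local policy surfaces the same way. The account is left untouched.
    Write-Error "Password change rejected: $($_.Exception.Message)"
    exit 1
}
```

Run it as `.\Change-LocalPassword.ps1 -UserName alice` (script name is an assumption) from a session on the machine itself; because ChangePassword proves knowledge of the old password, it does not need administrative rights, which is exactly the property that separates a change from the reset that `net user` performs.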