Author Posts

September 17, 2014 at 11:24 am

Hi,

I am new to PS so today I opened a new session with my DC and tried to change a password for one of the users. I made sure Execution policy was set to unrestricted and that I ran PS with Domain Admin credentials.

[win2k8]: PS C:\Users\hardware\Documents> Set-ADAccountPassword -Identity lseetram -OldPassword(ConvertTo-SecureStri
AsPlainText "Old password"-Force) -NewPassword(ConvertTo-SecureString -AsPlainText "New password" -Force)

However:

Set-ADAccountPassword : Access is denied
At line:1 char:1
+ Set-ADAccountPassword -Identity lseetram -OldPassword(ConvertTo-SecureString -As ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (lseetram:ADAccount) [Set-ADAccountPassword], UnauthorizedAccessException
+ FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword

I Googled the issue but could not find anything related to this except that one of the tips was to remove SpecOps GPUpdate, which I did and no change. I also tried to refer to the account by using CN and no change.

Any ideas?

Thanks,
Alex

September 17, 2014 at 12:11 pm

It seems the user who is running the command doesn't have permisions to make changes to this user. We have users who can reset passwords, but they can reset domain admin's passwords.

September 17, 2014 at 1:55 pm

Thanks for your quick reply. I am running the console under domain Admin's account. Are there any other privileges that need to be given to that account in order to do this through the PS?

September 18, 2014 at 7:46 am

I just tried this in the interactive session on the DC itself and I am getting the same error message. I am obviously logged in as a Domain Admin

September 18, 2014 at 9:40 am

I now tried a brand new test domain controller with Server 2012 R2 and same thing happened.

September 20, 2014 at 12:35 am

Hey Alex,

Couple of suggestions
(1) If you're able to, try disabling UAC on a DC restart it. I've seen this happen even when PowerShell is launched as an Administrator
(2) If you are using a variable for the password, and are using any special characters in the password use [b]'[/b] instead of [b]"[/b].
(3) If it's still not working, try this instead :

$newPwd = ConvertTo-SecureString -AsPlainText 'New password' -Force
Set-ADAccountPassword -Identity lseetram -Reset -NewPassword $newPwd