Set-ADAccountPassword Issue

This topic contains 5 replies, has 3 voices, and was last updated by Tim Pringle 2 years, 2 months ago.

  • #18890
    nyalexp .
    Participant

    Hi,

    I am new to PS so today I opened a new session with my DC and tried to change a password for one of the users. I made sure Execution policy was set to unrestricted and that I ran PS with Domain Admin credentials.

    [win2k8]: PS C:\Users\hardware\Documents> Set-ADAccountPassword -Identity lseetram -OldPassword(ConvertTo-SecureString -AsPlainText "Old password"-Force) -NewPassword(ConvertTo-SecureString -AsPlainText "New password" -Force)

    However:

    Set-ADAccountPassword : Access is denied
    At line:1 char:1
    + Set-ADAccountPassword -Identity lseetram -OldPassword(ConvertTo-SecureString -As ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (lseetram:ADAccount) [Set-ADAccountPassword], UnauthorizedAccessException
    + FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword

    I Googled the issue but could not find anything related to this except that one of the tips was to remove SpecOps GPUpdate, which I did and no change. I also tried to refer to the account by using CN and no change.

    Any ideas?

    Thanks,
    Alex

  • #18893
    i255d
    Member

    It seems the user who is running the command doesn't have permissions to make changes to this user. We have users who can reset passwords, but they can reset domain admin's passwords.

  • #18898
    nyalexp .
    Participant

    Thanks for your quick reply. I am running the console under domain Admin's account. Are there any other privileges that need to be given to that account in order to do this through the PS?

  • #18922
    nyalexp .
    Participant

    I just tried this in the interactive session on the DC itself and I am getting the same error message. I am obviously logged in as a Domain Admin.

  • #18923
    nyalexp .
    Participant

    I now tried a brand new test domain controller with Server 2012 R2 and same thing happened.

  • #18952
    Tim Pringle
    Participant

    Hey Alex,

    Couple of suggestions
    (1) If you're able to, try disabling UAC on a DC and restart it. I've seen this happen even when PowerShell is launched as an Administrator.
    (2) If you are using a variable for the password, and are using any special characters in the password, use ' instead of ".
    (3) If it's still not working, try this instead:

    $newPwd = ConvertTo-SecureString -AsPlainText 'New password' -Force
    Set-ADAccountPassword -Identity lseetram -Reset -NewPassword $newPwd 
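
The three suggestions above combined into one diagnostic script, as an added example that is not part of the original thread: it checks whether the session token is elevated, shows how quoting changes a password containing `$`, and performs the reset with a prompted password. The account name comes from the thread; the password literal is constructed for illustration.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# (1) Elevation check. With UAC enabled, a Domain Admin logon receives a filtered
#     token unless the console was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated token: $elevated"
if (-not $elevated) {
    Write-Warning 'Session is not elevated; start PowerShell with "Run as administrator".'
}

# (2) Quoting. Double quotes expand $name as a variable, single quotes do not.
#     'Corr3ct$horse' is a constructed sample value, not a real password.
$expanded = "Corr3ct$horse"   # $horse is undefined, so this becomes 'Corr3ct'
$literal  = 'Corr3ct$horse'   # kept exactly as typed
Write-Host "Double-quoted length: $($expanded.Length); single-quoted length: $($literal.Length)"

# (3) Reset instead of change. -OldPassword/-NewPassword performs a password change,
#     which needs the correct old password; -Reset is the administrative operation.
#     Read-Host -AsSecureString keeps the plaintext out of the command line and
#     out of the console history.
$newPwd = Read-Host -Prompt 'New password for lseetram' -AsSecureString
try {
    Set-ADAccountPassword -Identity lseetram -Reset -NewPassword $newPwd -ErrorAction Stop
    Write-Host 'Password reset succeeded.'
}
catch {
    # Report the exception type so "Access is denied" can be told apart from
    # password-policy or identity-not-found failures.
    Write-Warning ("Reset failed: {0}: {1}" -f $_.Exception.GetType().FullName, $_.Exception.Message)
}
```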
    
