This article presents a new script, Reset-LocalAccountPassword.ps1, which makes it easier and more secure to reset local account passwords on computers.
In October 2014, I wrote an article in Windows IT Pro entitled Resetting the Local Administrator Password on Computers. Since that time, I have received a number of questions from readers with varying questions (some of which are posted after the article on the web site). There seem to have been two main kinds of questions regarding the Reset-LocalAdminPassword.ps1 script published in that article:
1. How can I safely enter the new password I want to use?
2. Can the script reset the password for a local account other than the built-in Administrator account?
3. Can I specify alternate credentials to reset local account passwords?
This article presents a new script, Reset-LocalAccountPassword.ps1, which addresses these questions and makes it easier and more secure to reset local account passwords on computers.
The syntax for the script is as follows:
Reset-LocalAccountPassword [[-ComputerName] <String>] -AdminAccount [-Password <SecureString>] [-Credential <PSCredential>]
Reset-LocalAccountPassword [[-ComputerName] <String>] -AccountName <String> [-Password
<SecureString>] [-Credential <PSCredential>] [-Confirm] [-WhatIf] [-Verbose]
The -ComputerName parameter specifies one or more computer names. Wildcards are not permitted, but you can specify multiple computer names on the script’s command line or as pipeline input. You can omit the parameter name itself (-ComputerName) if you specify a computer name (or a list of computer names) first on the script’s command line, or if you use pipeline input. You must be a member of the local Administrators group on any computer for which you want to reset a password, and the PowerShell window must be running elevated to be able to reset a password on the current computer.
The -AdminAccount parameter specifies that you want the script to find and reset the built-in Administrator account’s password. Note that this parameter works even if the Administrator account is not named Administrator because the script finds the account by its SID (security identifier) rather than its name.
The -AccountName parameter specifies a specific account’s name. You can only specify one account name, and wildcards are not permitted. You cannot specify both -AdminAccount and -AccountName in the same command; the two parameters are mutually exclusive.
The -Password parameter is a SecureString object that contains the new password you want to use. If you omit this parameter, the script will prompt for a new password twice (an initial entry and a confirmation). I recommend omitting the -Password parameter unless you are very familiar with how to save and restore SecureString objects using encrypted standard strings. (See the previous article for more information about this topic.)
The -Credential parameter is a PSCredential object containing administrative credentials that can reset passwords on each computer. I will elaborate more on this parameter in a moment.
Since resetting passwords is a high-impact change, the script will prompt for confirmation before resetting a password. You can disable confirmation by specifying the parameter -Confirm:$false on the script’s command line.
The -Verbose and -WhatIf parameters behave in a similar manner to PowerShell cmdlets. If you have disabled confirmations using -Confirm:$false, -Verbose causes the script to output each password reset it completes, and the -WhatIf parameter causes the script to report what passwords it would reset without actually taking any actions.
Prompting for the Password
The Reset-LocalAdminPassword.ps1 script from the previous article did not have a way to prompt you twice for the new password (i.e., enter it once, then again to confirm). Instead, I provided a separate sample script that provided the initial and confirmation password prompts. To make Reset-LocalAccountPassword.ps1 easier to use, the password confirmation prompt is now a built-in feature. That is, when you omit the -Password parameter (recommended), the script will prompt you to enter the new password twice.
Also, the sample script from the previous article decrypted the entered passwords in memory to compare them. In contrast, Reset-LocalAccountPassword.ps1 uses a new function that compares the SecureString objects in memory without decrypting them first, so it’s more secure than sample script from the previous article.
Reset-LocalAccountPassword.ps1 must still temporarily decrypt SecureString objects in memory before making changes. Unfortunately, there’s no workaround for this limitation, but the script only decrypts the SecureString objects temporarily, and it does not send the new password in clear-text over the network.
The -Credential Parameter
If you omit the -Credential parameter, Reset-LocalAdminPassword.ps1 uses the current account’s logon credentials to attempt the password reset(s). In other words, the current logon credentials must have sufficient permission to reset the local account passwords. If your current account does not have enough permission, you can use the Get-Credential cmdlet to create a PSCredential object to specify credentials (I will show an example of this in the next section).
There are three things to note regarding the -Credential parameter:
1. As with the -Password parameter, the script must temporarily decrypt the PSCredential object’s password in local memory, but the script does not send the password in clear-text over the network.
2. The -Credential parameter is not useful on the current computer because it does not bypass the need for elevation. That is, you still have to right-click the PowerShell icon and choose Run as administrator to reset a password on the current computer. (Of course, if you are already elevated, you don't need alternate credentials.)
3. You may need to set the LocalAccountTokenFilterPolicy registry value to 1 on non-domain joined remote computers running Windows Vista or later for password resets to work. See Microsoft Knowledge base article 951016 for more information.
Let’s take a look at some real-world examples of how to use the script.
1. Reset the built-in Administrator account on the local computer:
Figure 1 shows this command in action.
Note that the script prompts for a new password and confirms the password before continuing. (The passwords did not match at first in this example.) Also, note that the command fails with an “access denied” error. As noted previously, you must run the PowerShell window elevated (i.e., right-click the PowerShell icon and choose Run as administrator) for the script to work on the local computer.
Figure 2 shows the command again without confirmation (-Confirm:$false) and with verbose output (-Verbose). The command succeeds in Figure 2 because the PowerShell window is running elevated (note the window’s title).
2. Reset the built-in Administrator password on a remote computer:
Reset-LocalAccountPassword SALES1 -AdminAccount
This command resets the password for the built-in Administrator account on the computer named SALES1. Your current logon account must have permission to reset the password on the remote computer. The script will first prompt for a new password, and then it will prompt for confirmation before changing the password.
3. Reset a local account password on multiple computers:
Get-Content Comp.txt | Reset-LocalAccountPassword -AccountName Supervisor -Confirm:$false
This command resets the password for the Supervisor account on each computer listed in the text file Comp.txt (one computer name per line), without confirming each password change (-Confirm:$false).
4. Reset the built-in Administrator account on a remote computer using alternate credentials:
Reset-LocalAccountPassword SALES2 -AdminAccount -Credential (Get-Credential)
This command resets the password for the built-in Administrator account on the computer SALES2. This command will prompt for credentials that have permission to perform the password reset using the Get-Credential cmdlet. The parentheses around Get-Credential tell PowerShell to evaluate the cmdlet as an expression. (Without the parentheses, PowerShell will think you are passing the -Credential parameter a string.)
Administering the Passwords for your Local Accounts
Unlike the Reset-LocalAdminPassword.ps1 script in my previous article, Reset-LocalAccountPassword.ps1 prompts safely for password confirmation, can reset passwords for a local account other than the built-in Administrator account, and supports alternate credentials. Add the Reset-LocalAccountPassword.ps1 script to your toolkit and take control of local account passwords on your computers.