Active Directory

  • Question

  • Dear team,

    I want to change the passwords of all users in my company. How can we change or reset the login passwords of all users in AD?

    Please share a good way or command, step by step, for a Windows 2008 R2 Standard AD server.

    • Contain a combination of at least three of the following characters: uppercase letters, lowercase letters, numbers, symbols (punctuation marks)
    Thursday, June 9, 2016 8:31 AM

All replies

  • Hello,

    This article might help you out:

    https://technet.microsoft.com/en-us/library/hh994572(v=ws.11).aspx

    After this you can use this command to force all users to change their password at next logon:

    dsquery user | dsmod user -mustchpwd yes

    CAUTION: this includes the Domain Administrator as well.

    You can also use "ou" for a group of users instead of "user"

    You can also try this if you have a group that contains all the users and no admins and such:

    get-adgroup "Group Name" | Get-ADGroupMember -Recursive | set-aduser -ChangePasswordAtLogon $True

    Thursday, June 9, 2016 8:40 AM
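
The forced change from the reply above, scoped so that it does not sweep in administrator accounts. This is an added example, not part of the original replies; the OU path is a placeholder and the function name `Get-PasswordChangeTargets` is made up for illustration.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: placeholder OU. Replace with the OU that holds ordinary user accounts.
$SearchBase = 'OU=Staff,DC=example,DC=com'

function Get-PasswordChangeTargets {
    param([Parameter(Mandatory = $true)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'Enabled -eq $true' `
        -Properties adminCount, PasswordNeverExpires, pwdLastSet |
        Where-Object {
            # adminCount = 1 marks accounts that are (or were) members of
            # protected administrative groups; leave those for manual handling.
            $_.adminCount -ne 1 -and
            # Set-ADUser refuses -ChangePasswordAtLogon on accounts whose
            # password is set to never expire, so skip them and review separately.
            -not $_.PasswordNeverExpires
        }
}

$targets = @(Get-PasswordChangeTargets -SearchBase $SearchBase)
"{0} account(s) selected" -f $targets.Count
$targets | Sort-Object SamAccountName |
    Format-Table SamAccountName, DistinguishedName -AutoSize

# Dry run: -WhatIf prints what would change without touching any account.
# Remove -WhatIf only after reviewing the list above.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# After the real run, pwdLastSet = 0 means "must change at next logon".
# Anything listed here was selected but not flagged.
Get-PasswordChangeTargets -SearchBase $SearchBase |
    Where-Object { $_.pwdLastSet -ne 0 } |
    Select-Object SamAccountName
```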
  • Hi Kumar,

    Please refer to the scripts and threads below, which will help you.

    https://gallery.technet.microsoft.com/scriptcenter/Reset-password-for-all-412fbc72

    http://serverfault.com/questions/207115/how-do-i-bulk-reset-passwords-for-all-users-in-an-ou

    Note: Enable password complexity in the AD domain, if it is not enabled.

    If this policy is enabled, passwords must meet the minimum requirements at the following link when they are changed or created: https://technet.microsoft.com/en-in/library/cc786468%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    I want to understand: why do you want to do this activity?


    Devaraj G | Technical solution architect

    Thursday, June 9, 2016 11:43 AM
  • OK, thanks sir. What do I need to do for the point below?

    • Contain a combination of at least three of the following characters: uppercase letters, lowercase letters, numbers, symbols (punctuation marks)

    Thursday, June 9, 2016 1:07 PM
  • Edit the default Group Policy on the root domain object and enable "Password must meet complexity requirements". This policy is found under Computer Configuration, Windows Settings, Security Settings, Account Policies/Password Policy. The image below shows what it looks like in the Group Policy editor:


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, June 9, 2016 3:00 PM
  • You can also try this free local user management tool, which provides a hassle-free environment to reset domain users' passwords within a few clicks.
    Friday, June 10, 2016 4:35 AM
  • Dear Richard Sir,

    I followed your suggestion: I made one group, added 5 members to that group, and enabled "Password must meet complexity" for that group, but I am still able to set passwords in the format below for the added members:

    alone@2010

    What do I need to do? Where am I wrong, sir? Please see the screenshot.

     

    Monday, June 13, 2016 6:43 AM
  • Password policy can only be applied to the domain object, where it applies to all users in the domain. Group policies applied elsewhere have no effect. The exception is if you use Fine-Grained password policies, which can apply to groups. See this Wiki article, and the section on applying the policy to security groups:

    http://social.technet.microsoft.com/wiki/contents/articles/4627.ad-ds-fine-grained-password-policies.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, June 13, 2016 1:46 PM
  • Hi Richard sir,

    I followed your suggestion, removed the group and selected Authenticated Users, but it is not applied. If I reset to a new password, alone@2011, it is also accepted.

    Please help, sir. What am I doing wrong here?

    Thursday, July 7, 2016 1:03 PM
  • Do you see the same settings when you click on the "Settings" tab for the "Default Domain Policy"? If so, then all users should be required to select a complex password the next time they change their password. Until the users change their password, their existing password will still work.

    If the policy is not being applied to the users on a particular computer, use the following command at a command prompt of the computer to make sure the new policy has been applied.

    gpupdate /force

    A complex password must be at least 6 characters long (unless the minimum length setting is greater) and have at least three of the following 4 types of characters: upper case letters (A thru Z), lower case letters (a thru z), digits (0 thru 9), symbols (such as #, $, or @). It also cannot include more than 2 consecutive characters in the username (or the user's full name). If your password is "alone@2011" that should meet the requirement (unless the username includes the string "alone"). That is a complex password (it has a lower case letter, a symbol, and a digit, and is more than 6 characters long).

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, July 7, 2016 2:37 PM
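
The complexity rule as worded in the reply above, written out as a check and run over the passwords tried in this thread. This is an added example, not part of the original replies and not the domain controller's own filter; the function name `Test-PasswordComplexity` and the account names `kumar` and `alone.k` are constructed for illustration.

```powershell
# Added example, not from the thread. It implements the rule as stated in the
# reply above: minimum length, 3 of 4 character types, and no run of 3
# consecutive characters taken from the user name or full name.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$UserName = '',
        [string]$FullName = '',
        [int]$MinLength = 6
    )

    $reasons = @()
    if ($Password.Length -lt $MinLength) {
        $reasons += "shorter than $MinLength characters"
    }

    # Count the character types present (case-sensitive for letters).
    $types = 0
    if ($Password -cmatch '[A-Z]')       { $types++ }
    if ($Password -cmatch '[a-z]')       { $types++ }
    if ($Password -match  '[0-9]')       { $types++ }
    if ($Password -match  '[^A-Za-z0-9]') { $types++ }   # treated as "symbol"
    if ($types -lt 3) {
        $reasons += "only $types of 4 character types"
    }

    # Reject any 3-character run from the account names, ignoring case.
    foreach ($name in @($UserName, $FullName)) {
        for ($i = 0; $i + 3 -le $name.Length; $i++) {
            $run = $name.Substring($i, 3)
            if ($Password.IndexOf($run, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "contains '$run' from the account name"
                break
            }
        }
    }

    New-Object PSObject -Property @{
        Password = $Password
        UserName = $UserName
        Complex  = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed test cases: passwords quoted in the thread, hypothetical user names.
$cases = @(
    @{ Password = 'alone@2011'; UserName = 'kumar'   },
    @{ Password = 'alone@2010'; UserName = 'alone.k' },
    @{ Password = 'alone12';    UserName = 'kumar'   },
    @{ Password = 'alone212';   UserName = 'kumar'   }
)
$cases | ForEach-Object {
    Test-PasswordComplexity -Password $_.Password -UserName $_.UserName
} | Format-Table Password, UserName, Complex, Reasons -AutoSize
```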
  • Thanks for your reply, Richard sir.

    Please check the 2nd screenshot below, of the Settings tab.

    Sir, I enabled "Password must meet complex...." but the 3 above it are not defined. Do I need to enable those also, or is it good? Check my 1st screenshot, sir.

    Friday, July 8, 2016 6:46 AM
  • Sir, I ran gpupdate /force. If I set the password alone12, it is also accepted.
    Friday, July 8, 2016 9:16 AM
  • On your PDC emulator, create an RSoP results report through GPMC and check for your complexity setting.
     
    Friday, July 8, 2016 10:35 AM
  • Group Policy Results
    UTILITY\server.admin on UTILITY\NETWORK1
    Data collected on: 7/9/2016 5:26:06 PM

    Summary

    Computer Configuration Summary

    General

    Computer name                          UTILITY\NETWORK1
    Domain                                 utility.esselgroup.com
    Site                                   Default-First-Site-Name
    Last time Group Policy was processed   7/9/2016 4:03:08 PM

    Group Policy Objects

    Applied GPOs

    Name                    Link Location            Revision
    Login Audit             utility.esselgroup.com   AD (12), Sysvol (12)
    Logon Disclaimer        utility.esselgroup.com   AD (8), Sysvol (8)
    PC-to-PC Video OFF      utility.esselgroup.com   AD (6), Sysvol (6)
    UtilityWsus             utility.esselgroup.com   AD (4), Sysvol (4)
    Default Domain Policy   utility.esselgroup.com   AD (160), Sysvol (160)

    Denied GPOs

    Name                                     Link Location            Reason Denied
    Local Group Policy                       Local                    Empty
    {C4525360-8A48-444B-AA37-725F2F605C12}   utility.esselgroup.com   Inaccessible
    {5F3420A1-634C-40C1-A8D8-9586C71E3C38}   utility.esselgroup.com   Inaccessible
    FileSharing                              utility.esselgroup.com   Empty
    {6525C8A2-F79C-4F8A-B0BA-2BFF20E846C4}   utility.esselgroup.com   Disabled Link
    {D8C0B388-6B34-45D0-A691-EEE863B11652}   utility.esselgroup.com   Disabled Link
    {71D2EC6A-3475-4527-9AC6-F0642DCBFE56}   utility.esselgroup.com   Disabled Link
    {27AF1C62-C15E-4F77-AC06-128287FABAFD}   utility.esselgroup.com   Disabled Link
    X drive HR sagar                         utility.esselgroup.com   Empty
    Sagar Y drive                            utility.esselgroup.com   Empty
    Network Seeting Disabled                 utility.esselgroup.com   Empty
    {C2F89C4B-85B2-45D5-AC89-D45537FA2CE8}   utility.esselgroup.com   Inaccessible
    {D468A671-E12E-4514-846A-83C38C4F0EBA}   utility.esselgroup.com   Disabled Link
    {966DA857-CE1A-4973-AB3B-F6F279724C8F}   utility.esselgroup.com   Disabled Link
    
    Security Group Membership when Group Policy was applied
    
    
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    UTILITY\NETWORK1$
    UTILITY\Domain Computers
    Mandatory Label\System Mandatory Level
    
    WMI Filters
    
    
    
    
    Name
    
    Value
    
    Reference GPO(s)
    
    None 
    
    Component Status
    
    
    
    
    Component Name
    
    Status
    
    Last Process Time
    
    Group Policy Infrastructure Success 7/9/2016 4:03:16 PM 
    Registry Success 7/9/2016 4:03:09 PM 
    Security Success 7/9/2016 4:03:16 PM 
    
    
    User Configuration Summary
    
    
    General
    
    
    
    User name UTILITY\server.admin 
    Domain utility.esselgroup.com 
    Last time Group Policy was processed 7/9/2016 4:03:53 PM 
    
    Group Policy Objects
    
    
    Applied GPOs
    
    
    
    
    Name
    
    Link Location
    
    Revision
    
    X drive HR sagar utility.esselgroup.com AD (10), Sysvol (10) 
    Sagar Y drive utility.esselgroup.com AD (30), Sysvol (30) 
    Network Seeting Disabled utility.esselgroup.com AD (7), Sysvol (7) 
    PC-to-PC Video OFF utility.esselgroup.com AD (6), Sysvol (6) 
    USB Block Utility utility.esselgroup.com AD (4), Sysvol (4) 
    FileSharing utility.esselgroup.com AD (96), Sysvol (96) 
    Utility Wallpaper utility.esselgroup.com AD (19), Sysvol (19) 
    Default Domain Policy utility.esselgroup.com AD (34), Sysvol (34) 
    
    Denied GPOs
    
    
    
    
    Name
    
    Link Location
    
    Reason Denied
    
    Local Group Policy Local Empty 
    UtilityWsus utility.esselgroup.com Empty 
    IT-WallPAPER utility.esselgroup.com Access Denied (Security Filtering) 
    {6525C8A2-F79C-4F8A-B0BA-2BFF20E846C4} utility.esselgroup.com Disabled Link 
    {D8C0B388-6B34-45D0-A691-EEE863B11652} utility.esselgroup.com Disabled Link 
    {71D2EC6A-3475-4527-9AC6-F0642DCBFE56} utility.esselgroup.com Disabled Link 
    {27AF1C62-C15E-4F77-AC06-128287FABAFD} utility.esselgroup.com Disabled Link 
    {D468A671-E12E-4514-846A-83C38C4F0EBA} utility.esselgroup.com Disabled Link 
    Login Audit utility.esselgroup.com Empty 
    {966DA857-CE1A-4973-AB3B-F6F279724C8F} utility.esselgroup.com Disabled Link 
    Logon Disclaimer utility.esselgroup.com Empty 
    Printer policy utility.esselgroup.com/Utility/Mumbai Empty 
    
    Security Group Membership when Group Policy was applied
    
    
    UTILITY\Domain Users
    Everyone
    BUILTIN\Remote Desktop Users
    BUILTIN\Network Configuration Operators
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    UTILITY\USB-Block
    UTILITY\Utility-wallpaper
    UTILITY\Mumbai1
    UTILITY\password
    UTILITY\ecms_group
    UTILITY\owncloudgroup
    ESSELGROUP\Enterprise Admins
    ESSELGROUP\VPN_Users
    ESSELGROUP\Organization Management
    ESSELGROUP\FTPUsers
    UTILITY\Denied RODC Password Replication Group
    Mandatory Label\Medium Mandatory Level
    
    WMI Filters
    
    
    
    
    Name
    
    Value
    
    Reference GPO(s)
    
    None 
    
    Component Status
    
    
    
    
    Component Name
    
    Status
    
    Last Process Time
    
    Group Policy Infrastructure Success 7/9/2016 4:03:54 PM 
    Group Policy Drive Maps Success 7/9/2016 4:03:54 PM 
    Registry Success 7/9/2016 4:03:09 PM 
    Scripts Success 7/9/2016 4:03:09 PM 
    
    
    
    Computer Configuration

    Policies

    Windows Settings

    Security Settings

    Account Policies/Password Policy

    Policy                                       Setting   Winning GPO
    Password must meet complexity requirements   Enabled   Default Domain Policy

    Account Policies/Account Lockout Policy

    Policy                      Setting                    Winning GPO
    Account lockout threshold   0 invalid logon attempts   Default Domain Policy

    Local Policies/Audit Policy

    Policy               Setting            Winning GPO
    Audit logon events   Success, Failure   Login Audit
    
    Local Policies/Security Options
    
    
    Interactive Logon
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Interactive logon: Message text for users attempting to log on By Logging-in you will be entering into a 'Secure System' as defined under the Information Technology Act, 2000 . Any trespassing, unauthorized access or attempt to get unauthorized access and after logging-in any misuse of authorization may attract appropriate disciplinary action at the sole discretion of the Management and civil and criminal liabilities as applicable. Logon Disclaimer 
    Interactive logon: Message title for users attempting to log on Essel Utility Logon Disclaimer 
    
    Network Access
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Network access: Allow anonymous SID/Name translation Disabled Default Domain Policy 
    
    Network Security
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Network security: Do not store LAN Manager hash value on next password change Enabled Default Domain Policy 
    Network security: Force logoff when logon hours expire Disabled Default Domain Policy 
    Network security: LDAP client signing requirements Require signing Default Domain Policy 
    
    User Account Control
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting Default Domain Policy 
    User Account Control: Detect application installations and prompt for elevation Disabled Default Domain Policy 
    User Account Control: Only elevate UIAccess applications that are installed in secure locations Disabled Default Domain Policy 
    User Account Control: Run all administrators in Admin Approval Mode Disabled Default Domain Policy 
    
    Restricted Groups
    
    
    
    
    Group
    
    Members
    
    Winning GPO
    
    UTILITY\Domain Users  Default Domain Policy 
    
    Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Automatic certificate management Enabled [Default setting] 
    
    
    Option
    
    Setting
    
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled 
    Update and manage certificates that use certificate templates from Active Directory Disabled 
     
    
    Public Key Policies/Encrypting File System
    
    
    Certificates
    
    
    
    
    Issued To
    
    Issued By
    
    Expiration Date
    
    Intended Purposes
    
    Winning GPO
    
    Administrator Administrator 10/26/2113 5:31:22 PM File Recovery Default Domain Policy 
    
    For additional information about individual settings, launch Group Policy Object Editor.
    Public Key Policies/Trusted Root Certification Authorities
    
    
    Properties
    
    
    
    Winning GPO [Default setting] 
    
    
    
    Policy
    
    Setting
    
    Allow users to select new root certification authorities (CAs) to trust Enabled 
    Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities 
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only 
    
    
    Administrative Templates
    
    
    Policy definitions (ADMX files) retrieved from the local machine.
    
    Microsoft Office Communicator Policy Settings/Microsoft Office Communicator Feature Policies
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Allow storage of user passwords Enabled PC-to-PC Video OFF 
    Allow transfering unencrypted files Enabled PC-to-PC Video OFF 
    Disable Audio/Video Conferencing Enabled PC-to-PC Video OFF 
    Disable PC-to-PC Video Enabled PC-to-PC Video OFF 
    Telephony Mode Enabled PC-to-PC Video OFF 
    
    TelephonyMode 5 = IM and Presence Only 
     
    
    Windows Components/Windows Installer
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Always install with elevated privileges Enabled Default Domain Policy 
    
     
    This setting must be set for the machine and the user to be enforced. 
     
    
    Windows Components/Windows Update
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Allow non-administrators to receive update notifications Enabled UtilityWsus 
    Configure Automatic Updates Enabled UtilityWsus 
    
    Configure automatic updating: 3 - Auto download and notify for install 
    The following settings are only required 
    and applicable if 4 is selected. 
    Scheduled install day:  0 - Every day 
    Scheduled install time: 03:00 
     
    
    Policy
    
    Setting
    
    Winning GPO
    
    Specify intranet Microsoft update service location Enabled UtilityWsus 
    
    Set the intranet update service for detecting updates: http://10.1.1.225:8530 
    Set the intranet statistics server: http://10.1.1.225:8530 
    (example: http://IntranetUpd01) 
     
    
    
    User Configuration
    
    
    Policies
    
    
    Windows Settings
    
    
    Scripts
    
    
    Logoff
    
    
    
    
    Name
    
    Parameters
    
    Last Run
    
    Script Order in GPO
    
    Winning GPO
    
    \\10.1.1.25\Wallpaper\RemoveWallpaperCache.bat  7/9/2016 4:03:33 PM Not configured Default Domain Policy 
    
    Security Settings
    
    
    Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Automatic certificate management Enabled [Default setting] 
    
    
    Option
    
    Setting
    
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled 
    Update and manage certificates that use certificate templates from Active Directory Disabled 
     
    Show certificate expiry notifications Disabled [Default setting] 
    
    Software Restriction Policies
    
    
    
    Winning GPO Default Domain Policy 
    
    
    Enforcement 
    
    
    Policy
    
    Setting
    
    Apply software restriction policies to the following All software files except libraries (such as DLLs) 
    Apply software restriction policies to the following users All users 
    When applying software restriction policies Ignore certificate rules 
     
    Designated File Types 
    
    
    File Extension
    
    File Type
    
    ADE Microsoft Access Project Extension 
    ADP Microsoft Access Project 
    BAS BAS File 
    BAT Windows Batch File 
    CHM Compiled HTML Help file 
    CMD Windows Command Script 
    COM MS-DOS Application 
    CPL Control panel item 
    CRT Security Certificate 
    EXE Application 
    HLP Help file 
    HTA HTML Application 
    INF Setup Information 
    INS INS File 
    ISP ISP File 
    LNK Shortcut 
    MDB Microsoft Access Database 
    MDE Microsoft Access MDE Database 
    MSC Microsoft Common Console Document 
    MSI Windows Installer Package 
    MSP Windows Installer Patch 
    MST MST File 
    OCX ActiveX control 
    PCD PCD File 
    PIF Shortcut to MS-DOS Program 
    REG Registration Entries 
    SCR Screen saver 
    SHS SHS File 
    URL Internet Shortcut 
    VB VB File 
    WSC Windows Script Component 
     
    Trusted Publishers 
    
    Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers 
    Certificate verification None 
     
    
    Software Restriction Policies/Security Levels
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Default Security Level Unrestricted Default Domain Policy 
    
    Software Restriction Policies/Additional Rules
    
    
    Path Rules
    
    
    
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% 
    
    Security Level Unrestricted 
    Description  
    Date last modified 12/21/2013 1:26:37 AM 
    Winning GPO Default Domain Policy 
     
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% 
    
    Security Level Unrestricted 
    Description  
    Date last modified 12/21/2013 1:26:37 AM 
    Winning GPO Default Domain Policy 
     
    C:\ 
    
    Security Level Unrestricted 
    Description  
    Date last modified 12/21/2013 1:28:34 AM 
    Winning GPO Default Domain Policy 
     
    
    
    Administrative Templates
    
    
    Policy definitions (ADMX files) retrieved from the local machine.
    
    Desktop/Desktop
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Desktop Wallpaper Enabled Utility Wallpaper 
    
    Wallpaper Name: \\10.1.1.25\Wallpaper\Corporate Wallpaper FINAL-01.jpg 
    Example: Using a local path: C:\windows\web\wallpaper\home.jpg 
    Example: Using a UNC path: \\Server\Share\Corp.jpg 
    Wallpaper Style: Fit 
     
    
    Microsoft Office Communicator Policy Settings/Microsoft Office Communicator Feature Policies
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Allow transfering unencrypted files Enabled PC-to-PC Video OFF 
    Disable Audio/Video Conferencing Enabled PC-to-PC Video OFF 
    Disable PC-to-PC Video Enabled PC-to-PC Video OFF 
    Telephony Mode Enabled PC-to-PC Video OFF 
    
    TelephonyMode 5 = IM and Presence Only 
     
    
    System/Removable Storage Access
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Removable Disks: Deny read access Enabled USB Block Utility 
    Removable Disks: Deny write access Enabled USB Block Utility 
    
    Windows Components/Internet Explorer
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Disable changing home page settings Enabled Default Domain Policy 
    
    Home Page myessel.esselgroup.com 
     
    
    Windows Components/Windows Installer
    
    
    
    
    Policy
    
    Setting
    
    Winning GPO
    
    Always install with elevated privileges Enabled Default Domain Policy 
    
     
    This setting must be set for the machine and the user to be enforced. 
     
    

    Please check my generated report and help to resolve this.
    Saturday, July 9, 2016 12:14 PM
  • The report above shows that "Password must meet complexity requirements" is enabled. As I noted before, the password "alone@2011" meets the complexity requirements (unless the user name includes the string "alone").

    Are you saying that a password that is not complex is accepted? If so, what is the password?

    Are you saying that a password that is complex is not accepted? If so, what is the password?

    And I assume the user is logging into the domain, and not into the local computer (where the password requirements can be different).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Saturday, July 9, 2016 2:21 PM
  • If I set alone212 as the new password, it is also accepted.
    Monday, July 11, 2016 11:21 AM
  • > Security Group Membership when Group Policy was applied
    [...]
    > UTILITY\NETWORK1$
    > UTILITY\Domain Computers

    This RSoP is _not_ from the PDC emulator, but from a member computer. As said above: Password policies for domain users must be applied to the PDC emulator.
     
    Monday, July 11, 2016 12:16 PM
  • Then what do I need to do?
    Tuesday, July 12, 2016 4:45 AM
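
One way to carry out the check asked for in the PDC emulator replies above: read the password policy from the PDC emulator rather than from a member computer such as NETWORK1. This is an added example, not part of the original thread; the account name `testuser` and the report path are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory and
# GroupPolicy modules (present on a domain controller or with RSAT installed).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Find the domain controller that holds the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# 2. Read the domain password policy as that DC sees it. These values are
#    what domain password changes are checked against, whatever an RSoP
#    report from a workstation or member server shows.
Get-ADDefaultDomainPasswordPolicy -Server $pdc |
    Format-List ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                MaxPasswordAge, LockoutThreshold

# 3. Check whether a fine-grained password policy overrides the domain
#    policy for one account. Assumption: 'testuser' is a placeholder name.
$user = 'testuser'
$pso  = Get-ADUserResultantPasswordPolicy -Identity $user -Server $pdc
if ($pso) {
    $pso | Format-List Name, Precedence, ComplexityEnabled, MinPasswordLength
} else {
    "No fine-grained policy applies to $user; the domain policy is in effect."
}

# 4. Produce the RSoP report for the PDC emulator itself (the report that
#    GPMC's Group Policy Results wizard generates). Assumption: the account
#    running this has logged on to that DC at least once, otherwise the
#    user half of the report cannot be collected.
$report = Join-Path $env:TEMP 'rsop-pdc.html'
Get-GPResultantSetOfPolicy -Computer $pdc -ReportType Html -Path $report
"RSoP report written to $report"
```

If `ComplexityEnabled` is False in step 2 while the Default Domain Policy shows the setting enabled, the GPO is not being applied on the PDC emulator, which is the condition the reply above describes.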