Monday, February 13, 2017

Set-ADAccountPassword only respects history if -OldPassword is specified

Forcibly resetting a user's password in Active Directory - e.g. with the Set-ADAccountPassword cmdlet - does not respect the password history. This makes sense, since account operators should have no special knowledge about a user's password choices (other than the new forced password). Interestingly, though, resetting a password does not destroy the password history.

If you first force-reset the password to a known string by omitting the -OldPassword parameter, you can then make a second Set-ADAccountPassword call that does supply -OldPassword (the temporary password you just set), and that second call is checked against the history. The disadvantage is that the temporary password stays set if the second call fails, but it's interesting to observe.
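The two-step sequence described above, written out as an added example (this is not code from the original post). It assumes the ActiveDirectory module is loaded, that the caller has reset rights on the target account, and that $User and the temporary password value are placeholders to be replaced. The -Reset, -NewPassword and -OldPassword parameters are the cmdlet's real parameters.

```powershell
# Added example, not from the original post. Step 1 is a reset (no
# -OldPassword), which the DC does not check against password history.
# Step 2 is a change (-OldPassword supplied), which the DC does check.
Import-Module ActiveDirectory

$User = 'jdoe'   # placeholder sAMAccountName; replace with the real account

# Placeholder temporary value; in practice generate this rather than hard-code it.
$Temp = ConvertTo-SecureString 'Temp-Placeholder-1!' -AsPlainText -Force

# The intended new password, read without echo so it never appears in the transcript.
$New = Read-Host -AsSecureString -Prompt "New password for $User"

# Step 1: forced reset. History is not consulted for this call.
Set-ADAccountPassword -Identity $User -Reset -NewPassword $Temp -ErrorAction Stop

# Step 2: a change from the known temporary value. Because -OldPassword is
# present, the DC applies the history check (and its other policy rules) to $New.
try {
    Set-ADAccountPassword -Identity $User -OldPassword $Temp -NewPassword $New -ErrorAction Stop
    Write-Host "Password for $User changed; domain history policy was enforced."
}
catch {
    # The caveat from the post: a rejected second call leaves the account on
    # the temporary password, so make that state obvious to the operator.
    Write-Warning "Second call failed: $($_.Exception.Message)"
    Write-Warning "Account $User is still set to the temporary password from step 1."
}
```

One thing to check before relying on this in a domain: the second call is an ordinary password change as far as the domain controller is concerned, so it is also subject to the minimum password age policy, which a reset is not. With a non-zero minimum age the change can be rejected immediately after the reset, which is exactly the failure path the catch block reports.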
