PS script to change passwords and email them

by generalcornwallis at 2012-12-17 07:45:40


I have been recently trained in active directory. The AD training covered some powershell in it but I am certainly no expert. I am, sadly, the closest thing to an "Expert" that there is here at my organization. I have been trying for about a week to get a script together that does the following:

Resets all users paswords in an OU to something unique for each user
Securely emailing those passwords to the user

Is this even possible with powershell? From what I have found you can’t pipe email addresses to send-mailmessage, but of course that isnt even a secure method of mailing passwords. Any feedback is welcome.

EDIT: The purpose of this is because we are finally getting off of the old samba/linux DC and moving to AD. We are a small organization so there are less than 800 users.
by ArtB0514 at 2012-12-17 08:51:35
What we ususally do is to set the initial password to something like "<LastName><FirstInitial>012345" and require password change on first login and tell the user to login within 24 hours. After that, we verify that the password has changed and, if not, we change the password again and notify the user’s manager.

If what you are looking for is just a list of random passwords, then this is a brute force way to generate a bunch of 10 character strings using upper and lower letters, number, and symbols.
$String = 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
$Passwords = @()
0…800 | foreach {
$pw = ""
0…10 | foreach {$pw += $String | Get-Random}
$Passwords += $pw
by generalcornwallis at 2012-12-18 11:24:43
Thanks for the reply, Art. The random code is far less of a problem as making send-mailmessage work with a list. Seems send-mailmessage cant accept a piped output so I cant send to anyone even if i had the damn thing working right. Foreach is also a problem. Ive seen many examples of its use but it remains a problem for me.
by nohandle at 2012-12-18 11:38:41
You are looking just for simple foreach loop, you have list of users (from AD) and you pipe them to foreach-object like in this model situation:
<#some way to get the user objects#>|ForEach-Object {

#for each object that is passed to pipeline do all these actions
# $
represents the current object in pipeline - the user you work with
# saving it in new variable is not necessary but makes this example more readable
$currentUser = $

$password = #some function to genereate passoword
$ErrorDuringMailSend = $null
Send-MailMessage -Subject "this is your new password" -From "" -ErrorVariable ErrorDuringMailSend -To $
if ($ErrorDuringMailSend)
#there was error sending the mail do some action like logging it

by generalcornwallis at 2012-12-19 09:48:23

Here is the script I am working with currently. It is similar to how you suggested but not quite the same.

if(@(get-module | where-object {$
.Name -eq "ActiveDirectory"} ).count -eq 0) {import-module ActiveDirectory}
$accounts=get-aduser -filter * -searchbase "ou=test,dc=my,dc=company" -properties * |where {$.Enabled -eq "True"}| where { $.EmailAddress -ne $null }|where { $.EmailAddress -ne "UNKNOWN" }
$subject="Test email subject"
$body="Test email body"

function randpass
$randomnum12= get-random -maximum 12
$pwdcreate=$bigwords[$randomnum12] + "."
do {
$randomnum12 = get-random -maximum 12
#write-host $word
$pwdcreate= $pwdcreate + $word + "."
#write-host $pwdcreate
While ($a -lt 2)
do {
$randomnum10 = get-random -maximum 10
$pwdcreate=$pwdcreate + $randomnum10
#write-host $pwdcreate
while ($b -lt 4)
return $pwdcreate

foreach ($x in $accounts)
$currentuser = $

Set-ADAccountPassword -Identity $x -reset -Newpassword (ConvertTo-SecureString -AsPlainText $temppass -Force)
"$X : $temppass"|out-file -append $outfile
Send-MailMessage -From $from -To $currentuser.mail -Subject $subject -Body $body -smtpserver $smtpserver

After running the script I get this error for each user in my test OU. I believe after this hurdle is taken care of I can finely tune this script.
Send-MailMessage : Cannot validate argument on parameter 'To'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At H:\scripts\Untitled8.ps1:43 char:34
+ Send-MailMessage -From $from -To $to -Subject $subject -Body $body -smtpserver $ …
+ ~~~
+ CategoryInfo : InvalidData: (:slight_smile: [Send-MailMessage], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.SendMailMessage
by nohandle at 2012-12-20 00:12:10
You try to assign $to variable to the ‘To’ parameter but you don’t create the variable first. Create the variable and assign email address to it.
by generalcornwallis at 2012-12-20 08:54:38
I got it working now, finally. Thanks to everyone for their help. This is the code I ended up with at the bottom:
$users = import-csv "h:\test.csv"
foreach($user in $users){
Get-ADUser -Identity $user.samaccountname -Properties *
Set-ADAccountPassword -Identity $user.samaccountname -reset -Newpassword (ConvertTo-SecureString -AsPlainText $temppass -Force)
$body="Your COMPANY password needs to be changed. You can log into the COMPANY WEBSITE to change your password. Your username is $username and your temporary password is: $temppass"
Send-MailMessage -From $from -To $user.mail -Subject $subject -Body $body -smtpserver $smtpserver