I'm writing a PS script to change an AD account's password by:

• grabbing current user password from a Key Vault

• Create a PSCredential $credential using the user's username and password obtained from KV

• Generate new password in plain text and convert to secure string $newpass

• Running Set-ADAccountPassword:

  Set-ADAccountPassword -Identity "testuser" -Reset -NewPassword $newpass -Credential $credential

This fails with "Set-ADAccountPassword: Access is denied". The $credential object contains the current user's credentials which are valid (I'm testing this in advance).

As I understand it users have SELF as able to change their own password, as they can just CTRL ALT DEL to reset it. In this case, this account is not allowed interactive logins (so I can't test in a PS terminal using RUNAS), and powershell would be an easy wait to change the password periodically.

Why am I getting access denied, and is there a way around this?

CodePudding user response：

There are two types of password update operations natively supported by AD:

• Password Reset
  • In this operation, permission to update the account password is granted to an administrative user who can then set it without having to know the existing password
• Password Change
  • In this operation, the calling user supplies the existing password as an argument, this authenticating the change - this is what you want!

When you specific the -Reset switch parameter, Set-ADAccountPassword takes it to mean you want to perform a password reset.

To perform a password change instead:

• Remove the -Reset switch
• Pass the existing password value as an argument to the -OldPassword parameter