Bug in Set-ADAccountPassword cmdlet by Baterias


Status: Active
Type: Bug
ID: 777142
Opened: 1/22/2013 5:14:30 AM
Access Restriction: Public
Workaround(s): 0
User(s) can reproduce this bug: 5

Description

I have two Active Directory environments: production.mycompany.com and development.mycompany.com. I must change passwords on all employees in the development environment. I tried this command:

Get-ADUser -filter * -SearchBase "ou=employees,dc=development,dc=mycompany,dc=com" -Server dc.development.mycompany.com|%{Set-ADAccountPassword $_.samaccountname -reset -NewPassword $pass -Credential $Adm -WhatIf}

This command has a serious error: credential $Adm belongs to the production environment. But no problem, the -WhatIf parameter prevents damage to domain accounts.

Horror! The -WhatIf parameter doesn't work in the Set-ADAccountPassword cmdlet. My employees lost their passwords.

This is a serious bug in the ActiveDirectory module.
Details
Posted by TQuerec [MSFT] on 7/8/2014 at 5:05 PM
Hi everyone, thanks for the feedback on the AD cmdlets. I agree that the behavior of the AD cmdlets with regards to -WhatIf is confusing, especially when using the cmdlets that make object modifications. I'll consider taking a change in a future version to improve this.

chustedde, with regards to the behavior of Set-ADAccountPassword when only -NewPassword is supplied: when run in this mode the cmdlet first attempts to perform a reset on the account. If this fails, it will require -OldPassword to be supplied. The intent was to make a best effort to successfully change the password without requiring users to supply -Reset if they had permissions to perform a reset. Is this confusing? Would you have preferred it to fail and require -OldPassword, or is this issue compounded by the lack of -WhatIf support? The only possible change for this would be to require -OldPassword, but that could break current users of the cmdlet.

Sincerely,
Travis Querec [MSFT]
Posted by chustedde on 4/28/2014 at 7:03 AM
This is even worse:

Set-ADAccountPassword -Identity $sAMAccountName -Server $server -NewPassword $password -ErrorAction Stop

The above command can reset a password for an existing user who already has a password, when in the documentation it says it shouldn't be able to unless -OldPassword is provided.
Posted by sup3rw0rm on 8/22/2013 at 1:01 PM
I can verify this. I was bitten by this last night.

Set-ADAccountPassword -Identity $User -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "password" -Force) -WhatIf
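As an added example, not from any post in this thread nor from Microsoft's ActiveDirectory module: a wrapper that gives the reset a working -WhatIf and -Confirm through ShouldProcess (the defect in the report), refuses to run when the credential and the target DC belong to different domains (the production/development mix-up in the report), and passes -Reset explicitly so the reset-without-OldPassword path chustedde and TQuerec discuss is never taken by accident. Function and parameter names are hypothetical; it assumes the ActiveDirectory module is installed and a trust or account that lets Get-ADDomain answer for the target DC.

```powershell
# Added example (not from the bug report or from Microsoft's ActiveDirectory module):
# a guarded wrapper around Set-ADAccountPassword. Names are hypothetical.
function Reset-ADAccountPasswordGuarded {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [string]       $Server,       # DC to write to, e.g. dc.development.mycompany.com
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # Ask the target DC which domain it serves, using the same credential the reset would use.
    $target = Get-ADDomain -Server $Server -Credential $Credential -ErrorAction Stop

    # The credential must name its domain (DOMAIN\user or user@dns.domain) and that domain must
    # be the target's: a production credential against a development DC is refused here instead
    # of silently working through a trust.
    $user = $Credential.UserName
    if ($user -match '^(?<dom>[^\\]+)\\') {
        $sameDomain = $Matches.dom -ieq $target.NetBIOSName
    } elseif ($user -match '@(?<dom>.+)$') {
        $sameDomain = $Matches.dom -ieq $target.DNSRoot
    } else {
        throw "Credential '$user' does not name a domain; use DOMAIN\user or user@domain."
    }
    if (-not $sameDomain) {
        throw "Refusing: credential '$user' is not from $($target.DNSRoot), the domain served by $Server."
    }

    # ShouldProcess is what makes -WhatIf and -Confirm work here. -WhatIf on the wrapper also sets
    # $WhatIfPreference for the inner call, but Set-ADAccountPassword ignores it (the bug in this
    # report), so the write is only reached when ShouldProcess returns $true.
    if ($PSCmdlet.ShouldProcess("$Identity via $Server", 'Reset account password')) {
        # -Reset is explicit so the cmdlet never falls into its reset-without-OldPassword mode unasked.
        Set-ADAccountPassword -Identity $Identity -Server $Server -Credential $Credential `
            -Reset -NewPassword $NewPassword -ErrorAction Stop
    }
}

# Usage (constructed values): dry run with -WhatIf first; without it, ConfirmImpact 'High'
# prompts for each account unless -Confirm:$false is given.
# $pw = Read-Host -AsSecureString 'New password'
# Get-ADUser -Filter * -SearchBase 'ou=employees,dc=development,dc=mycompany,dc=com' -Server dc.development.mycompany.com |
#     ForEach-Object { Reset-ADAccountPasswordGuarded -Identity $_.SamAccountName -Server dc.development.mycompany.com -Credential $devAdm -NewPassword $pw -WhatIf }
```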