Description of password-change protocols in Windows

This article describes the mechanisms for changing passwords in Windows.

Original product version: В Windows 10, Windows Server 2012 R2
Original KB number: В 264480

Summary

Windows uses many different mechanisms for changing passwords. This article describes those mechanisms.

More information

The supported password-change protocols are:

1. The NetUserChangePassword protocol
2. The NetUserSetInfo protocol
3. The Kerberos change-password protocol (IETF Internet Draft Draft-ietf-cat-kerb-chg-password-02.txt) [port 464]
4. Kerberos set-password protocol (IETF Internet Draft Draft-ietf-cat-kerberos-set-passwd-00.txt) [port 464]
5. Lightweight Directory Access Protocol (LDAP) write-password attribute (if 128-bit Secure Sockets Layer [SSL] is used)
6. XACT-SMB for pre-Microsoft Windows NT (LAN Manager) compatibility

Change-password operations require that the user’s current password be known before the change is allowed. Set-password operations don’t have this requirement, but are controlled by the Reset Password permissions on the account.

When you’re using LDAP (method 5), the domain controller and the client must both be able to use 128-bit SSL to protect the connection. If the domain controller isn’t configured for SSL or if appropriately long keys aren’t available, the password-change write is denied.

An Active Directory domain controller listens for change-password requests on all of these protocols.

As stated earlier in this article, different protocols are used in different circumstances. For example:

• Interoperable Kerberos clients use the Kerberos protocols. UNIX-based systems with MIT Kerberos version 5 1.1.1 can change user passwords in a Windows-based domain by using the Kerberos change-password protocol (method 3).
• When users change their own passwords by pressing CTRL+ALT+DELETE and then clicking Change Password, Windows NT up to Windows 2003 the NetUserChangePassword mechanism (method 1) is used if the target is a domain. From Windows Vista onwards, the Kerberos change password protocol is used for domain accounts. If the target is a Kerberos realm, the Kerberos change-password protocol (method 3) is used.
• Requests to change a password from computers that are running Microsoft Windows 95/Microsoft Windows 98 use XACT-SMB (method 6).
• A program that uses the ChangePassword method on the Active Directory Services Interface (ADSI) IaDSUser interface first tries to change the password by using LDAP (method 5), and then by using the NetUserChangePassword protocol (method 1).
• A program that uses the SetPassword method on the ADSI IaDSUser interface first tries to change the password by using LDAP (method 5), then the Kerberos set-password protocol (method 4), and then the NetUserSetInfo protocol (method 2).
• The Active Directory Users and Computers snap-in uses ADSI operations for setting user passwords.

—>

Changing user password in Windows Server 2012 with Active Directory

Changing an AD password

This manual describes how to change a password for a server with Active Directory domain service. For this purpose, open «Start» -> «Administrative Tools» -> «Active Directory Users and Computers»

In the new window that appears, open the section containing the name of your domain – in the screenshot this is «example.com» – and click on the «Users» folder.

The list of users will emerge on the left side; select one of the users by name and right click on «Reset Password . «

In the change password window:

1. Enter a new password (password must be at least 8 characters)
2. Check the box «User must change password at the next logon» if required.
3. Unblock the relevant user account if the user has been locked by the system.

Press «OK«. If all the data have been entered correctly, a window will appear confirming successful password change. Let’s proceed to the «Password age» function.

AD password age

On the server, the «Password age» function is set to 42 days by default which means that every 42 days your system will require a password change. Where to change or disable this feature is discussed below.

Open «Start» -> «Administrative Tools» -> «Group Policy Management»

The «Group Policy Management» window will open. In the left side block open the tree: «Forest: Your Domain Name» -> «Domains» -> «Your Domain Name» -> «Default Domain Policy»; then select the «Settings» tab in the right side block.

In the «Settings» tab, open the following tabs: «Policies» -> «Windows Settings» -> «Security Settings» -> «Account Policies / Password Policy»:

In the «Account Policy / Password Policy» list, right-click on «Maximum Password Age 42 Days» and select «Edit» in the context menu. The «Group Policy Management Editor» will open. In this editor, in the left side block, open the tree: «Computer Configuration» -> «Policies» -> «Windows Settings» -> «Security Settings» -> «Account Policies» -> «Password Policy».

In the right side block «Maximum password age is 42 days»

In the window that opens, set the value «Password age» to 0 or the value you need. «0» tells the system that the «Password age» function is disabled. In such mode, the password age is infinite.

Change user password in Windows command line

We can change a user password from Windows command line using net user command. The command is explained below with examples.

How to change local user password

For example, if you want to reset the password for the user John on the local computer, you can run the below command. Let’s say the new password is pq12d*[email protected]

You may not want to provide the new password in the command prompt for obvious security reasons. Net use command allows to reset the password so that none around your desk can see it. You need to provide * in the place of password while executing net use command. You will be prompted to type the password and the password you enter won’t be printed on the screen. But you need to feed the password twice to make sure that you have entered the password you intended to.

How to change domain user account password

If you want to change password for a domain account, you can do it by running the below command.

Next, you will be prompted twice to enter the password and on successful completion your domain account password will be reset. You can also provide the password in the command itself as explained above.

In case the domain is not reachable then you will get the below error when you try to run the above command.

hi on my VISTA computer i get this
“System error 1355 has occurred.
The specified domain either does not exist or could not be contacted.”

Make sure that your system can contact the domain controller(DC) machine. see if ‘ping ip-of-DC’ works..
ex: ping 10.20.30.40

Any command to show the password of a user?

Nope. Only reset or add password is available via command prompt on windows. Another trick is to reset the password in seconds (such as PassMoz LabWin) and add a new password to the computer so you can know what is the password is.

when i enter in my case:
net user Stingray*; to make sure my password isn’t printed on the screen it says “The syntax of the command is: and then it gives me a whole bunch of different options. it doesn’t let me put in a password

you should have whitespace between user name and *. The command should be
net user stingray *

“The user name could not be found.
More help is available by typing NET HELPMSG 2221.”
Is this happened because my username contains spaces (example : John’s Family) ?
What to do ?
Thanks

i have a problem after retyping the new password. It says

System error 5 has occurred.
Access is denied.

Looks like you don’t have admin privileges on the system to change password of another user.

right click command prompt and run as administrator.
or
select command prompt Ctl+Shift+Enter
the execute the command.

In this case you have to open the cmd as run administrator and try it again it will happen,

C:\>net user Peter Norton Jr *
The syntax of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
username /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
C:\>NET USER ASPNET newpassword:*
System error 5 has occurred.

Access is denied.

C:\>NET USER ASPNET newpassword *
The syntax of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
username /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
this is what i m getting when trying to change password ?
help please

please run cmd as administrator.
And you can reset password.
Thanks

How can you change the password in command line and also prompt the user to change it at his next login?
I know for sure this option exists in GUI mode “User must change password at next logon”.

Following;
Any updates on this query im curious as well tia!

This cmd command worked like a charm!
Thanks

I’ve tried many times but never get changed successfully comment.

Net user TST Main VLRIPCITY

This comment goes to those who are having issues with changing passwords for user accounts that have spaces in between (James Clark, for example). The white space in between breaks down the user name into two and affects the syntax structure i.e. net user username password.therefore the line: net user James Clark 12234, is the same as: user James, password: Clark 12234. in which the user James does not exist on the computer. try an underscore between the usernames e.g. net user James_Clark 12234.

i want to know how to login using cmd with password(i have password) without changing it.

I receive an error that says the system is not authoritative for the specified account and therefore cannot complete the operation please retry the operation using the provider associated with this account. if this is an online provider please use their providers online site. This is a local account on a Windows 10 computer so I’m a bit confused.

the command net user user_name* need to verify for password complexity and this wont work if use script such as php as we need to reenter the password ,instead using net user user_name new_password will change the password without prompt

I am not a Domain Admin.
How can i change my domain user password.

Hi ALL
I have a PC on the domain…but off the network…user cannot login and i recive password reset cause cant login into VPN
Is it possible to reset domain password via cmd
or even reset the local password via cmd.
referring to cmd on automatic repair / advanced troubleshooting screen

I really need to know how to do that when running INVOKE command, error 5 previleges still.

NET USER
[username [password | *] [options]] [/DOMAIN]
username /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:]

next what i want to do dns server not authoritative for zone please guide me what i can do for the password reset.

NET USER
[username [password | *] [options]] [/DOMAIN]
username /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:]

I keep getting this message I’m trying to change my password

NET USER
[username [password | *] [options]] [/DOMAIN]
username /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:]

I keep getting this message I’m trying to change my password

i have a problem please help me .
when i want to change my password my keyboard does’n work

NET USER
[username [password | *] [options]] [/DOMAIN]
username /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:]
I’m getting the same thing. You haven’t replied to these answers, do you not know?

I am able to change password/unlock using Active Directory utility but not able change password from command line

Have you tried with /domain, since this seems to be for a active directory account and not local one.

How can i do if my username include a point : for example Q.S ?

How to Change Password in Windows Server 2016 (4 Methods)

Browse Post Topics

Introduction

This guide demos 4 ways to change password in Windows Server 2016.

Options to Change Password in Windows Server 2016

This guide details how to change Password in Windows Server 2016 using these methods:

1. Change Password with “Ctrl + Alt + Delete”
2. Use “Edit Local Users and Groups” to Change Password
3. Change Password with Active Directory Users and Computers
4. Use PowerShell to Change Password for an Active Directory Account

Change Password with “Ctrl + Alt + Delete”

This is the easiest way to change password in Windows Server 2016. This method is applicable to change password for both local and domain accounts.

Here are the steps:

• While logged on to the server press Ctrl + Alt + Delete.

• Then click Change password.

• You will be required to provide the current password for the logged in user. Then type and retype a new password. When you finish press enter. You could also click the forward arrow (->) beside Confirm password.

Use “Edit Local Users and Groups” to Change Password

This method can only be used to change password for member servers (a server that is not a Domain Controller).

Here are the steps:

• Log on to the member server. Then type users in the search bar. Finally, click Edit local users and groups.

• When Edit local users and groups opens, click the Users node. Then right-click the user you wish to change the password and select Set Password.

• When you receive a warning message, read the details and click Proceed.

• Type your new password then confirm the password. When you have entered the new password into the two boxes click OK.

Change Password in Windows Server 2016 with Active Directory Users and Computers

This method should be used to change passwords for domain users.

Here are the steps to use this method:

• Login to a Domain Controller and open Server Manager.
• From Server Manager click Tools. Then select Active Directory Users and Computers.

• When AD Users and Computers opens, navigate to the AD container where the user is. Then right-click the user and click Reset Password…

• Type the password in the New password field. Then retype it in the Confirm password field. If you do not want to force the user to change the password when they login uncheck the box beside User must change password at next logon. You could also check Unlock the user’s account box if you wish to unlock a locked account. When you finish click OK.

Use PowerShell to Change Password in Windows Server 2016 for an Active Directory Users

You can also use PowerShell to change password for an Active Directory user.

Below is a sample command:

To use the command, change to the AD username for you the user you wish to change the password.

Also replace “[email protected]” and “[email protected]” with the old and new password respectively.

Conclusion

You can use the 4 methods discussed in this guide to change password for users in Server 2016.

Kindly use the “Leave a Reply” form to provide us feedback about this guide.

For more Windows Server guides visit our Windows Server How To page.