When attempting to change another domain user's password without logging into that account, you need specific permissions. The "System error 5: Access denied" typically occurs because your current account (user1) lacks sufficient privileges.
To successfully change another user's password, you need one of these:
- Domain Administrator privileges
- Account Operator rights
- Delegated password reset permissions
The most reliable method is using PowerShell with Active Directory module:
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity user2 -NewPassword (ConvertTo-SecureString -AsPlainText "NewP@ssw0rd123!" -Force) -Reset
This requires the AD module installed (part of RSAT tools) and appropriate permissions.
If PowerShell isn't available, try this command-line approach:
dsquery user -name user2 | dsmod user -pwd NewP@ssw0rd123!
If you have admin credentials but not currently logged in as admin:
runas /user:domain\adminaccount "powershell -command \"& {Import-Module ActiveDirectory; Set-ADAccountPassword -Identity user2 -NewPassword (ConvertTo-SecureString -AsPlainText 'NewP@ssw0rd123!' -Force) -Reset}\""
If you receive "Insufficient access rights" errors:
- Verify your account has "Reset Password" permissions in Active Directory
- Check if password complexity requirements are met
- Ensure account isn't locked or disabled
For batch processing multiple accounts:
$users = Get-Content "C:\users.txt"
$newPassword = ConvertTo-SecureString "TempP@ssw0rd123!" -AsPlainText -Force
foreach ($user in $users) {
    Set-ADAccountPassword -Identity $user -NewPassword $newPassword -Reset
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
}
When managing Windows domain accounts, administrators often need to reset passwords for other users without logging into those accounts. The common net user approach fails in domain environments because:
net user username newpassword /domain
REM Returns "System error 5 - Access denied" for regular users
To successfully reset another user's password without logging in, you'll need:
- Active Directory domain environment
- Either:
  - Administrative privileges (Domain Admin or Account Operator rights)
  - Delegated password reset permissions
- Access to a domain-joined machine
For modern Windows environments, PowerShell provides the most reliable approach:
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity user2 -NewPassword (ConvertTo-SecureString -AsPlainText "NewP@ssw0rd123!" -Force) -Reset
Key parameters:
- -Identity: The SAM account name (user2)
- -NewPassword: Must be a SecureString object
- -Reset: Forces immediate password change
For legacy systems without PowerShell modules:
Set objUser = GetObject("LDAP://CN=user2,OU=Users,DC=domain,DC=com")
objUser.SetPassword "NewP@ssw0rd123!"
objUser.AccountDisabled = False
objUser.SetInfo
If you don't have admin rights but have been delegated password reset permissions:
dsquery user -name user2 | dsmod user -pwd NewP@ssw0rd123!
When these methods might fail:
- Password doesn't meet complexity requirements (Solution: Add special characters)
- Account is locked (First unlock with Unlock-ADAccount)
- Insufficient permissions (Contact your domain admin)
- Always generate complex passwords programmatically when possible
- Consider setting the "User must change password at next logon" flag
- Log all password reset operations for security auditing
# Example of setting password and flag together
Set-ADAccountPassword -Identity user2 -NewPassword (ConvertTo-SecureString -AsPlainText "TempP@ss123" -Force) -Reset
Set-ADUser -Identity user2 -ChangePasswordAtLogon $true
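A fuller version of the reset-and-flag pattern above, added here as an example and not part of either answer: it generates the temporary password from a CSPRNG so a complexity policy is always satisfied, applies -Reset together with ChangePasswordAtLogon, and writes an audit line for every attempt without ever logging the password. It assumes the RSAT ActiveDirectory module is installed, that the caller already holds a delegated Reset Password right on the target users, and a constructed log path; the function names are mine.

```powershell
# Added example, not from the answers above. Assumes: RSAT ActiveDirectory module present,
# the caller already has the delegated "Reset Password" right on the target users, and the
# constructed log path C:\Logs\password-resets.log is writable.
Import-Module ActiveDirectory
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function Get-CryptoIndex {
    # Uniform integer in 0..($Max-1) from the CSPRNG; rejection sampling removes modulo bias.
    param([int]$Max)
    $buf = [byte[]]::new(1)
    do { $script:Rng.GetBytes($buf) } while ($buf[0] -ge (256 - (256 % $Max)))
    return $buf[0] % $Max
}
function New-TemporaryPassword {
    param([ValidateRange(8, 128)][int]$Length = 16)
    # One character from every class first, so a typical domain complexity policy is always met.
    $sets  = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $chars = foreach ($s in $sets) { $s[(Get-CryptoIndex $s.Length)] }
    $all   = -join $sets
    $chars += for ($i = $sets.Count; $i -lt $Length; $i++) { $all[(Get-CryptoIndex $all.Length)] }
    # Fisher-Yates shuffle so the character class at each position is not predictable.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-CryptoIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}
function Reset-DelegatedPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$LogPath = 'C:\Logs\password-resets.log'   # constructed path
    )
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $result = 'OK'
    try {
        # -Reset sets the password without knowing the old one; needs the Reset Password right.
        Set-ADAccountPassword -Identity $Identity -NewPassword $secure -Reset -ErrorAction Stop
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -ErrorAction Stop
    } catch {
        # Access-denied and policy rejections both land here; the exception type tells them apart.
        $result = 'FAILED ({0}): {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }
    # Audit who reset whom, from where, and the outcome. The password itself is never logged.
    $line = '{0:o} actor={1}\{2} host={3} target={4} result={5}' -f (Get-Date),
        $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, $Identity, $result
    Add-Content -Path $LogPath -Value $line
    if ($result -ne 'OK') { throw $result }
    return $plain   # hand this to the user out of band; it must be changed at their next logon
}
```

Call it as `Reset-DelegatedPassword -Identity user2` from the delegated account; a failed attempt still produces an audit line, which is what a reviewer of the log wants to see.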