How to Change a User Password Across Domains Using Command Line (net user /domain)


When administering Active Directory environments with multiple domains, you might encounter situations where standard domain password reset commands fail. The typical command:

net user username * /domain

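only works for users in your current domain context, because the /domain switch runs the operation against a domain controller in the computer's primary domain. If the target user exists in a trusted domain, you'll need an alternative approach.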

Here are several methods to change passwords across domains:

:: Method 1: Using fully qualified username (requires trust relationship)
net user username@targetdomain.com * /domain

# Method 2: Using PowerShell (requires AD module)
$cred = Get-Credential
# Prompt for the new password so it is not stored in command history or logs
$newPassword = Read-Host -Prompt "New password" -AsSecureString
Set-ADAccountPassword -Identity "CN=User,OU=Users,DC=targetdomain,DC=com" -Server "dc.targetdomain.com" -Credential $cred -Reset -NewPassword $newPassword

For a more robust command-line solution (without PowerShell):

:: First authenticate to the target domain
runas /netonly /user:targetdomain\adminaccount "cmd.exe"

:: Then in the new command window:
net user targetuser * /domain:targetdomain

Keep the following in mind:

1. Domain trust relationships must be properly configured
2. Your account needs appropriate permissions in the target domain
3. Password policies (complexity, history) of the target domain will apply

If you receive "System error 5 has occurred" (access denied):

  • Verify your account has "Reset Password" permissions in the target domain
  • Check if the domain controllers can communicate (firewall ports, DNS)
  • Try specifying a specific DC: net user username * /domain /server:dcname.targetdomain.com

For more complex environments, consider using LDAP commands or dedicated AD management tools that support multi-domain operations.


When administering multi-domain Windows environments, you'll occasionally need to reset passwords for users in domains where your admin account doesn't have native permissions. The standard net user approach fails because:

  • It defaults to the current domain context
  • It lacks explicit domain-targeting parameters
  • Credentials aren't automatically passed across domain trusts

Method 1: RunAs with Explicit Credentials

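Execute the command with domain admin privileges from the target domain. A password typed as an argument is visible in the process command line, so substitute * for newpassword if you want to be prompted instead: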

runas /user:targetdomain\adminaccount "net user username newpassword /domain"

Method 2: PowerShell Remoting (Preferred)

For modern environments, PowerShell provides better control:

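$cred = Get-Credential targetdomain\adminaccount
# Prompt locally so the password is never written in the script or on the command line
$newPassword = Read-Host -Prompt "New password" -AsSecureString
Invoke-Command -ComputerName targetDC -Credential $cred -ScriptBlock {
    # -Reset performs an administrative reset; without it the cmdlet expects the old password
    Set-ADAccountPassword -Identity username -Reset -NewPassword $using:newPassword
}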

Method 3: DSMod Alternative

When AD tools are installed:

dsmod user "CN=user,OU=Users,DC=targetdomain,DC=com" -pwd newpassword -d targetdomain.com -u targetdomain\adminaccount -p *

Keep in mind for all methods:

  • Administrative privileges are required in the target domain
  • Password policies (complexity, history) still apply
  • Cross-domain trusts must be properly configured
  • For security, consider temporary passwords with forced reset
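
The temporary-password-with-forced-reset advice above, combined with the explicit credential and target DC from the PowerShell methods, as an added example that is not part of the original article. The function name Reset-CrossDomainPassword and its parameter names are hypothetical; the cmdlets are the standard ActiveDirectory module ones, and the account names are the article's placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: Reset-CrossDomainPassword is a hypothetical helper name.
function Reset-CrossDomainPassword {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # sAMAccountName or distinguished name of the user in the target domain
        [Parameter(Mandatory)] [string] $Identity,
        # A domain controller in the target domain, e.g. dc.targetdomain.com
        [Parameter(Mandatory)] [string] $Server,
        # Account that holds Reset Password rights in the target domain
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Resolve the user on the target DC first so a typo fails before any change is made.
    $user = Get-ADUser -Identity $Identity -Server $Server -Credential $Credential -ErrorAction Stop

    # Prompt for the temporary password; it never appears on a command line or in history.
    $tempPassword = Read-Host -Prompt "Temporary password for $($user.SamAccountName)" -AsSecureString

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password and force change at next logon')) {
        # -Reset performs an administrative reset, so the old password is not needed.
        Set-ADAccountPassword -Identity $user -Server $Server -Credential $Credential `
            -Reset -NewPassword $tempPassword -ErrorAction Stop

        # Make the temporary password single-use.
        Set-ADUser -Identity $user -Server $Server -Credential $Credential `
            -ChangePasswordAtLogon $true -ErrorAction Stop

        # Read back pwdLastSet: a value of 0 means the user must change it at next logon.
        Get-ADUser -Identity $user -Server $Server -Credential $Credential -Properties pwdLastSet |
            Select-Object SamAccountName, DistinguishedName, pwdLastSet
    }
}

# Usage, with the article's placeholder names:
# $cred = Get-Credential targetdomain\adminaccount
# Reset-CrossDomainPassword -Identity targetuser -Server dc.targetdomain.com -Credential $cred
```

When account management auditing is enabled, the reset is recorded on the target domain controller as Security event 4724, which gives you an audit trail for cross-domain resets.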

Common errors and solutions:

Error             Solution
System error 5    Run CMD as administrator
Access denied     Verify trust relationships and admin rights
No such object    Check distinguishedName format