Powershell: Generating random password for Active Directory

UPDATE 2015-01-04: I’ve updated the script on Technet Gallery: https://gallery.technet.microsoft.com/Generate-a-random-and-5c879ed5
Drastically improved performance and randomization logic.

When provisioning new users to Active Directory we need to provide a new password and of course we want to generate a random password.

These are my thoughts and three methods for generating passwords: the first two are quite simple and straightforward, and the third is a little more complex and definitely the one I recommend.

Method 1

It’s quite easy to pipe a bunch of chars to Get-Random to get a somewhat random password like this:

Using the operator -join will join the array back to a string with an empty string between each element.

The problem with this approach is that we cannot guarantee that the password will be accepted by AD as complex enough, since it could return a password containing only lowercase letters a-z.

Method 2

Another way would be using the .NET class System.Web.Security.Membership by calling the method GeneratePassword like this:


This method takes two parameters: length and the minimum number of non-alphanumeric characters. In the example above it will generate a password with 8 characters containing at least 2 non-alphanumeric characters. This is a bit closer to passing the AD requirements; at least now we can be sure to get chars from at least two types, alphanumeric and non-alphanumeric, but on rare occasions it will not fulfill the requirement of chars from at least three of five categories.
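The two quick methods side by side, with an AD-style complexity check run over a batch of generated passwords to show how often each one would be rejected. This is an added example, not code from the original post; the function names New-GetRandomPassword, New-MembershipPassword and Test-ADComplexity are my own, and the check only covers the four categories (upper, lower, digit, non-alphanumeric) these generators can actually produce:

```powershell
# Method 1: pick 8 random characters from a-z, A-Z and 0-9 and -join them.
# Get-Random -Count picks without replacement and is not a cryptographic RNG.
function New-GetRandomPassword {
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    -join ($chars | Get-Random -Count 8)
}

# Method 2: System.Web.Security.Membership.GeneratePassword(length, minNonAlphanumeric).
Add-Type -AssemblyName System.Web
function New-MembershipPassword {
    [System.Web.Security.Membership]::GeneratePassword(8, 2)
}

# AD default complexity rule: characters from at least 3 of 5 categories.
# The fifth category (other Unicode letters) cannot occur here, so four are tested.
# -cmatch is required: plain -match is case-insensitive and would treat [A-Z] as any letter.
function Test-ADComplexity([string]$Password) {
    $categories = 0
    if ($Password -cmatch '[A-Z]')         { $categories++ }
    if ($Password -cmatch '[a-z]')         { $categories++ }
    if ($Password -cmatch '[0-9]')         { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]')  { $categories++ }
    return ($categories -ge 3)
}

# Constructed trial: count how many of 1000 passwords per method fail the check.
foreach ($method in 'New-GetRandomPassword', 'New-MembershipPassword') {
    $rejected = 0
    foreach ($i in 1..1000) {
        if (-not (Test-ADComplexity (& $method))) { $rejected++ }
    }
    '{0}: {1} of 1000 would be rejected by AD' -f $method, $rejected
}
```

The rejection count for Method 1 is usually small but non-zero, which is exactly the problem when the password is set unattended; Method 2 fails less often, since two non-alphanumeric characters are guaranteed, but it still has no guarantee of a third category. A check like Test-ADComplexity is what a provisioning script would need to wrap around either method before calling Set-ADAccountPassword.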

This method will work well enough as long as there is a manual check that the generated password fulfills the requirements of the organization. When automating password generation, for example during automated provisioning, it just isn't enough, so I wrote a PowerShell function to generate random and complex passwords, described in Method 3.

Method 3

I wrote a function to generate a number of random passwords that will be complex enough for Active Directory.

The function can be run in two ways: either using the parameter -PasswordLength to set a fixed password length, or using the parameters -MinPasswordLength and -MaxPasswordLength to use a random length.

Both ways take the parameters -Count and -InputStrings. -Count specifies how many passwords to generate and -InputStrings specifies a list of strings defining which chars to use for password generation. Each generated password will contain at least one char from each string (as long as PasswordLength is at least the number of strings).

I also use the class System.Security.Cryptography.RNGCryptoServiceProvider as the source of randomness, making the password a little more secure than one drawn from Get-Random.

The parameters have the following default values:
PasswordLength: 8
MinPasswordLength: 8
MaxPasswordLength: 12
Count: 1
InputStrings: @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')

This means that just running the command New-SWRandomPassword will generate a new password of 8 characters containing lowercase, uppercase, numeric and non-alphanumeric characters.
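A simplified reimplementation of the interface described above, added here as an example; it is not the author's Technet Gallery script. It keeps the same parameter names and defaults, draws randomness from RNGCryptoServiceProvider, and guarantees one char from each -InputStrings entry. The nested helper Get-RandomIndex (rejection sampling to avoid modulo bias) and the final Fisher-Yates shuffle are my additions, so the guaranteed characters do not always land in the first positions:

```powershell
function New-SWRandomPassword {
    [CmdletBinding(DefaultParameterSetName = 'FixedLength')]
    param(
        [Parameter(ParameterSetName = 'FixedLength')]
        [ValidateRange(1, 2147483647)]
        [int]$PasswordLength = 8,

        [Parameter(ParameterSetName = 'RandomLength')]
        [ValidateRange(1, 2147483647)]
        [int]$MinPasswordLength = 8,

        [Parameter(ParameterSetName = 'RandomLength')]
        [ValidateRange(1, 2147483647)]
        [int]$MaxPasswordLength = 12,

        [ValidateRange(1, 2147483647)]
        [int]$Count = 1,

        # Same defaults as the post: ambiguous glyphs (l, I, O, 0, 1) left out.
        [string[]]$InputStrings = @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')
    )

    # Cryptographic RNG; Get-Random is not suitable for secrets.
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 4

    # Helper (my addition): unbiased index in [0, $max) by rejection sampling a 32-bit value.
    function Get-RandomIndex([int]$max) {
        $limit = [long]4294967296 - ([long]4294967296 % $max)
        do {
            $rng.GetBytes($buffer)
            $value = [long][BitConverter]::ToUInt32($buffer, 0)
        } while ($value -ge $limit)
        return [int]($value % $max)
    }

    if ($PSCmdlet.ParameterSetName -eq 'RandomLength' -and $MinPasswordLength -gt $MaxPasswordLength) {
        throw 'MinPasswordLength must not exceed MaxPasswordLength.'
    }
    $allChars = -join $InputStrings

    for ($i = 0; $i -lt $Count; $i++) {
        if ($PSCmdlet.ParameterSetName -eq 'RandomLength') {
            $length = $MinPasswordLength + (Get-RandomIndex ($MaxPasswordLength - $MinPasswordLength + 1))
        } else {
            $length = $PasswordLength
        }
        if ($length -lt $InputStrings.Count) {
            throw "Password length $length is shorter than the number of input strings ($($InputStrings.Count))."
        }

        $chars = New-Object char[] $length
        # One char guaranteed from each input string...
        for ($j = 0; $j -lt $InputStrings.Count; $j++) {
            $set = $InputStrings[$j]
            $chars[$j] = $set[(Get-RandomIndex $set.Length)]
        }
        # ...the remaining positions drawn from the union of all strings.
        for ($j = $InputStrings.Count; $j -lt $length; $j++) {
            $chars[$j] = $allChars[(Get-RandomIndex $allChars.Length)]
        }
        # Fisher-Yates shuffle so the guaranteed chars sit at random positions.
        for ($j = $length - 1; $j -gt 0; $j--) {
            $k = Get-RandomIndex ($j + 1)
            $tmp = $chars[$j]; $chars[$j] = $chars[$k]; $chars[$k] = $tmp
        }
        -join $chars
    }
    $rng.Dispose()
}

# Usage: three passwords of random length between 8 and 12 characters.
New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 12 -Count 3
```

Because every -InputStrings entry contributes at least one character, a password built from the four default strings always covers four of AD's five complexity categories, which is why no separate check is needed before Set-ADAccountPassword. When passing the result on, use the variable directly (or a double-quoted string); a single-quoted '$Password' is sent literally and will be rejected as too short.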

The script is available at the Technet Gallery.

30 thoughts on "Powershell: Generating random password for Active Directory"

  1. Well I spoke too soon. I have come back to look at this again, and I cannot get any output from the script at all. Has anybody resolved a similar issue? Using a simple invocation in an administrative powershell window doesn't produce any output for me.

    .\new-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 10 -Count 1

  2. Hi Rick,
    Running the .ps1 file only loads the function. To load it into your current scope it has to be "dot-sourced" like this:
    . .\New-SWRandomPassword.ps1

    Then the function is loaded and you can call it like this:
    New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 10 -Count 1

  3. Experiencing the same thing. When I copied it down it also appeared to have a missing } for the function. After adding the bracket I do not get any output.

    At C:\New-SWRandomPassword.ps1:1 char:31
    + function New-SWRandomPassword {
    + ~
    Missing closing '}' in statement block.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingEndCurlyBrace

  4. Hello Simon, this function is great! Thank you for taking the time to put this together.

    When I run the function I am able to get the randomized strings as expected. However, I am having trouble adding this to a broader script. I continually receive an error that the PW does not meet the AD Complexity requirements.

    $Pwd = New-SWRandomPassword -PasswordLength 10
    Set-ADAccountPassword user1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText '$Pwd' -Force)

    Should I be going about this in a different manner?


  5. Hello Simon,

    Please disregard, I just needed to change how I was passing it through.

    $RndPwd = New-RandomPassword -PasswordLength 12
    # Pass the variable unquoted; single quotes would send the literal text $RndPwd as the password
    $Pwd = (ConvertTo-SecureString -AsPlainText $RndPwd -Force)
    Set-ADAccountPassword gpuser1 -Reset -NewPassword $Pwd

    I will be sure to give you credit for this awesome function!!

    Thanks again!

  6. Great,

    Just what we need to generate bulk of AD samAccountName and Password

    Thanks a lot!

  7. Note the ellipsis (…) at the bottom of the code. There is a section of the script missing.
