You can change a local account password in Windows using Control Panel, PowerShell, or PDQ tools. This guide shows how to reset local passwords locally and remotely, including at scale.
Changing local account passwords in Windows is super easy — until you realize you need to do it on a thousand-plus computers. While you contemplate handing in your resignation, let me assure you that changing that many local account passwords is easier than you think.
How do I change a local account password with Control Panel?
In Windows 10 and Windows 11, you can change a local account password with Control Panel.
Enter Control Panel into the Windows search bar, then click the Control Panel app result.
In Control Panel, click User Accounts, then click User Accounts again.
Click Manage User Accounts.
Select the account you want to change the password for, then click Reset Password.
Enter the new password for the account, then click OK.
If I only need to change the local account password of the computer I’m currently logged into, this is my go-to method. No fancy terminal, script, or program. Just good ol’ reliable Control Panel. However, if we need to manage this process remotely, especially at scale, we’ll need to use a different approach.
How do I change remote local user account passwords with PowerShell?
In Windows, you can reset local user account passwords remotely with PowerShell. This method works on Windows 10 and Windows 11 and supports bulk password changes.
PowerShell is basically the one-stop shop for all your Windows 10 and Windows 11 administration needs. It’s like the MacGyver of Windows utilities.
Here’s the script we’ll use to modify the local account passwords on remote devices.
$computers = "<computer1>", "<computer2>"
$password = Read-Host 'New password'
ForEach ($computer in $computers) {
$computer
$user = [adsi]"WinNT://$computer/<username>,user";
$user.SetPassword($password);
$user.SetInfo();
}
When you run this PowerShell script, it asks you to enter a new password to use for the targeted local account. Then, the ForEach loop goes through each computer, targets the included username, and changes the password accordingly. To use this script, just ensure that you modify the <computer> and <username> entries to match your environment information. You can also add more devices to the $computers variable. Just make sure each entry is formatted correctly and separated by a comma.
While this is a fairly basic script, it can be modified to meet the needs of most organizations. You can easily change the $computers variable to accept a .txt or .csv file containing a list of computer names, letting you run this script against hundreds or thousands of endpoints.
Easily run PowerShell scripts on remote devices
Need to run your awesome PowerShell scripts on remote devices? PDQ Connect can easily execute PowerShell scripts on any managed device with an active internet connection.
Pretty cool, right? Well, what if I told you there’s an even easier way to manipulate local user account passwords en masse?
How do I change local account passwords remotely with PDQ Inventory?
PDQ Inventory allows you to rapidly send remote commands to targeted devices. Here’s how quick and easy it is to remotely change the local account password of multiple Windows devices in PDQ Inventory.
If you don’t have access to PDQ Inventory but want to follow along with the guide, we’ve got you covered. Download a free trial of PDQ Inventory and follow our getting started guide to get up and running in minutes.
In PDQ Inventory, use the Shift or Ctrl keyboard keys to select the target devices.
Right-click on any of the selected devices, then click Tools > Run Command.
Set the command type to PowerShell or CMD.
For PowerShell, use this command:
Set-LocalUser -Name "<username>" -Password (ConvertTo-SecureString -AsPlainText "<new_password>" -Force)For CMD, use this command:
net user <username> <new_password>When the command has been added, click Execute to run the tool. If the command runs successfully, it returns “The command completed successfully.”
The commands should return a successful prompt within a couple of seconds of execution. Just ensure you modify the <username> and <password> placeholders in the commands to match the username and password you need to manage.
To summarize, select the devices, open the run command window, enter the command, then hit Execute. It literally takes me longer to walk to the fridge and grab a Mountain Dew than it does to change the local password on potentially hundreds of devices.
What are the risks of changing passwords remotely?
Before we clink our Mountain Dews together in celebration, we need to discuss the risks of transmitting credentials to remote devices using remote commands.
The problem with the above remote methods is that the password is transmitted over the network in plaintext, drastically increasing the risk of a threat actor obtaining the local account credentials. While there are methods to encrypt the information, they are beyond the scope of this article. But here are some resources to get you started.
How to encrypt credentials & secure passwords with PowerShell: This article takes you through the process of encrypting and retrieving credentials with PowerShell.
How to manage PowerShell secrets with the SecretsManagement module: This article teaches you how to use the SecretManagement module in PowerShell to secure sensitive data.
While the above resources are great for learning how to secure sensitive information using PowerShell, there’s an even better way to manage Windows local administrator accounts.
What is LAPS for managing local administrator accounts in Windows?
Microsoft LAPS (Local Administrator Password Solution) is free Microsoft Windows feature that automatically manages and rotates local administrator account passwords on Entra- or Active Directory-joined computers.
If you’re looking for the absolute best way to manage local administrator accounts in a Windows environment, then LAPS is your answer. The answer is right there in the name.
LAPS works by randomly generating and regularly rotating local administrator account passwords and storing the information securely in Microsoft Entra ID or Active Directory. You can configure how often the passwords are generated and what users or groups can access the information. It even works seamlessly with PDQ Deploy & Inventory.
If this sounds like the perfect solution for managing your local administrator accounts, that’s because it is. We’ve even got a guide to help you configure LAPS in your environment, which walks you through the entire process.
The coveted art of efficiency
Managing local user accounts manually is tedious, time consuming, and technically outdated. Hopefully, the methods in this article get you started on a path to becoming a more efficient and stress-free sysadmin.
Pro tip: Just because you’ve learned how to be more efficient doesn’t mean you have to tell your boss. I won’t tell if you don’t.
