Skip Ribbon Commands
Skip to main content

Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch

Ondrej Sevecek's English Pages > Posts > How to encode unicodePwd attribute with PowerShell
January 29
How to encode unicodePwd attribute with PowerShell

If you want to set user password in Active Directory (AD DS), you can write the new value over LDAP connection with ADSI or use LDP/LDF/LDIFDE import tool and a textual file. You can write the new password into unicodePwd attribute in its UTF16 (Unicode) Base64 encoded form. Domain controller (DC) in turn generates its required hashes (LM?, MD4, Digest MD5, AES SHA-1 etc.).

In all cases you need to encode the password. With powershell, it is just this simple (note that you must also enclose the password into double quotation marks):

$pwd = 'SomeNew-Password5'

# Note: this form will be used by LDIFDE when saved into LDF file
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('"{0}"' -f $pwd))

# Note: this form will be used by LdapConnection if you want to modify the password directly over LDAP
[Text.Encoding]::Unicode.GetBytes('"{0}"' -f $pwd)

Using PowerShell to reset user password directly over LDAP connection

You cannot set unicodePwd attribute using DirectoryEntry (ADSI) because the attribute is a write-only attribute and the ADSI library has some problems with it (unwilling to perform). So we resolve to LdapConnection:

[string] $login = 'domain-admin'
[string] $pwd = 'Pa$$w0rd'
[string] $ou = 'ou=company,dc=gopas,dc=virtual'
[string] $domain = 'gopas.virtual'
[string] $dc = 'dc'

$cred = New-Object System.Net.NetworkCredential $login, $pwd, $domain
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection ('{0}.{1}' -f $dc, $domain)
$conn.SessionOptions.Sealing = $true
$name = 'pc{0:X8}' -f $compID

$rndPwd = 'Pwd-{0:X8}-{1:X8}' -f (Get-Random -Minimum 0 -Maximum ([int]::MaxValue)), (Get-Random -Minimum 0 -Maximum ([int]::MaxValue))

$op = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$op.Name = 'unicodePwd'
[void] $op.Add([Text.Encoding]::Unicode.GetBytes(('"{0}"' -f $rndPwd)))
$op.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace

$req = New-Object System.DirectoryServices.Protocols.ModifyRequest('CN=jitka,OU=People,OU=Company,DC=gopas,DC=virtual', $op)
$res = $conn.SendRequest($req)

Using LDP tool to set the unicodePwd

With the GUI tool LDP you have a simpler method. You do not need to encode the attribute first, LDP will do it for you. Just prefix the value with \UNI:


Using LDIFDE to reset and change passwords

With LDIFDE, you can not only reset account passwords, you can also change passwords. Password change is a different operation than password reset from both security and technical point of view. To reset password you only supply the new password without even knowing the current one. Such an operation requires some higher administrative permission level. While any authenticated user can change passwords for any account provided he supplies the current one.

Password reset with LDF file and LDIFDE import command line tool (note that the LDAP connection must be encrypted):

dn: CN=Kamil,OU=People,OU=Company,DC=gopas,DC=virtual
changetype: modify
replace: unicodePwd
unicodePwd: newPasswordBase64EncodedUnicodeEnclosedinQuotations

Password change with LDF file and the LDIFDE tool:

dn: CN=Kamil,OU=People,OU=Company,DC=gopas,DC=virtual
changetype: modify
delete: unicodePwd
unicodePwd: oldPasswordBase64EncodedUnicodeEnclosedinQuotations
add: unicodePwd
unicodePwd: newPasswordBase64EncodedUnicodeEnclosedinQuotations

Other LDP prefixes for SID and GUID

Although not directly related, knowing that the LDP has the \UNI: switch, I used strings tool to find out that there are also other switches available for LDP:

  • \SID: - converts string SID (security identifier) to its binary form
  • \GUID: - converts string GUID to its binary form

So if you want to use a SID or GUID value in LDP tool, you can simply prefix the textual representation with the respective prefix and LDP take care of the rest. This can be useful for example in case of invalidateRidPool operational attribute which requires domain SID for its value.


There are no comments for this post.

Add Comment

Sorry comments are disable due to the constant load of spam *

This simple antispam field seems to work well. Just put here the number.


You do not need to provide any value this column. It will automatically fill with the name of the article itself.

Author *

Body *