
Purpose of Knowledge Article:

  • To guide users through resetting an expired or forgotten Windows Active Directory password (AD password)
  • If you are looking for help with a Local User Account on Windows 10, see Local User Account on Windows 10
  • Your AD account will lock you out for 10 minutes after five incorrect password attempts

Resolution:

Read the entire instruction first.


Update/reset AD Password

Best Practice For Windows System Users to Change AD Password  

  1. First, check whether your computer is domain-joined or standalone. This determines the best method to use to update your AD password.

    Check if a Windows System is Domain-joined or Standalone


    If your computer is domain-joined, start at Step 2. Continue to Step 3 only if Step 2 fails.

    If your computer is standalone, start at Step 3.
      

  2. Use the Windows built-in password change feature.

    Requirements:
    • You must be able to log in to your Windows computer
    • If you are not connected to the lab network with an ethernet cable or the lbnl-employee WiFi, you must connect to the Lab VPN first
    • You must know your current AD password

    Steps:
    1. Log in to the computer with your AD credential
    2. Press Ctrl+Alt+Del on the keyboard and select Change a Password
    3. Type in your current AD password and pick your new AD password

  3. Connect to the Lab VPN. Go to https://password.lbl.gov/ and select "I would like to change my Windows Active Directory (AD) password".
    • You must know your current AD password.

  4. ONLY use https://adaccounts.identity.lbl.gov/ if the above steps do not work, the AD password is expired or forgotten, or your Windows computer is standalone.
    • Follow the Reset AD Password instructions below, and connect to the Lab VPN before starting if you are not on lbnl-employee WiFi or hard-wired to the lab network.

      Reset AD password

      1. Go to https://adaccounts.identity.lbl.gov and log in using your Berkeley Lab Identity credential. Note: Using Google Chrome in Incognito is recommended.

      2. Under the Password Expires column, click on Set for the account that you want to reset the password for

      3. Create a password that meets the requirement. Make sure to type the same password again in the Repeat password field

      4. Click Set Password

      5. You will get a message saying "Your account password has been set"
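
Step 1 asks whether the computer is domain-joined or standalone, and Step 2 also requires the lab network or the Lab VPN. The PowerShell below is an added example, not part of the original article or an LBL tool: it reads the join state from Win32_ComputerSystem, uses nltest to see whether a domain controller can be located, and reports which step to start with. The function name Get-AdPasswordStartStep and the message wording are assumptions.

```powershell
# Added example (not from the original article).
# Get-AdPasswordStartStep is a hypothetical helper name.
function Get-AdPasswordStartStep {
    # Win32_ComputerSystem.PartOfDomain is True only for domain-joined machines.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{
            DomainJoined = $false
            Domain       = $null
            DcReachable  = $false
            StartAt      = 'Step 3 (standalone computer)'
        }
    }

    # Step 2 needs a reachable domain controller (lab network or VPN).
    # nltest ships with Windows; exit code 0 means a DC was located.
    $dcArg = "/dsgetdc:$($cs.Domain)"
    & nltest.exe $dcArg 2>&1 | Out-Null
    $dcReachable = ($LASTEXITCODE -eq 0)

    $startAt = if ($dcReachable) {
        'Step 2 (Ctrl+Alt+Del, Change a Password)'
    } else {
        'Connect to the Lab VPN first, then Step 2'
    }

    [pscustomobject]@{
        DomainJoined = $true
        Domain       = $cs.Domain
        DcReachable  = $dcReachable
        StartAt      = $startAt
    }
}

Get-AdPasswordStartStep | Format-List
```

Run it in a normal (non-elevated) PowerShell window on the computer you sign in to.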


Best Practice for Mac User to change AD Password

  • If you only use a Mac computer, try the following:

    1. Use https://password.lbl.gov/ and select "I would like to change my Windows Active Directory (AD) password"
      1. This method only works if you know your current AD password and it has not expired
    2. Use the AD Management tool and follow the Reset AD Password section above
  • If you use a secondary Windows computer or have a Windows VM on your Mac, follow the instructions under Best Practice For Windows System User



Activate AD Account

  • To activate AD account, see Activate AD Account below

    Activate AD Account


    1. Go to https://adaccounts.identity.lbl.gov and log in using your Berkeley Lab Identity credential. Note: Using Google Chrome in Incognito is recommended.

    2. Under the Status column, next to the word Inactive, click on the blue Activate link for the account you want to activate

    3. Create a password that meets the requirement. Make sure to type the same password again in the Repeat password field

       Do not include your name or username in the password. It will give you an error.

    4. Click on Activate

    5. You will get a message saying "Your account has been activated"


Create AD Service Account

  • Most LBL staff have an AD service account that was created when they were hired. This tool is only used to request additional accounts under limited conditions.
  • If you don't know if you need it, you probably don't.
  • To create an AD Service account, see Create AD Service Account below

    Create a new AD service account


    1. Go to https://adaccounts.identity.lbl.gov and log in using your Berkeley Lab Identity credential. Once logged in, click on "Add a new account" on the bottom left of the page. Note: Using Google Chrome in Incognito is recommended.

    2. Select the type of AD account you are creating

       Go here to understand each account type

    3. Type in the username you want to use

    4. Enter the two sponsors for the AD account, one in each field. You can search for the sponsor by using their name or username

       Add the sponsor by typing the first name, last name, or username.

    5. Create a new password that meets the requirement. Make sure to type the same password again in the Repeat password field

    6. Click Create

    7. You will get a message on the top saying "Your account "username" was created"

    For some AD account types, you will need to wait for OU Admin to assign the correct permissions and move the account to the correct OU before the account becomes accessible. Email your OU Admin and provide them with your LBNL AD account and the account you just created so they can help process the request. If you do not know who your OU admin is, email [email protected] with your LBL AD account and the account you just created.