Nextcloud local accounts sometimes need a server-side password reset when email recovery is unavailable, the web session is inaccessible, or an administrator is recovering an account after a lockout. The occ user command changes the password directly from the server without sending a reset email.
The account must belong to a backend where Nextcloud can store the password. LDAP, SAML, and other external identities usually need a reset in the identity provider, while Database accounts can be changed with user:resetpassword.
On many Debian and Ubuntu installations, the occ path is /var/www/nextcloud/occ and the HTTP user is www-data. A password reset does not remove disabled status, group membership, quota, or two-factor authentication requirements, so verify the account record and perform one login check after the command succeeds.
Related: How to run Nextcloud occ commands
Related: How to create a Nextcloud user
Steps to reset a Nextcloud user password with occ:
- Check the target Nextcloud account record.
$ sudo -u www-data php /var/www/nextcloud/occ user:info ada - user_id: ada - display_name: ada - enabled: true - groups: - quota: none - storage: ##### snipped ##### - backend: Database
Stop if the account is not the expected user, is disabled for a reason that still needs review, or shows an external identity backend such as LDAP or SAML. Reset those passwords in the identity provider unless the deployment explicitly stores a local password for that account.
- Reset the password interactively.
$ sudo -u www-data php /var/www/nextcloud/occ user:resetpassword ada Enter a new password: Confirm the new password: Successfully reset password for ada
The prompt does not echo the password. For automation, set OC_PASS in a protected environment and add --password-from-env instead of placing the new password directly in shell history.
- Confirm the account record still shows the expected local account state.
$ sudo -u www-data php /var/www/nextcloud/occ user:info ada - user_id: ada - display_name: ada - enabled: true - groups: - quota: none - storage: ##### snipped ##### - backend: Database
- Test a WebDAV login with the new password.
$ curl --silent --show-error --user ada --request PROPFIND --header "Depth: 0" --output /dev/null --write-out "%{http_code}\n" https://cloud.example.com/remote.php/dav/files/ada/ Enter host password for user 'ada': 207HTTP status 207 means the account authenticated and the WebDAV collection answered. Use the browser sign-in page instead when two-factor authentication or a login policy prevents password-only WebDAV authentication.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.