Nextcloud local accounts sometimes need a server-side password reset when email recovery is unavailable, the web session is inaccessible, or an administrator is recovering an account after a lockout. The occ user command changes the password directly from the server without sending a reset email.

The account must belong to a backend where Nextcloud can store the password. LDAP, SAML, and other external identities usually need a reset in the identity provider, while Database accounts can be changed with user:resetpassword.

On many Debian and Ubuntu installations, the occ path is /var/www/nextcloud/occ and the HTTP user is www-data. A password reset does not remove disabled status, group membership, quota, or two-factor authentication requirements, so verify the account record and perform one login check after the command succeeds.

Steps to reset a Nextcloud user password with occ:

  1. Check the target Nextcloud account record.
    $ sudo -u www-data php /var/www/nextcloud/occ user:info ada
      - user_id: ada
      - display_name: ada
      - enabled: true
      - groups:
      - quota: none
      - storage:
    ##### snipped #####
      - backend: Database

    Stop if the account is not the expected user, is disabled for a reason that still needs review, or shows an external identity backend such as LDAP or SAML. Reset those passwords in the identity provider unless the deployment explicitly stores a local password for that account.

  2. Reset the password interactively.
    $ sudo -u www-data php /var/www/nextcloud/occ user:resetpassword ada
    Enter a new password:
    Confirm the new password:
    Successfully reset password for ada

    The prompt does not echo the password. For automation, set OC_PASS in a protected environment and add --password-from-env instead of placing the new password directly in shell history.

  3. Confirm the account record still shows the expected local account state.
    $ sudo -u www-data php /var/www/nextcloud/occ user:info ada
      - user_id: ada
      - display_name: ada
      - enabled: true
      - groups:
      - quota: none
      - storage:
    ##### snipped #####
      - backend: Database
  4. Test a WebDAV login with the new password.
    $ curl --silent --show-error --user ada --request PROPFIND --header "Depth: 0" --output /dev/null --write-out "%{http_code}\n" https://cloud.example.com/remote.php/dav/files/ada/
    Enter host password for user 'ada':
    207

    HTTP status 207 means the account authenticated and the WebDAV collection answered. Use the browser sign-in page instead when two-factor authentication or a login policy prevents password-only WebDAV authentication.