Force All AD User Accounts to Change Passwords at Next Logon

April 3rd, 2014 by Admin

How can I force a domain user account to change its password at the next logon? Open the Active Directory Users and Computers MMC snap-in (DSA.MSC) by selecting Start -> Administrative Tools -> Active Directory Users and Computers, and locate the user you want. Right-click the account and select Properties. To force a password change, tick the “User must change password at next logon” checkbox.

[Screenshot: force-domain-user-to-change-password]

Now you might ask: is there a way to do this for all users in a single OU? In this post I will show how to use a simple PowerShell script to force all AD user accounts in an OU to change their password at next logon.

Tip: If you have forgotten the AD administrator password and are locked out of your domain controller, you can reset the password by booting the server from the PCUnlocker Live CD.

How to Force All AD User Accounts to Change Passwords at Next Logon?

Click Start and navigate to All Programs -> Accessories -> Windows PowerShell. Right-click Windows PowerShell and select Run as administrator from the context menu. (The Get-ADUser and Set-ADUser cmdlets come from the ActiveDirectory module, which is available on a domain controller or on a machine with the RSAT AD tools installed.)

Using the Get-ADUser and Set-ADUser cmdlets together, you can force all domain user accounts in an OU to change their passwords at next logon. For this demo I’m using the IT OU. The fully qualified domain name of our Windows domain is corp.top-password.com.

[Screenshot: active-directory-users]

The following command will force all users in the IT OU to change their password at next logon. Get-ADUser selects every user object under the OU, and each one is piped to Set-ADUser, which sets the flag (use straight quotes around the search base; curly quotes pasted from a web page may not parse):
Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -ChangePasswordAtLogon:$true

[Screenshot: windows-powershell]

However, this might lock some AD users out of their computers if the “User Cannot Change Password” attribute is set on their accounts: they would be required at logon to change a password they are not permitted to change. To avoid that problem, it’s better to also clear both the “User Cannot Change Password” and “Password never expires” attributes in the same command.

Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -ChangePasswordAtLogon:$true
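As an added example that is not part of the original post, the script below wraps the two commands above in a preview, dry-run and verify workflow: it lists which accounts in the OU carry the “Password never expires” or “User Cannot Change Password” attributes before anything is changed, supports -WhatIf so the run can be rehearsed, and afterwards confirms the flag was set by checking the pwdLastSet attribute (a value of 0 is how AD records “must change password at next logon”). The OU path is the one from the post; the function names and the decision to restrict the change to enabled accounts are this example’s own choices.

```powershell
# Added example (not from the original post): force every enabled user in one OU
# to change their password at next logon, with a preview step and a verification step.
# Assumptions: the ActiveDirectory module (RSAT) is available, and $OU is the OU from
# the post; change it to match your own domain.
Import-Module ActiveDirectory

$OU = 'OU=IT,DC=corp,DC=top-password,DC=com'   # OU used in the post; adjust for your domain

# Properties needed to spot accounts the change could lock out (CannotChangePassword)
# or that still have a non-expiring password, plus pwdLastSet for verification.
$props = 'PasswordNeverExpires', 'CannotChangePassword', 'pwdLastSet'

function Get-TargetUsers {
    # Only enabled accounts: disabled accounts cannot log on, so flagging them
    # just leaves a stale setting behind.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OU -Properties $props
}

function Show-Preview {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        [pscustomobject]@{
            SamAccountName       = $User.SamAccountName
            PasswordNeverExpires = $User.PasswordNeverExpires
            CannotChangePassword = $User.CannotChangePassword
            MustChangeAlready    = ($User.pwdLastSet -eq 0)   # 0 = flag already set
        }
    }
}

function Set-MustChangeAtNextLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $action = 'Clear CannotChangePassword/PasswordNeverExpires, require change at next logon'
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, $action)) {
            # Clear the two attributes in the same call, as the post recommends, so no
            # user is prompted for a change they are not allowed to make.
            Set-ADUser -Identity $User -CannotChangePassword $false `
                       -PasswordNeverExpires $false -ChangePasswordAtLogon $true
        }
    }
}

# 1) Preview: which accounts would be touched, and which carry the risky attributes.
Get-TargetUsers | Show-Preview | Format-Table -AutoSize

# 2) Dry run (nothing is changed); remove -WhatIf once the list looks right.
Get-TargetUsers | Set-MustChangeAtNextLogon -WhatIf
# Get-TargetUsers | Set-MustChangeAtNextLogon

# 3) Verify: after the real run, pwdLastSet should be 0 on every targeted account.
$notFlagged = Get-TargetUsers | Where-Object { $_.pwdLastSet -ne 0 }
if ($notFlagged) {
    Write-Warning 'These accounts were not flagged:'
    $notFlagged | Select-Object SamAccountName
} else {
    'All targeted accounts are flagged to change their password at next logon.'
}
```

Run the preview and the -WhatIf pass first; they are read-only and show exactly which accounts will be affected. The verification step uses pwdLastSet rather than re-reading a friendly property because a value of 0 is the attribute AD actually stores when the “must change password at next logon” flag is set, so it reflects what the domain controller will enforce at the user’s next logon.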

After executing the PowerShell command, all the targeted users will be forced to change their own password at their next logon. If you don’t want AD users to be able to set a blank password, set up a group policy for that purpose by following the steps described in our previous post: How to Change Active Directory Password Policy in Windows Server 2008.