In this article, you will learn how to enable the "User must change password at next logon" option for single and multiple AD user accounts.
In addition, I'll show you how to force all users to change their password at next logon.
In this article:
- Enable User Must Change Password at Next logon with PowerShell
- Easily Force All Users to Change Password at Next Logon
- Get List of Users with Change Password at Next Logon Enabled
- Change Password at Next Logon Status Report with PowerShell
Enable User Must Change Password at Next logon with PowerShell
In this example, I’ll use the Set-ADUser PowerShell cmdlet to set the password to change at next logon.
Step 1. Open PowerShell.
Step 2. Run the following command. Replace <User> with the account's distinguished name, GUID, SID or sAMAccountName (logon name).
Set-ADUser -Identity <User> -ChangePasswordAtLogon:$true
If the command succeeds it returns to the prompt with no output. In the example below I set change password at next logon for the user carlton.wehr using the account's sAMAccountName. Note that Set-ADUser rejects -ChangePasswordAtLogon $true on an account that has "Password never expires" set, so clear that option first if the command errors.
Easily Force All Users to Change Password at Next Logon
In this example, I’ll use the AD Pro Toolkit to force a password change at next logon for multiple user accounts. You might need to force multiple users to change their password due to a security incident or policy requirements.
Step 1. Create a CSV with a list of users
You can export every user's sAMAccountName with the command below (-NoTypeInformation keeps the #TYPE header line out of the file). You can also use the Export AD Users tool to export all users or selected users to a CSV file.
Get-ADUser -Filter * | Select-Object SamAccountName | Export-Csv C:\it\all-users.csv -NoTypeInformation
You only need a CSV file with one sAMAccountName (logon name) per row, like the one below.
Step 2. Run Bulk User Modification Tool
Under the User Management Tools select “Bulk Modify Users”.
Click "Update Options" and set "Change password at next logon" to "True".
Next, select your CSV file and click Run.
In the screenshot above you can see I enabled change password at next logon for 42 user accounts. With the toolkit you can easily enable or disable multiple user account options:
- Enable change password at next logon
- Disable change password at next logon
- User cannot change password
- Password never expires
- Account Status
- Bulk reset passwords
Download AD Pro Toolkit and see how easy it is to manage AD user accounts.
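If you would rather do the bulk change in PowerShell, the following is an added example (not code from this article or from the AD Pro Toolkit) that covers both the single-account Set-ADUser step above and the CSV workflow in this section: it reads the logon names from a CSV, skips or fixes accounts where "Password never expires" would make Set-ADUser fail, verifies each change by reading pwdLastSet back, and records the outcome per account. It assumes the RSAT ActiveDirectory module; the function name, the -ClearPasswordNeverExpires switch, the SamAccountName column name and the file paths are my own assumptions.

```powershell
# Added example, not from the article or the AD Pro Toolkit. Assumes the RSAT
# ActiveDirectory module and a CSV with a SamAccountName column (the column
# name and the paths below are assumptions).
Import-Module ActiveDirectory

function Set-ChangePasswordAtLogonFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $CsvPath,

        # CSV column holding the logon name
        [string] $Column = 'SamAccountName',

        # Set-ADUser rejects -ChangePasswordAtLogon $true while "Password never
        # expires" is set on the account; this switch clears that option first.
        [switch] $ClearPasswordNeverExpires
    )

    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.$Column
        if ([string]::IsNullOrWhiteSpace($sam)) { continue }

        try {
            $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires -ErrorAction Stop
        } catch {
            [pscustomobject]@{ SamAccountName = $sam; Status = 'NotFound'; Detail = $_.Exception.Message }
            continue
        }

        if ($user.PasswordNeverExpires) {
            if (-not $ClearPasswordNeverExpires) {
                [pscustomobject]@{ SamAccountName = $sam; Status = 'Skipped'; Detail = 'PasswordNeverExpires is set' }
                continue
            }
            if ($PSCmdlet.ShouldProcess($sam, 'Clear PasswordNeverExpires')) {
                Set-ADUser -Identity $user -PasswordNeverExpires $false
            }
        }

        # -WhatIf on the function stops here, so nothing is written during a dry run
        if (-not $PSCmdlet.ShouldProcess($sam, 'Set ChangePasswordAtLogon')) { continue }

        try {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
            # The option is stored as pwdLastSet = 0; read it back to confirm the change.
            $after  = Get-ADUser -Identity $user -Properties pwdLastSet
            $status = if ($after.pwdLastSet -eq 0) { 'Set' } else { 'VerifyFailed' }
            [pscustomobject]@{ SamAccountName = $sam; Status = $status; Detail = '' }
        } catch {
            [pscustomobject]@{ SamAccountName = $sam; Status = 'Error'; Detail = $_.Exception.Message }
        }
    }
}

# Dry run first (nothing is changed), then apply and keep the results as a record.
Set-ChangePasswordAtLogonFromCsv -CsvPath 'C:\it\all-users.csv' -WhatIf
Set-ChangePasswordAtLogonFromCsv -CsvPath 'C:\it\all-users.csv' -ClearPasswordNeverExpires |
    Export-Csv -Path 'C:\it\change-at-logon-results.csv' -NoTypeInformation
```

Run the -WhatIf pass first during an incident so you can see which accounts would be skipped because of "Password never expires" before anything is written; the results CSV is what you hand to whoever needs evidence that the forced change was applied.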
Get List of Users with User Must Change Password at Next Logon Enabled (Report)
The toolkit includes hundreds of Active Directory Reports on users, passwords, logons, groups and much more.
Below is an example of how to get a list of users that have change password at next logon enabled.
Click on Password Reports > Users with change password at next logon
Click run to generate the report.
You can export this report to csv, excel or pdf.
Change Password at Next Logon Status Report with PowerShell
Although Set-ADUser can set the option through its -ChangePasswordAtLogon parameter, Get-ADUser exposes no matching property to query it.
The option is stored in the pwdLastSet attribute: when an account is set to change password at next logon, pwdLastSet is 0 and the derived PasswordLastSet property is blank. The one drawback is that pwdLastSet is also 0 for an account whose password has never been set, so the query below returns both. That is still useful, since you probably don't want any accounts without a password set either.
Get-ADUser -Filter 'pwdLastSet -eq 0' -Properties pwdLastSet, PasswordLastSet | Select-Object Name, PasswordLastSet
In the screenshot below you can see the PasswordLastSet value is blank for these accounts.
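Here is an added example (not from the article or the AD Pro Toolkit) that turns the pwdLastSet query into a report you can scope to an OU and export, with the extra columns needed to tell a forced change from a password that was never set. It assumes the RSAT ActiveDirectory module; the function name, the LikelyState heuristic and the output path are my assumptions.

```powershell
# Added example, not from the article or the AD Pro Toolkit. Assumes the RSAT
# ActiveDirectory module; the output path and the LikelyState heuristic are assumptions.
Import-Module ActiveDirectory

function Get-ChangePasswordAtLogonReport {
    param(
        # Optional OU distinguished name to scope the query
        [string] $SearchBase,
        [switch] $EnabledOnly
    )

    $query = @{
        # The option is stored as pwdLastSet = 0; PasswordLastSet is derived from it
        Filter     = 'pwdLastSet -eq 0'
        Properties = 'pwdLastSet', 'PasswordLastSet', 'whenCreated', 'LastLogonDate',
                     'PasswordNeverExpires', 'Enabled'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query |
        Where-Object { -not $EnabledOnly -or $_.Enabled } |
        Select-Object Name, SamAccountName, Enabled, PasswordLastSet, whenCreated,
            LastLogonDate, PasswordNeverExpires,
            @{ Name = 'LikelyState'; Expression = {
                # Heuristic only: pwdLastSet = 0 cannot distinguish the two cases by
                # itself. An account that has never logged on may never have had a
                # password set; an account with logon history was most likely flagged
                # to change at next logon. LastLogonDate replicates with a delay of up
                # to 14 days, so treat this column as a triage hint, not a verdict.
                if ($null -eq $_.LastLogonDate) { 'NeverLoggedOn-CheckPasswordSet' }
                else { 'MustChangeAtNextLogon' }
            } }
}

# Whole domain, enabled accounts only, exported for review
Get-ChangePasswordAtLogonReport -EnabledOnly |
    Sort-Object LikelyState, Name |
    Export-Csv -Path 'C:\it\change-at-next-logon-report.csv' -NoTypeInformation
```

Pass -SearchBase with an OU distinguished name to limit the report to one part of the directory; the NeverLoggedOn rows are the ones to check by hand, since an enabled account with no password set is a bigger problem than a pending forced change.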
With the AD Pro Toolkit this is not an issue, and you can easily create a list of users that have change password at next logon enabled.
Download AD Pro Toolkit and try these reports for free.
User must change password at next logon in ADUC
You can manually check a single account with the Active Directory Users and Computers tool.
Open the user's properties and click the "Account" tab. Under "Account options" you will see the "User must change password at next logon" checkbox. If it is checked, the option is enabled.