Force Change Password at Next Logon for Active Directory Users

In this article, you will learn how to set or disable the change password at next logon setting for Active Directory user accounts. I’ll show you how to change this setting with PowerShell and the AD Pro Toolkit.

In addition, I’ll show you how to force change password at next logon for multiple user accounts.

Force Change Password at Next logon with PowerShell

In this example, I’ll use the Set-ADUser PowerShell cmdlet to set the password to change at next logon.

Step 1. Open PowerShell on a machine that has the ActiveDirectory module installed (it ships with RSAT and is present on domain controllers).

Step 2. Run the following command. Change <User> to the account's distinguished name, objectGUID, SID or sAMAccountName (logon name).

Set-ADUser -Identity <User> -ChangePasswordAtLogon:$true

If the command is successful it returns to the prompt without output. In the example below I set the change password at next logon flag for the user carlton.wehr using the account's sAMAccountName. Note that Set-ADUser will not set ChangePasswordAtLogon to true on an account whose PasswordNeverExpires property is true; clear that option first.

Option #2 Force Change Password at Next Logon for Multiple User Accounts

In this example, I’ll use the AD Pro Toolkit to force a password change at next logon for multiple user accounts.

Step 1: Create a CSV and enter the user accounts that you want to change. You can use the toolkit or PowerShell to export AD users to CSV.

The CSV needs a sAMAccountName column listing the user accounts to change.

Step 2. Open the Bulk User Modification tool from the toolkit.

Click on Update Options and set the change password at next logon to true or false.

Next, select your CSV template and click Run.

How to Force Password Change at next logon for All Users

If you have had a security incident, such as suspected credential theft, you may need to require all users to change their password at next logon. Follow the steps below. Keep in mind that setting this flag does not end existing sessions or invalidate Kerberos tickets that have already been issued; those remain usable until they expire, so for accounts known to be compromised you should also reset the password outright.

Step 1. Create a CSV with a list of users

You can export all users samAccountName with the command below.

Get-ADUser -Filter * | Select-Object sAMAccountName | Export-Csv C:\it\all-users.csv -NoTypeInformation

Alternatively, create the list with the toolkit: click on the Export Users tool and click Run (you can remove all columns except sAMAccountName).

Change the sAMaccountName header to ID.

Step 2. Run Bulk User Modification Tool

Under the User Management Tools select “Bulk User Modification”.

Click on Update Options and select “Change password at next logon” and select “True”.

Now select the CSV file and click Run.

You can use these same steps to set the change password at next logon to false.
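The same bulk change can be done without the toolkit. The script below is an added example, not code from the original article or from the AD Pro Toolkit: it reads the CSV exported above (it assumes the column header is still sAMAccountName, as Get-ADUser exports it), sets or clears the change password at next logon flag for each account, supports a -WhatIf dry run, skips accounts that Set-ADUser would reject because PasswordNeverExpires is set, and records a result per account. It assumes the RSAT ActiveDirectory module is available and you run it with write access to the users; the default exclusion list and file paths are assumptions.

```powershell
# Added example (not from the original article): PowerShell-only alternative to the
# Bulk User Modification tool. Assumes the RSAT ActiveDirectory module and a CSV whose
# header is sAMAccountName. The exclusion list and paths are assumed placeholders.
Import-Module ActiveDirectory

function Set-MustChangePasswordFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,                                  # CSV with a sAMAccountName column

        [bool] $Value = $true,                           # $false clears the flag again

        # Accounts a bulk run should never touch. Assumed default list; adjust for your domain.
        [string[]] $Exclude = @('krbtgt', 'Administrator', 'Guest')
    )

    foreach ($row in Import-Csv -Path $Path) {
        $sam = $row.sAMAccountName
        if ([string]::IsNullOrWhiteSpace($sam)) { continue }   # skip blank rows

        $result = [pscustomobject]@{ sAMAccountName = $sam; Status = '' }

        if ($Exclude -contains $sam) {
            $result.Status = 'Skipped (excluded)'
            $result
            continue
        }

        try {
            $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires -ErrorAction Stop
        }
        catch {
            $result.Status = "Lookup failed: $($_.Exception.Message)"
            $result
            continue
        }

        # Set-ADUser refuses ChangePasswordAtLogon=$true while PasswordNeverExpires is set,
        # so report these instead of letting the run fail part-way through.
        if ($Value -and $user.PasswordNeverExpires) {
            $result.Status = 'Skipped (PasswordNeverExpires is set)'
            $result
            continue
        }

        if (-not $PSCmdlet.ShouldProcess($sam, "Set ChangePasswordAtLogon to $Value")) {
            continue    # -WhatIf: ShouldProcess already printed what would happen
        }

        try {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $Value -ErrorAction Stop

            # Re-read pwdLastSet to confirm the write landed: 0 means the flag is set.
            $after = (Get-ADUser -Identity $user -Properties pwdLastSet).pwdLastSet
            $flagSet = ($after -eq 0)
            if ($flagSet -eq $Value) { $result.Status = 'OK' } else { $result.Status = 'Verify failed' }
        }
        catch {
            $result.Status = "Set failed: $($_.Exception.Message)"
        }
        $result
    }
}

# Dry run first: lists each account that would be changed and each one that would be skipped.
Set-MustChangePasswordFromCsv -Path 'C:\it\all-users.csv' -WhatIf

# Apply, and keep a record of what happened to every account.
Set-MustChangePasswordFromCsv -Path 'C:\it\all-users.csv' |
    Export-Csv -Path 'C:\it\force-change-results.csv' -NoTypeInformation
```

Run the -WhatIf pass and read the skipped rows before applying: accounts with PasswordNeverExpires are usually service accounts, and forcing a password change on those at scale is a good way to cause an outage rather than fix one. Pass -Value $false with the same CSV to clear the flag again.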

Use the steps below to report on, and verify, which accounts have the change password at next logon flag set.

Find Users That Must Change Password at Next Logon (Report)

You can use the AD Pro Toolkit to run a report on which users have the change password at next logon value set to true.

Click on User Reports -> Password Reports -> Users that must change password at next logon.

Click run to generate the report.

(Screenshot: change password at next logon report)

You can export this report to CSV, Excel or PDF.

Change Password At Next Logon Status Report with PowerShell

Although you can use the Set-ADUser cmdlet to set the ChangePasswordAtLogon value, Get-ADUser does not expose a matching property you can query directly.

One option is to check the PasswordLastSet value, which is the friendly form of the pwdLastSet attribute. When an account is set to change password at next logon, pwdLastSet is 0 and PasswordLastSet displays as blank. The only drawback is that pwdLastSet is also 0 when the account has never had a password set, so the query returns both kinds of account. That is still useful, since you probably don't want any accounts with no password set either.

Get-ADUser -Properties PasswordLastSet -Filter "PasswordLastSet -eq '0'" | Select-Object Name, PasswordLastSet

In the screenshot below you can see the PasswordLastSet value is blank.
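A fuller PowerShell report, added here as an example rather than taken from the original article or the toolkit, filters on the raw pwdLastSet attribute and adds the context you need to read the result: whether the account is enabled, whether PasswordNeverExpires is set, and whether it has ever logged on, which is the best available hint for separating "flag set on a working account" from "never had a password". It assumes the RSAT ActiveDirectory module; the -SearchBase value and output path are assumed placeholders.

```powershell
# Added example (not from the original article): report accounts with pwdLastSet = 0.
# Assumes the RSAT ActiveDirectory module. SearchBase and the output path are placeholders.
Import-Module ActiveDirectory

function Get-MustChangePasswordReport {
    param(
        [string] $SearchBase      # optional OU to limit the search, e.g. 'OU=Users,DC=example,DC=com'
    )

    $query = @{
        # pwdLastSet is the raw attribute behind PasswordLastSet; 0 means "must change at next
        # logon" (or no password was ever set). Filtering on it avoids the DateTime conversion.
        Filter     = 'pwdLastSet -eq 0'
        Properties = 'pwdLastSet', 'PasswordNeverExpires', 'LastLogonDate', 'whenCreated'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        # LastLogonDate comes from lastLogonTimestamp, which replicates at most every 14 days,
        # so it is only good enough to tell "has used this account" from "never logged on".
        if ($null -eq $_.LastLogonDate) {
            $note = 'Never logged on: may simply have no password set'
        }
        else {
            $note = 'Has logged on before: flag was set by an admin or a password reset'
        }

        [pscustomobject]@{
            Name                 = $_.Name
            sAMAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            PasswordNeverExpires = $_.PasswordNeverExpires
            LastLogonDate        = $_.LastLogonDate
            Created              = $_.whenCreated
            Note                 = $note
        }
    }
}

# Show enabled accounts first, then save the full report next to the CSV exports.
$report = @(Get-MustChangePasswordReport)
$report | Sort-Object Enabled -Descending | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\it\must-change-password.csv' -NoTypeInformation
'{0} account(s) have pwdLastSet = 0 ({1} enabled)' -f $report.Count, @($report | Where-Object Enabled).Count
```

After a bulk force-change, run this report and diff it against the CSV you fed in: every account from the CSV that was not skipped should appear, and any enabled account that shows up with PasswordNeverExpires set is one the flag could not have been applied to.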

User must change password at next logon in ADUC

You can manually check a single account with the Active Directory Users and Computers tool.

Open a user account and click the “Account” Tab. Under the account options you will see the “User must change password at next logon” option. If it is checked then it is enabled.
