In this article, you will learn how to set or clear the "change password at next logon" setting for Active Directory user accounts. I'll show you how to change this setting with PowerShell and the AD Pro Toolkit.
In addition, I’ll show you how to force change password at next logon for multiple user accounts.
Force Change Password at Next logon with PowerShell
In this example, I’ll use the Set-ADUser PowerShell cmdlet to set the password to change at next logon.
Step 1. Open PowerShell.
Step 2. Run the following command. Change <user> to the account's distinguished name (DN), GUID, SID or SAM account name (logon name).
Set-ADUser -Identity <User> -ChangePasswordAtLogon:$true
If the command succeeds it returns to the prompt with no output. In the example below I set change password at next logon for the user carlton.wehr using the account's sAMAccountName. One caveat: Set-ADUser rejects -ChangePasswordAtLogon $true on an account that has PasswordNeverExpires set, so clear that flag first or the command fails.
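The following is an added example, not code from the original article: it wraps the Set-ADUser call above in a small function that handles the PasswordNeverExpires precondition, supports -WhatIf, and reads the result back from the pwdLastSet attribute (AD stores "must change at next logon" as pwdLastSet = 0). It assumes the ActiveDirectory module (RSAT) is installed and that you have write rights on the target user; the function name and the account name carlton.wehr are placeholders.

```powershell
# Added example (not from the original article): force one account to change its
# password at next logon, honouring the precondition Set-ADUser enforces:
# ChangePasswordAtLogon cannot be $true while PasswordNeverExpires is set.
Import-Module ActiveDirectory

function Set-MustChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,   # DN, GUID, SID or sAMAccountName
        [switch] $ClearPasswordNeverExpires           # also remove the flag that blocks the change
    )

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, pwdLastSet

    if ($user.PasswordNeverExpires) {
        if (-not $ClearPasswordNeverExpires) {
            throw "$($user.SamAccountName) has PasswordNeverExpires set; Set-ADUser will reject ChangePasswordAtLogon. Re-run with -ClearPasswordNeverExpires."
        }
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $user -PasswordNeverExpires $false
        }
    }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Set ChangePasswordAtLogon')) {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    # Read the flag back. A pwdLastSet of 0 confirms the write landed on the DC
    # you are talking to; the computed PasswordLastSet property is $null while it is 0.
    $after = Get-ADUser -Identity $user -Properties pwdLastSet, PasswordLastSet
    [pscustomobject]@{
        SamAccountName        = $after.SamAccountName
        MustChangeAtNextLogon = ($after.pwdLastSet -eq 0)
        PasswordLastSet       = $after.PasswordLastSet
    }
}

# Usage (account name is a placeholder). Preview first, then apply.
Set-MustChangePasswordAtLogon -Identity 'carlton.wehr' -WhatIf
Set-MustChangePasswordAtLogon -Identity 'carlton.wehr'
```

Under -WhatIf the two Set-ADUser calls are skipped but the readback still runs, so you see the account's current state before committing to it.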
Option #2 Force Change Password at Next Logon for Multiple User Accounts
In this example, I’ll use the AD Pro Toolkit to force a password change at next logon for multiple user accounts.
Step 1: Create a CSV listing the user accounts that you want to change. You can use the toolkit or PowerShell to export AD users to CSV.
The CSV needs a sAMAccountName column containing the user accounts.
Step 2. Open the Bulk User Modification tool from the toolkit.
Click on Update Options and set the change password at next logon to true or false.
Next, select your csv template and click run.
How to Force Password Change at next logon for All Users
If you have had a security incident (for example, suspected credential compromise), you may need to require all users to change their password at next logon. Follow the steps below.
Step 1. Create a CSV with a list of users
You can export every user's sAMAccountName with the command below. Review the list before using it: -Filter * returns every user object in the domain, including service accounts and accounts with PasswordNeverExpires set, which Set-ADUser will not accept the change for.
Get-ADUser -Filter * | Select-Object SamAccountName | Export-Csv C:\it\all-users.csv -NoTypeInformation
Create a list with the toolkit. Click on the export users tool and click run (you can remove all columns except the samAccountName).
Change the sAMaccountName header to ID.
Step 2. Run Bulk User Modification Tool
Under the User Management Tools select “Bulk User Modification”.
Click on Update Options and select “Change password at next logon” and select “True”.
Now select the csv file and click run.
You can use these same steps to set the change password at next logon to false.
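The bulk steps above (both the "multiple users" and "all users" procedures) are driven through the toolkit's GUI. As an added example that is not the toolkit's or the article's own code, here is the equivalent in PowerShell: it reads the same sAMAccountName CSV, skips accounts you exclude (break-glass admins, and the account running the script so you do not force yourself out mid-incident), reports accounts with PasswordNeverExpires instead of failing on them, supports -WhatIf, and writes a per-account result file. The function name, the CSV path and the excluded account name are placeholders; it assumes the ActiveDirectory module and write rights on the users.

```powershell
# Added example (not from the original article or the AD Pro Toolkit): bulk-force
# "change password at next logon" from a CSV with a sAMAccountName column.
Import-Module ActiveDirectory

function Set-MustChangePasswordFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Column = 'sAMAccountName',   # header used by the article's export
        [string[]] $Exclude = @()               # accounts to leave alone, e.g. break-glass admins
    )

    # Never force the account running the script; you may need that session
    # for the rest of the incident response.
    $self = $env:USERNAME

    $results = foreach ($row in Import-Csv -Path $Path) {
        $name = $row.$Column
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        $status = 'Set'
        try {
            if ($name -in $Exclude -or $name -ieq $self) {
                $status = 'Skipped (excluded)'
            }
            else {
                $u = Get-ADUser -Identity $name -Properties PasswordNeverExpires
                if ($u.PasswordNeverExpires) {
                    # Set-ADUser rejects ChangePasswordAtLogon on these accounts;
                    # surface them rather than silently failing part of the list.
                    $status = 'Skipped (PasswordNeverExpires)'
                }
                elseif ($PSCmdlet.ShouldProcess($name, 'Set ChangePasswordAtLogon')) {
                    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
                }
                else {
                    $status = 'WhatIf'
                }
            }
        }
        catch {
            # Typically: account not found, or insufficient rights on that object.
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ SamAccountName = $name; Status = $status }
    }

    # Keep a record of what was and was not changed next to the input file.
    $results | Export-Csv -Path ($Path -replace '\.csv$', '-result.csv') -NoTypeInformation
    $results
}

# Usage (paths and names are placeholders): preview, then run for real.
Set-MustChangePasswordFromCsv -Path 'C:\it\all-users.csv' -Exclude 'breakglass-admin' -WhatIf |
    Group-Object Status | Select-Object Name, Count
Set-MustChangePasswordFromCsv -Path 'C:\it\all-users.csv' -Exclude 'breakglass-admin'
```

The accounts reported as "Skipped (PasswordNeverExpires)" need a decision rather than a blind flag change: either clear PasswordNeverExpires and re-run, or reset their passwords directly, since Set-ADUser will not set ChangePasswordAtLogon while the flag is present.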
Use the steps below to report on, and verify, that change password at next logon has been set.
Find Users That Must Change Password at Next Logon (Report)
You can use the AD Pro Toolkit to run a report on which users have the change password at next logon value set to true.
Click on User Reports -> Password Reports -> Users that must change password at next logon.
Click run to generate the report.
You can export this report to CSV, Excel or PDF.
Change Password At Next Logon Status Report with PowerShell
Although Set-ADUser can set the ChangePasswordAtLogon value, Get-ADUser does not expose a matching property to read it back.
The setting is stored in the pwdLastSet attribute, which Get-ADUser surfaces as PasswordLastSet. When an account is set to change its password at next logon, pwdLastSet is 0. The drawback is that pwdLastSet is also 0 on an account whose password has never been set; that is still useful, since you probably do not want any accounts without a password. One more caveat: pwdLastSet = 0 only forces a change when the account does not have "password never expires" set; on such accounts the user is never prompted, so include PasswordNeverExpires in the report.
Get-ADUser -Filter 'pwdLastSet -eq 0' -Properties PasswordLastSet, PasswordNeverExpires | Select-Object Name, SamAccountName, PasswordLastSet, PasswordNeverExpires
In the screenshot below you can see the PasswordLastSet value is blank: the computed property is empty whenever the underlying pwdLastSet attribute is 0.
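The one-liner above lists the accounts but leaves you to interpret them. As an added example that is not part of the original article, the report below queries the same pwdLastSet = 0 condition and classifies each hit: accounts the flag actually enforces on, accounts where PasswordNeverExpires makes it ineffective, disabled accounts, and accounts that have never logged on (usually new or password-less accounts rather than forced resets). It assumes the ActiveDirectory module; the function name, the optional OU and the output path are placeholders. LastLogonDate is the replicated lastLogonTimestamp and can lag real logons by up to the replication interval (14 days by default), so treat that column as approximate.

```powershell
# Added example (not from the original article): report on pwdLastSet = 0, the
# attribute behind "User must change password at next logon", and separate the
# accounts the flag actually affects from those it does not.
Import-Module ActiveDirectory

function Get-MustChangePasswordReport {
    [CmdletBinding()]
    param([string] $SearchBase)   # optional OU distinguished name to scope the query

    $params = @{
        # Filter on the raw LDAP attribute; the computed PasswordLastSet property
        # is for display, pwdLastSet is what the DC evaluates.
        Filter     = 'pwdLastSet -eq 0'
        Properties = 'pwdLastSet', 'PasswordNeverExpires', 'Enabled', 'whenCreated', 'LastLogonDate'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $state = if ($_.PasswordNeverExpires) {
            # pwdLastSet = 0 only forces a change when the account does NOT have
            # "password never expires". These users will never be prompted.
            'NotEnforced (PasswordNeverExpires)'
        } elseif (-not $_.Enabled) {
            'Disabled'
        } elseif (-not $_.LastLogonDate) {
            # No logon ever recorded: typically a newly created account, or one
            # created without a password, rather than a forced reset.
            'MustChange (never logged on)'
        } else {
            'MustChange'
        }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            Name                 = $_.Name
            Enabled              = $_.Enabled
            PasswordNeverExpires = $_.PasswordNeverExpires
            LastLogonDate        = $_.LastLogonDate
            WhenCreated          = $_.whenCreated
            State                = $state
        }
    }
}

# Usage (output path is a placeholder): summary on screen, detail to CSV.
$report = Get-MustChangePasswordReport
$report | Group-Object State | Select-Object Name, Count
$report | Export-Csv -Path 'C:\it\must-change-report.csv' -NoTypeInformation
```

After a fleet-wide forced change, the "NotEnforced (PasswordNeverExpires)" rows are the ones to act on: either clear the flag so the prompt takes effect, or reset those passwords directly.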
User must change password at next logon in ADUC
You can manually check a single account with the Active Directory Users and Computers tool.
Open a user account and click the “Account” Tab. Under the account options you will see the “User must change password at next logon” option. If it is checked then it is enabled.