PowerShell command to force a user to change their password at next logon:
Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true
The -Identity parameter specifies the Active Directory user to modify. You can identify a user by its samAccountName, distinguished name (DN), GUID or SID. Under the hood this sets the user's pwdLastSet attribute to 0. Note that Set-ADUser will not set this flag on an account that has PasswordNeverExpires enabled; clear that flag first (Set-ADUser -PasswordNeverExpires $false) or the command fails.
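The following is an added example, not code from the original post, showing the single-user command wrapped so that it checks the PasswordNeverExpires conflict first, supports -WhatIf, and re-reads pwdLastSet afterwards to confirm the flag really landed. The user name 'jdoe' and the function name are placeholders.

```powershell
# Added example (not from the original post). Assumes an AD user 'jdoe' exists
# and the caller has write access to it; the function name is hypothetical.
Import-Module ActiveDirectory

function Set-MustChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # pwdLastSet and PasswordNeverExpires are not in Get-ADUser's default
    # property set, so request them explicitly.
    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires

    # Set-ADUser refuses to combine ChangePasswordAtLogon with PasswordNeverExpires;
    # fail early with a clear message instead of an opaque AD error.
    if ($user.PasswordNeverExpires) {
        throw "$($user.SamAccountName) has PasswordNeverExpires set; clear it first with Set-ADUser -PasswordNeverExpires `$false"
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Require password change at next logon')) {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true

        # Re-read the attribute: the "must change password" flag is pwdLastSet = 0.
        $after = Get-ADUser -Identity $user -Properties pwdLastSet
        [pscustomobject]@{
            SamAccountName   = $after.SamAccountName
            pwdLastSetBefore = $user.pwdLastSet
            pwdLastSetAfter  = $after.pwdLastSet
            Applied          = ($after.pwdLastSet -eq 0)
        }
    }
}

# Preview the change first, then apply it.
Set-MustChangePasswordAtLogon -Identity 'jdoe' -WhatIf
Set-MustChangePasswordAtLogon -Identity 'jdoe'
```

The returned object shows pwdLastSet before and after, so a run that silently did nothing (for example because the account was already flagged) is visible at a glance.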
Set Users in a Specific OU
You can select AD users from a specific OU and set "user must change password at next logon" on them by combining the Get-ADUser and Set-ADUser cmdlets. Scope the query to a target OU with the -SearchBase parameter of Get-ADUser; by default it searches the whole subtree beneath that OU, so add -SearchScope OneLevel if you only want the OU itself. The following command selects all users in the Organizational Unit 'TestOU' and sets their pwdLastSet attribute to 0.
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" | Set-ADUser -ChangePasswordAtLogon:$True
Update Specific set of AD Users with Filter
You can filter a specific set of AD users by passing a PowerShell expression (similar to a SQL WHERE clause) to the -Filter parameter of Get-ADUser; users who are not familiar with LDAP filter syntax can use this to select only the users they need.
Import-Module ActiveDirectory
Get-ADUser -Filter 'department -like "*Admin*"' | Set-ADUser -ChangePasswordAtLogon:$True
You can also use an LDAP filter with the -LDAPFilter parameter of Get-ADUser, which gives more flexibility when selecting Active Directory users.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(Department=*Admin*)' | Set-ADUser -ChangePasswordAtLogon:$True
Set Must Change Password at Next Logon for Bulk AD Users from CSV
You can read a list of Active Directory users from a CSV file with the Import-Csv cmdlet. Consider the CSV file ADUsers.csv (example file: ADUsers.csv), which contains a set of AD users identified by the samAccountName column.
Import-Module ActiveDirectory
Import-Csv "C:\Scripts\ADUsers.csv" | ForEach-Object {
    $samAccountName = $_."samAccountName"
    Get-ADUser -Identity $samAccountName | Set-ADUser -ChangePasswordAtLogon:$True
}
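In a real bulk run you want the loop to survive a missing or misnamed account, skip accounts that cannot take the flag, and leave a record of what happened to each row. The following is an added example, not code from the original post; it assumes the same C:\Scripts\ADUsers.csv layout with a samAccountName column, and the function and report file names are placeholders.

```powershell
# Added example (not from the original post). Assumes C:\Scripts\ADUsers.csv
# with a 'samAccountName' header; path, function and report names are hypothetical.
Import-Module ActiveDirectory

function Invoke-BulkChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$ReportPath = "$CsvPath.result.csv"
    )

    $rows = Import-Csv -Path $CsvPath
    # Validate the header up front instead of failing on every row.
    if (-not $rows -or -not ($rows[0].PSObject.Properties.Name -contains 'samAccountName')) {
        throw "CSV must have a 'samAccountName' column: $CsvPath"
    }

    $results = foreach ($row in $rows) {
        $sam = $row.samAccountName.Trim()
        if (-not $sam) { continue }   # skip blank rows

        $status = 'Updated'; $detail = ''
        try {
            # -ErrorAction Stop makes a missing account a catchable exception
            # rather than a non-terminating error that the loop would ignore.
            $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires -ErrorAction Stop
            if ($user.PasswordNeverExpires) {
                $status = 'Skipped'; $detail = 'PasswordNeverExpires is set'
            }
            elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Require password change at next logon')) {
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
            }
            else {
                $status = 'WhatIf'
            }
        }
        catch {
            $status = 'Failed'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{ SamAccountName = $sam; Status = $status; Detail = $detail }
    }

    # Per-account outcome for the change record.
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Dry run first, then the real run with a summary by outcome.
Invoke-BulkChangePasswordAtLogon -CsvPath 'C:\Scripts\ADUsers.csv' -WhatIf
Invoke-BulkChangePasswordAtLogon -CsvPath 'C:\Scripts\ADUsers.csv' |
    Group-Object Status | Select-Object Name, Count
```

Rows that fail or are skipped do not stop the run; they show up as Failed or Skipped in the report so they can be dealt with separately.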
Modify Specific AD Group Members
You can set "user must change password at next logon" for the members of a specific AD group by retrieving them with the Get-ADGroupMember cmdlet. Get-ADGroupMember returns every member principal, including nested groups and computer accounts, which Set-ADUser cannot modify, so filter on objectClass before piping (add -Recursive to Get-ADGroupMember if members of nested groups should be included). The following script selects all user members of the TestGroup group and sets them to change their password at next logon.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "TestGroup" | Where-Object { $_.objectClass -eq 'user' } | Set-ADUser -ChangePasswordAtLogon:$True
Very nice post. Thank you Sir. !
Outstanding post. Thank you!
Excellent post, hats off
is there a way to use -ChangePasswordAtLogon on a local account, not an AD account?
Yes, you can use the native ADSI WinNT provider interface to set this flag on a local account:
$user=[ADSI]'WinNT://localhost/testuser';
$user.passwordExpired = 1;
$user.setinfo();
Refer to this post: https://www.morgantechspace.com/2019/05/change-local-system-user-account-password-powershell.html