Tuesday, 24 March 2015

Powershell: Set AD User Must Change Password At Next Logon

We can set AD user property values with the PowerShell cmdlet Set-ADUser, which modifies the properties of an Active Directory user. Normally, you force an AD user to change their password at next logon by setting the user's pwdLastSet attribute to 0. Set-ADUser, however, supports the extended property ChangePasswordAtLogon: you set it to True or False directly and the cmdlet updates the pwdLastSet attribute for you.

PowerShell command to force a user to change their password at next logon:

Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true
The Identity parameter specifies the Active Directory user to modify. You can identify a user by samAccountName, distinguished name (DN), GUID or SID.

Set Users in a Specific OU:

You can select AD users from a specific OU and set them to change their password at next logon by combining the Get-ADUser and Set-ADUser cmdlets. You scope the query to an OU with the SearchBase parameter of Get-ADUser. The following command selects the users in the Organizational Unit 'TestOU' and sets their pwdLastSet attribute to 0.
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" |
  Set-ADUser -ChangePasswordAtLogon:$True

Update a Specific Set of AD Users with a Filter:

You can select a specific set of AD users with the SQL-like Filter parameter of Get-ADUser; users who are not familiar with LDAP filter syntax can use this filter to retrieve only the users they want.
Import-Module ActiveDirectory
Get-ADUser -Filter 'department -like "*Admin*"' |
  Set-ADUser -ChangePasswordAtLogon:$True
You can also use an LDAP filter with the Get-ADUser cmdlet, which gives more flexibility when filtering Active Directory users.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(Department=*Admin*)' |
  Set-ADUser -ChangePasswordAtLogon:$True

Modify Bulk AD Users to Change Password At Next Logon from CSV:

You can read Active Directory user names from a CSV file with the PowerShell cmdlet Import-CSV. Consider the CSV file ADUsers.csv (example file: Download ADUsers.csv), which contains a set of AD users with the column samAccountName.

Set Bulk AD Users to Change Password At Next Logon from CSV
Import-Module ActiveDirectory
Import-Csv "C:\Scripts\ADUsers.csv" | ForEach-Object {
  # each row of the CSV supplies the samAccountName column
  $samAccountName = $_."samAccountName"
  Get-ADUser -Identity $samAccountName |
    Set-ADUser -ChangePasswordAtLogon:$True
}

Modify specific AD Group Members:

You can set the members of a specific AD group to change their password at next logon by retrieving the members with the Get-ADGroupMember cmdlet. The following PowerShell script selects all members of the group TestGroup and sets those users to change their password at next logon.
Import-Module ActiveDirectory
# Get-ADGroupMember can also return nested groups and computers; keep only user objects
Get-ADGroupMember -Identity "TestGroup" | Where-Object { $_.objectClass -eq 'user' } |
  Set-ADUser -ChangePasswordAtLogon:$True
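As an added example that is not part of the original post, the script below combines the CSV approach with per-user error handling, -WhatIf support, a check for accounts whose PasswordNeverExpires flag blocks the change, and a verification that pwdLastSet was actually reset to 0. The CSV path, log path and column name are assumptions.

```powershell
# Added example (not from the original post). Assumes the CSV has a
# samAccountName column; file paths are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = 'C:\Scripts\ADUsers.csv',
    [string]$LogPath = 'C:\Scripts\ForcePasswordChange.log'
)

Import-Module ActiveDirectory

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.samAccountName
    try {
        # pwdLastSet and PasswordNeverExpires are not in the default property set
        $user = Get-ADUser -Identity $sam -Properties pwdLastSet, PasswordNeverExpires -ErrorAction Stop

        # Set-ADUser refuses ChangePasswordAtLogon on accounts whose password never expires
        if ($user.PasswordNeverExpires) {
            [pscustomobject]@{ User = $sam; Status = 'Skipped: PasswordNeverExpires' }
            continue
        }

        # Nothing to do if a change is already pending (pwdLastSet = 0)
        if ($user.pwdLastSet -eq 0) {
            [pscustomobject]@{ User = $sam; Status = 'AlreadySet' }
            continue
        }

        if ($PSCmdlet.ShouldProcess($sam, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop

            # Verify the cmdlet wrote pwdLastSet = 0 as the post describes
            $check  = Get-ADUser -Identity $sam -Properties pwdLastSet
            $status = if ($check.pwdLastSet -eq 0) { 'Set' } else { 'VerifyFailed' }
            [pscustomobject]@{ User = $sam; Status = $status }
        }
    }
    catch {
        # Typical causes: account not found, or no write access to the object
        [pscustomobject]@{ User = $sam; Status = "Error: $($_.Exception.Message)" }
    }
}

# Keep a record of what was changed and show a summary on screen
$results | Tee-Object -FilePath $LogPath | Format-Table -AutoSize
```

Run it once with -WhatIf to review which accounts would be changed before committing the change.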



  1. Very nice post. Thank you, Sir!

  2. Excellent post, hats off

  3. Is there a way to use -ChangePasswordAtLogon on a local account, not an AD account?

    1. Yes, you can use the native ADSI WinNT provider interface to set this flag on a local account:

      $user.passwordExpired = 1;

      Refer to this post: https://www.morgantechspace.com/2019/05/change-local-system-user-account-password-powershell.html