Force users to change their password at the OU level

Posted on 2010-09-02
Last Modified: 2012-05-10

I am in desperate need of a script to force a group of users in a specific OU to change their password. Also is there a way to do this real time instead of at next log in? I would love to be able to have the users save their work and go through a password change at a specific time of day.

As a note, I do not have any experience with VB.

Thank you in advance

Question by:dwesolowicz
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
LVL 57

Accepted Solution

Mike Kline earned 250 total points
ID: 33588751
When you say real time do you mean you want some sort of popup that forces them to do it right then? why would you want to disrupt your users like that ?    You could also  log them off I guess and then have their password set to change at next logon.
What I'd do is set all their accounts to "User must change password at next logon", you can do that using vbscript, adfind/admod, etc.  You can also just highlight all the users in that OU and right click select properties and set that option.

Assisted Solution

dehcbad25 earned 250 total points
ID: 33588786
Do you want it as a Script to run often, or this is a one time deal?
If it is a 1 time, you could select all users and open properties, the place a check in "User must change password at next logon"
Then you could send an email asking them to restart the PC and change passwords.
As for the script, this seems more of something for PowerShell than VB script.
Otherwise you could make a GP that forces a shorted password change and apply it to the OU, but I don't know of a way to request the password without login in.
However, once a password has expired, for new connections it will require the password to be updated (this is for example, Exchange connections (Outlook), shared folders, web applications, etc).
Not sure how often you need to do this, or what would be the purpose, but I am guessing it is a 1 time deal, so it seems easier to request password change from Users and Computers, or set the field user.pwdLastSet to 0 using a powershell command

Author Comment

ID: 33589454
Sorry for the delay and thanks for the reply.

To answer your questions, this is a one time deal. From both responses, I can see that in AD users and computers that you are able select a group of users and force a password change at next log in. This will work fine for what I am trying to do.

Are you aware of a log on/off script that could be used to achieve the same thing. I have no experience with VB.

Thanks again!
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.


Expert Comment

ID: 33589507
It would be possible using VB scrip since you would only need to change the pwdLastSet field
Here is a link
For Windows Vista and up, you will have to use a PowerShell script

Author Comment

ID: 33589640
I just tried to select two users in an OU and selected "User must change password at next logon". I did this while logged in as one of the two users. I then logged off, and logged back on and was not prompted for the password change. I tried a reboot and then was prompted to change the password.

Does the PC have to be rebooted in order to be prompted to change the password?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33589858
Try this one

run on server or workstation with Administrative Tools installed in command-line

dsquery user "ou=<OUname>,dc=your_fdqn>" -name * -limit 0 >c:\usersOU.txt

i.e OU=MyUsers in testenv.local environment

dsquery user "ou=MyUsers,dc=testenv,dc=local" -name * -limit 0 >c:\usersOU.txt

edit text file and remove unnecessary entries.

create bat or cmd file and save it in the same location with txt file

@echo off

for /f %%i in (usersOU.txt) do dsmod user %%i -mustchpwd yes -canchpwd yes -disabled no

and run it in date you plan to force them password change :) They will receive information that they have to change their password during log on time :) And it of cource affects only users from particular OU. Additionally if you don't want to rememebr when you need to run this batch, you can set up task scheduler on server for proper date to run once.
LVL 57

Expert Comment

by:Mike Kline
ID: 33589889
Did you make the change then immediately log off and log back on.  Were these users local or remote?   (may need to wait for replication depending on the setup)

That flag/setting is right.

Author Comment

ID: 33590031
did the change and immediately logged off and then back on. forced a GP update and that took care of the problem

Expert Comment

ID: 33591237
the machine needs to contact the network to get the new password age, that is why loggin off and then back on would not prompt the password change. However, gpupdate does the connection.
Alternatively, if you try to log on 4 or 5 times with the wrong/blank password (until it takes a while to check the password), it will get the setting for the logon. Until then the PC would log on with cached credentials.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question