

Force users to change their password at the OU level

Posted on 2010-09-02
Medium Priority
Last Modified: 2012-05-10

I am in desperate need of a script to force a group of users in a specific OU to change their password. Also is there a way to do this real time instead of at next log in? I would love to be able to have the users save their work and go through a password change at a specific time of day.

As a note, I do not have any experience with VB.

Thank you in advance

Question by: dwesolowicz

Accepted Solution

Mike Kline earned 1000 total points
ID: 33588751
When you say real time, do you mean you want some sort of popup that forces them to do it right then? Why would you want to disrupt your users like that? You could also log them off, I guess, and then have their password set to change at next logon.
What I'd do is set all their accounts to "User must change password at next logon"; you can do that using VBScript, adfind/admod, etc. You can also just highlight all the users in that OU, right-click, select Properties and set that option.

Assisted Solution

dehcbad25 earned 1000 total points
ID: 33588786
Do you want it as a script to run often, or is this a one-time deal?
If it is a one-time deal, you could select all users and open Properties, then place a check in "User must change password at next logon".
Then you could send an email asking them to restart the PC and change passwords.
As for the script, this seems more like something for PowerShell than VBScript.
Otherwise you could make a GP that forces a shorter password change interval and apply it to the OU, but I don't know of a way to request the password without logging in.
However, once a password has expired, new connections will require the password to be updated (for example Exchange connections (Outlook), shared folders, web applications, etc.).
Not sure how often you need to do this, or what the purpose would be, but I am guessing it is a one-time deal, so it seems easier to request the password change from Users and Computers, or set the field user.pwdLastSet to 0 using a PowerShell command.
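An added example of the PowerShell route mentioned above (not code from the thread); it assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 and later) and uses the OU name from the thread as a placeholder DN. It does a dry run first and then verifies that pwdLastSet really is 0 for every account it touched.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2+). Replace the OU DN with your own.
Import-Module ActiveDirectory

$ou = 'OU=MyUsers,DC=testenv,DC=local'   # placeholder DN

# Only enabled user accounts directly inside the OU (use Subtree if the OU
# has child OUs). Accounts flagged "password never expires" are skipped:
# Set-ADUser -ChangePasswordAtLogon fails on them, so they need separate
# review rather than a silent failure in the middle of a batch.
$users = Get-ADUser -SearchBase $ou -SearchScope OneLevel `
    -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties pwdLastSet

Write-Host "Accounts that will be flagged: $($users.Count)"
$users | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Dry run: -WhatIf reports what would change without writing to AD.
$users | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Real run (uncomment once the dry-run list looks right). This is the
# supported equivalent of the raw attribute write the thread mentions,
# i.e. Set-ADUser -Identity <user> -Replace @{pwdLastSet = 0}.
# $users | Set-ADUser -ChangePasswordAtLogon $true

# Verify against the DC: every flagged account must now show pwdLastSet = 0.
$notFlagged = $users | Get-ADUser -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -ne 0 }
foreach ($u in $notFlagged) {
    Write-Warning "$($u.SamAccountName) still has pwdLastSet=$($u.pwdLastSet)"
}
```

Run it against the domain controller you expect clients to authenticate to; as later replies in this thread note, a workstation that logs on with cached credentials will not prompt until it actually contacts a DC.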


Author Comment

ID: 33589454
Sorry for the delay and thanks for the reply.

To answer your questions, this is a one-time deal. From both responses, I can see that in AD Users and Computers you are able to select a group of users and force a password change at next logon. This will work fine for what I am trying to do.

Are you aware of a logon/logoff script that could be used to achieve the same thing? I have no experience with VB.

Thanks again!

Expert Comment

ID: 33589507
It would be possible using VBScript, since you would only need to change the pwdLastSet field.
Here is a link
For Windows Vista and up, you will have to use a PowerShell script.

Author Comment

ID: 33589640
I just tried to select two users in an OU and selected "User must change password at next logon". I did this while logged in as one of the two users. I then logged off, and logged back on and was not prompted for the password change. I tried a reboot and then was prompted to change the password.

Does the PC have to be rebooted in order to be prompted to change the password?

Expert Comment

by: Krzysztof Pytko
ID: 33589858
Try this one

Run this in a command line on a server or workstation with Administrative Tools installed:

dsquery user "ou=<OUname>,dc=<domain>,dc=<tld>" -name * -limit 0 >c:\usersOU.txt

i.e. OU=MyUsers in the testenv.local environment:

dsquery user "ou=MyUsers,dc=testenv,dc=local" -name * -limit 0 >c:\usersOU.txt

Edit the text file and remove unnecessary entries.

Create a bat or cmd file and save it in the same location as the txt file:

@echo off
rem usersOU.txt holds one quoted DN per line, as written by dsquery above.
rem "delims=" keeps the whole line in %%i even when a DN contains spaces;
rem the default (space/tab) delimiters would cut "CN=John Doe,..." short.
for /f "delims=" %%i in (usersOU.txt) do dsmod user %%i -mustchpwd yes -canchpwd yes -disabled no

and run it on the date you plan to force them to change their password :) They will receive information that they have to change their password at logon time :) And of course it affects only users from the particular OU. Additionally, if you don't want to remember when you need to run this batch, you can set up Task Scheduler on the server to run it once on the proper date.

Expert Comment

by:Mike Kline
ID: 33589889
Did you make the change, then immediately log off and log back on? Were these users local or remote? (You may need to wait for replication, depending on the setup.)

That flag/setting is right.

Author Comment

ID: 33590031
Did the change and immediately logged off and then back on. Forced a GP update and that took care of the problem.

Expert Comment

ID: 33591237
The machine needs to contact the network to get the new password age; that is why logging off and then back on would not prompt the password change. However, gpupdate makes the connection.
Alternatively, if you try to log on 4 or 5 times with the wrong/blank password (until it takes a while to check the password), it will get the setting for the logon. Until then the PC would log on with cached credentials.

Question has a verified solution.
