Force users to change their password at the OU level

Posted on 2010-09-02
Last Modified: 2012-05-10

I am in desperate need of a script to force a group of users in a specific OU to change their password. Also is there a way to do this real time instead of at next log in? I would love to be able to have the users save their work and go through a password change at a specific time of day.

As a note, I do not have any experience with VB.

Thank you in advance

Question by:dwesolowicz
  • 3
  • 3
  • 2
  • +1
LVL 57

Accepted Solution

Mike Kline earned 250 total points
ID: 33588751
When you say real time do you mean you want some sort of popup that forces them to do it right then? why would you want to disrupt your users like that ?    You could also  log them off I guess and then have their password set to change at next logon.
What I'd do is set all their accounts to "User must change password at next logon", you can do that using vbscript, adfind/admod, etc.  You can also just highlight all the users in that OU and right click select properties and set that option.

Assisted Solution

dehcbad25 earned 250 total points
ID: 33588786
Do you want it as a Script to run often, or this is a one time deal?
If it is a 1 time, you could select all users and open properties, the place a check in "User must change password at next logon"
Then you could send an email asking them to restart the PC and change passwords.
As for the script, this seems more of something for PowerShell than VB script.
Otherwise you could make a GP that forces a shorted password change and apply it to the OU, but I don't know of a way to request the password without login in.
However, once a password has expired, for new connections it will require the password to be updated (this is for example, Exchange connections (Outlook), shared folders, web applications, etc).
Not sure how often you need to do this, or what would be the purpose, but I am guessing it is a 1 time deal, so it seems easier to request password change from Users and Computers, or set the field user.pwdLastSet to 0 using a powershell command

Author Comment

ID: 33589454
Sorry for the delay and thanks for the reply.

To answer your questions, this is a one time deal. From both responses, I can see that in AD users and computers that you are able select a group of users and force a password change at next log in. This will work fine for what I am trying to do.

Are you aware of a log on/off script that could be used to achieve the same thing. I have no experience with VB.

Thanks again!
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Expert Comment

ID: 33589507
It would be possible using VB scrip since you would only need to change the pwdLastSet field
Here is a link
For Windows Vista and up, you will have to use a PowerShell script

Author Comment

ID: 33589640
I just tried to select two users in an OU and selected "User must change password at next logon". I did this while logged in as one of the two users. I then logged off, and logged back on and was not prompted for the password change. I tried a reboot and then was prompted to change the password.

Does the PC have to be rebooted in order to be prompted to change the password?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33589858
Try this one

run on server or workstation with Administrative Tools installed in command-line

dsquery user "ou=<OUname>,dc=your_fdqn>" -name * -limit 0 >c:\usersOU.txt

i.e OU=MyUsers in testenv.local environment

dsquery user "ou=MyUsers,dc=testenv,dc=local" -name * -limit 0 >c:\usersOU.txt

edit text file and remove unnecessary entries.

create bat or cmd file and save it in the same location with txt file

@echo off

for /f %%i in (usersOU.txt) do dsmod user %%i -mustchpwd yes -canchpwd yes -disabled no

and run it in date you plan to force them password change :) They will receive information that they have to change their password during log on time :) And it of cource affects only users from particular OU. Additionally if you don't want to rememebr when you need to run this batch, you can set up task scheduler on server for proper date to run once.
LVL 57

Expert Comment

by:Mike Kline
ID: 33589889
Did you make the change then immediately log off and log back on.  Were these users local or remote?   (may need to wait for replication depending on the setup)

That flag/setting is right.

Author Comment

ID: 33590031
did the change and immediately logged off and then back on. forced a GP update and that took care of the problem

Expert Comment

ID: 33591237
the machine needs to contact the network to get the new password age, that is why loggin off and then back on would not prompt the password change. However, gpupdate does the connection.
Alternatively, if you try to log on 4 or 5 times with the wrong/blank password (until it takes a while to check the password), it will get the setting for the logon. Until then the PC would log on with cached credentials.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
With User Account Control (UAC) enabled in Windows 7, one needs to open an elevated Command Prompt in order to run scripts under administrative privileges. Although the elevated Command Prompt accomplishes the task, the question How to run as script…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question