Force users to change their password at the OU level


I am in desperate need of a script to force a group of users in a specific OU to change their password. Also is there a way to do this real time instead of at next log in? I would love to be able to have the users save their work and go through a password change at a specific time of day.

As a note, I do not have any experience with VB.

Thank you in advance


Mike KlineConnect With a Mentor Commented:
When you say real time, do you mean you want some sort of popup that forces them to do it right then? Why would you want to disrupt your users like that? You could also log them off, I guess, and then have their password set to change at next logon.
What I'd do is set all their accounts to "User must change password at next logon"; you can do that using VBScript, adfind/admod, etc. You can also just highlight all the users in that OU, right-click, select Properties and set that option.
dehcbad25Connect With a Mentor Commented:
Do you want it as a Script to run often, or this is a one time deal?
If it is a one-time deal, you could select all users and open Properties, then place a check in "User must change password at next logon".
Then you could send an email asking them to restart the PC and change passwords.
As for the script, this seems more like something for PowerShell than VBScript.
Otherwise you could make a GP that forces a shorter password change interval and apply it to the OU, but I don't know of a way to request the password without logging in.
However, once a password has expired, new connections will require the password to be updated (this is, for example, Exchange connections (Outlook), shared folders, web applications, etc.).
Not sure how often you need to do this, or what the purpose would be, but I am guessing it is a one-time deal, so it seems easier to request the password change from Users and Computers, or set the field user.pwdLastSet to 0 using a PowerShell command.
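The PowerShell approach mentioned above, written out as an added example (this is not code from any participant in the thread). It assumes the ActiveDirectory module from RSAT is installed and that the account running it has rights to modify the users; the OU path "OU=MyUsers,DC=testenv,DC=local" is the placeholder used later in this thread and must be replaced with your own. Setting -ChangePasswordAtLogon writes pwdLastSet = 0, which is the same attribute change described in the comment:

```powershell
# Added example, not from the original thread: flag every enabled user in one OU
# as "User must change password at next logon" with the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder OU; replace with the distinguishedName of your OU.
$SearchBase = 'OU=MyUsers,DC=testenv,DC=local'

# Enumerate users directly in the OU. Use -SearchScope Subtree to include child OUs.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter * `
    -Properties Enabled, PasswordNeverExpires

# Skip disabled accounts, and accounts with "Password never expires":
# Set-ADUser will not accept -ChangePasswordAtLogon $true on the latter.
$targets = $users | Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires }

# Review the list before changing anything.
$targets | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Apply the flag. -WhatIf only reports what would change; remove it to apply.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Verify afterwards: pwdLastSet of 0 means the flag is set on the account.
Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter * -Properties pwdLastSet |
    Select-Object SamAccountName, pwdLastSet
```

Run it once with -WhatIf to confirm the target list, then remove -WhatIf. As the later comments in this thread note, the prompt only appears when the workstation can reach a domain controller that has the change; a user logging on with cached credentials will not see it until the machine contacts the domain.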
dwesolowiczAuthor Commented:
Sorry for the delay and thanks for the reply.

To answer your questions, this is a one-time deal. From both responses, I can see that in AD Users and Computers you are able to select a group of users and force a password change at next logon. This will work fine for what I am trying to do.

Are you aware of a logon/logoff script that could be used to achieve the same thing? I have no experience with VB.

Thanks again!

It would be possible using VBScript, since you would only need to change the pwdLastSet field.
Here is a link
For Windows Vista and up, you will have to use a PowerShell script.
dwesolowiczAuthor Commented:
I just tried to select two users in an OU and selected "User must change password at next logon". I did this while logged in as one of the two users. I then logged off and logged back on, and was not prompted for the password change. I tried a reboot and then was prompted to change the password.

Does the PC have to be rebooted in order to be prompted to change the password?
Krzysztof PytkoSenior Active Directory EngineerCommented:
Try this one

Run on a server or workstation with Administrative Tools installed, from the command line:

dsquery user "ou=<OUname>,dc=<your_fqdn>" -name * -limit 0 >c:\usersOU.txt

e.g. OU=MyUsers in the testenv.local environment:

dsquery user "ou=MyUsers,dc=testenv,dc=local" -name * -limit 0 >c:\usersOU.txt

Edit the text file and remove unnecessary entries.

Create a .bat or .cmd file and save it in the same location as the txt file:

@echo off

rem "delims=" keeps each whole line as one token; dsquery writes quoted DNs
rem such as "CN=John Doe,OU=MyUsers,DC=testenv,DC=local", which contain spaces
rem and would otherwise be split at the first space.
for /f "delims=" %%i in (usersOU.txt) do dsmod user %%i -mustchpwd yes -canchpwd yes -disabled no

and run it on the date you plan to force the password change :) They will receive information that they have to change their password at logon time :) And it of course affects only users from the particular OU. Additionally, if you don't want to remember when you need to run this batch, you can set up Task Scheduler on the server to run it once on the proper date.
Mike KlineCommented:
Did you make the change, then immediately log off and log back on? Were these users local or remote? (You may need to wait for replication, depending on the setup.)

That flag/setting is right.
dwesolowiczAuthor Commented:
Did the change and immediately logged off and then back on. Forced a GP update and that took care of the problem.
The machine needs to contact the network to get the new password age; that is why logging off and then back on would not prompt the password change. However, gpupdate makes the connection.
Alternatively, if you try to log on 4 or 5 times with the wrong/blank password (until it takes a while to check the password), it will get the setting for the logon. Until then the PC would log on with cached credentials.