Solved

Set a number of accounts to "change password at next logon"

Posted on 2012-09-09
Last Modified: 2012-09-23
Hi guys, I have quite a number of user accounts I need to force to change their password at next logon. To add to this, not all the accounts are in the same domain. They are however all part of the same forest.

So I need a command that will read through a list of users and set their account to "user must change password at next logon" no matter which domain they are in.
Question by:amaru96
9 Comments
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 38381886
You can select all required users from ADUC, go to Properties and, on the Account tab, select the "User Must Change Password at Next Logon" checkbox.

Configuring a Password Change at Next Logon Requirement
http://technet.microsoft.com/en-us/library/ee198797.aspx

User Must Change Password at Next Logon–pwdLastSet–PowerShell Script
http://portal.sivarajan.com/2011/07/user-must-change-password-at-next.html
http://www.techtalkz.com/windows-server-2003/424031-change-password-next-logon-without-resetting-password-using.html
 
LVL 1

Author Comment

by:amaru96
ID: 38381908
Guys, I can use the below command to read a list of users and get it to set the "user must change password at next logon", but it only works against users from the domain I run it within. I don't want to have to run this command from every domain!

Import-Csv Users.csv | ForEach-Object {Set-QADUser $_.samAccountName -UserMustChangePassword $true}

How can I get it to do it across the entire forest?

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38381915
I would create a flat text file with user logins for each domain, separately,

i.e.
iSiek
iSiek2
iSiek3

save this on the C: drive of a DC or a workstation with the Administrative/RSAT Tools and run in the command line

for /f %i in (c:\users.txt) do dsquery user -samid %i | dsmod user -mustchpwd yes -canchpwd yes

Repeat that for each domain and the users would need to change their password at next logon.

Or, if you have user logins separated into text files, you may try to do that from a single computer. But before you use a particular text file, you need to provide the distinguished name of the domain in which you want to do that:
for /f %i in (c:\users1.txt) do dsquery user "dc=domain1,dc=local" -samid %i | dsmod user -mustchpwd yes -canchpwd yes


Regards,
Krzysztof
 
LVL 1

Author Comment

by:amaru96
ID: 38382410
Unless I'm mistaken I would still need to run that command on a DC on every domain? We have 12 child domains which I suppose is doable but far from ideal (what if we had 100?).
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 450 total points
ID: 38382462
So, please follow this second method. But you need to have a separate text file for the users in each child domain. Then try that

for /f %i in (c:\users1.txt) do dsquery user "dc=domain1,dc=local" -samid %i | dsmod user -mustchpwd yes -canchpwd yes

for one DC

Krzysztof
 
LVL 6

Accepted Solution

by:
slidingfox earned 1050 total points
ID: 38393990
For this you'll need the free Quest AD CmdLets. You'll also require a CSV file with two columns. The first column called Domain containing the FQDN (domain.co.uk or west.domain.co.uk), then the second column called UserName.

I've not had a chance to test this properly yet. If it doesn't work, let me know and I'll give it a proper test later.

# Load the Quest snap-in once if it is not already loaded
if (-not (Get-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement | Out-Null
}

# CSV columns: Domain (FQDN), UserName (sAMAccountName)
$users = Import-Csv C:\users.csv
$connectedDomain = $null

ForEach ($user in $users) {
    $domain = $user.Domain.Trim()

    # Reconnect only when the target domain changes; rows are processed in file order,
    # and the currently connected domain is tracked explicitly rather than read back from the service
    if ($domain -ne $connectedDomain) {
        Connect-QADService -Service $domain | Out-Null
        $connectedDomain = $domain
    }

    Set-QADUser -Identity $user.UserName.Trim() -UserMustChangePassword $True
}

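A forest-wide version of the same CSV-driven approach, added here as an example and not taken from slidingfox's post or the thread: it uses the Microsoft ActiveDirectory module (Set-ADUser with -Server) instead of the Quest snap-in, assumes the same C:\users.csv with Domain and UserName columns, and assumes the account running it has rights to modify users in every listed domain.

```powershell
# Added example (not from the original thread): force "change password at next logon"
# forest-wide with the Microsoft ActiveDirectory module instead of the Quest snap-in.
# Assumes C:\users.csv with columns Domain (FQDN) and UserName (sAMAccountName),
# and that the caller has rights to modify users in each listed domain.
Import-Module ActiveDirectory

$users   = Import-Csv -Path 'C:\users.csv'
$dcCache = @{}   # domain FQDN -> discovered DC hostname, so each domain is located once

foreach ($user in $users) {
    $domain = $user.Domain.Trim()
    $sam    = $user.UserName.Trim()

    # Locate a writable DC running ADWS in the target domain; passing it as -Server
    # sends every later call to that domain instead of the one we are logged on to.
    if (-not $dcCache.ContainsKey($domain)) {
        try {
            $dc = Get-ADDomainController -DomainName $domain -Discover -Writable -Service ADWS
            $dcCache[$domain] = [string]$dc.HostName
        } catch {
            Write-Warning "Could not locate a DC for domain '$domain': $_"
            continue
        }
    }
    $server = $dcCache[$domain]

    try {
        $adUser = Get-ADUser -Identity $sam -Server $server -Properties PasswordNeverExpires

        # Set-ADUser refuses ChangePasswordAtLogon on accounts flagged "password never expires",
        # so report those rows instead of letting them fail inside the loop.
        if ($adUser.PasswordNeverExpires) {
            Write-Warning "$domain\$sam has PasswordNeverExpires set; clear it first."
            continue
        }

        Set-ADUser -Identity $adUser -Server $server -ChangePasswordAtLogon $true

        # Verify: the flag is stored in the directory as pwdLastSet = 0.
        $check = Get-ADUser -Identity $sam -Server $server -Properties pwdLastSet
        if ($check.pwdLastSet -eq 0) {
            Write-Output "OK   $domain\$sam"
        } else {
            Write-Warning "pwdLastSet for $domain\$sam is $($check.pwdLastSet), expected 0"
        }
    } catch {
        Write-Warning "Failed for $domain\$sam on ${server}: $_"
    }
}
```

Run it once with -WhatIf appended to the Set-ADUser line to see which accounts in which domains would be touched before committing the change.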
 
LVL 1

Author Comment

by:amaru96
ID: 38397612
Thanks guys, will give it a try as soon as I can. Been pulled away from this for the moment.....
 
LVL 1

Author Comment

by:amaru96
ID: 38427570
Looks like it'll be quite some time before I'm in a position to try this out. Appreciate the solutions.
