• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2531

Set a number of accounts to "change password at next logon"

Hi guys, I have quite a number of user accounts I need to force to change their password at next logon. To add to this, not all the accounts are in the same domain. They are however all part of the same forest.

So I need a command that will read through a list of users and set their account to "user must change password at next logon" no matter which domain they are in.
Asked: amaru96

2 Solutions
 
Sandeshdubey (Senior Server Engineer) commented:
You can select all the required users in ADUC, go to Properties, and on the Account tab select the User Must Change Password at Next Logon checkbox.

Configuring a Password Change at Next Logon Requirement
http://technet.microsoft.com/en-us/library/ee198797.aspx

User Must Change Password at Next Logon–pwdLastSet–PowerShell Script
http://portal.sivarajan.com/2011/07/user-must-change-password-at-next.html
http://www.techtalkz.com/windows-server-2003/424031-change-password-next-logon-without-resetting-password-using.html
 
amaru96 (Author) commented:
Guys, I can use the below command to read a list of users and get it to set the "user must change password at next logon", but it only works against users from the domain I run it within. I don't want to have to run this command from every domain!

Import-Csv Users.csv | ForEach-Object {Set-QADUser $_.samAccountName -UserMustChangePassword $true}

How can I get it to do it across the entire forest?

 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
I would create a flat text file with user logins for each domain, separately,

e.g.
iSiek
iSiek2
iSiek3

save this on the C: drive of a DC or a workstation with the Administrative/RSAT Tools installed and run in the command line:

for /f %i in (c:\users.txt) do dsquery user -samid %i | dsmod user -mustchpwd yes -canchpwd yes



Repeat that for each domain, and the users will need to change their password at next logon.

Or, if you have the user logins separated into text files per domain, you may try to do that from a single computer. But before you use a particular text file, you need to provide the distinguished name of the domain in which you want to do that:
for /f %i in (c:\users1.txt) do dsquery user "dc=domain1,dc=local" -samid %i | dsmod user -mustchpwd yes -canchpwd yes



Regards,
Krzysztof
 
amaru96 (Author) commented:
Unless I'm mistaken I would still need to run that command on a DC on every domain? We have 12 child domains which I suppose is doable but far from ideal (what if we had 100?).
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
So, please follow the second method. But you need to have a separate text file for the users of each child domain. Then try this

for /f %i in (c:\users1.txt) do dsquery user "dc=domain1,dc=local" -samid %i | dsmod user -mustchpwd yes -canchpwd yes



from one DC.

Krzysztof
 
slidingfox commented:
For this you'll need the free Quest AD CmdLets. You'll also require a CSV file with two columns: the first column, called Domain, containing the FQDN (domain.co.uk or west.domain.co.uk), and the second column, called UserName.

I've not had a chance to test this properly yet. If it doesn't work, let me know and I'll give it a proper test later.

# Load the Quest snap-in only if it is not already loaded
if (-not (Get-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement | Out-Null
}

# CSV columns: Domain (FQDN of the user's domain), UserName (sAMAccountName)
$users = Import-Csv C:\users.csv
$connectedDomain = $null

ForEach ($user in $users) {

    # Reconnect only when the domain changes; sort the CSV by Domain to keep this
    # to one connection per domain instead of one per user
    if ($user.Domain -ne $connectedDomain) {
        Connect-QADService -Service $user.Domain | Out-Null
        $connectedDomain = $user.Domain
    }

    # The sAMAccountName is resolved against the domain currently connected
    Set-QADUser -Identity $user.UserName -UserMustChangePassword $True

}


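Both approaches above (the per-domain dsquery/dsmod loop and the Quest script) need either a run per domain or a third-party snap-in. The following is an added example, not code from this thread or from any of the posters, showing the same change done from one domain-joined machine with nothing but PowerShell and ADSI (System.DirectoryServices): it writes pwdLastSet = 0, which is what the ADUC checkbox and dsmod -mustchpwd yes do. It goes a little beyond the question: when the CSV gives no Domain for a user, it looks the account up in the global catalog, and it refuses accounts that have "Password never expires" set, because that flag silently defeats the prompt. The CSV layout (UserName plus an optional Domain column), the helper names, and every user and domain name are assumptions; the sample rows are constructed and stand in for Import-Csv C:\users.csv.

```powershell
# Added example (not from this thread). Flag listed accounts "must change password at next
# logon" across every domain of the forest from one machine, using ADSI only.
# Assumptions: the caller can write to the target accounts; CSV has UserName and an
# optional Domain (FQDN) column; all names/domains below are made up.

# Escape a value for an LDAP filter (RFC 4515) so a crafted entry in the user list cannot
# turn the lookup into a wildcard or inject extra filter clauses. Backslash goes first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

# Locate the account and return a writable DirectoryEntry bound to a DC of its own domain.
# With a Domain: search that domain. Without: search the global catalog (every domain in
# the forest) and refuse if the sAMAccountName exists in more than one domain.
function Find-UserEntry([string]$SamAccountName, [string]$Domain) {
    $safeName = ConvertTo-LdapFilterValue $SamAccountName
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    if ($Domain) {
        $root = [ADSI]"LDAP://$Domain"
    } else {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
        $root = [ADSI]"GC://$forest"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = $searcher.FindAll()
    if ($hits.Count -eq 0) { throw "$SamAccountName not found" }
    if ($hits.Count -gt 1) { throw "$SamAccountName exists in $($hits.Count) domains; add a Domain column to disambiguate" }
    $dn = $hits[0].Properties['distinguishedname'][0]
    # The object's domain is its DC= components joined with dots (split only on unescaped commas).
    $dnsDomain = (($dn -split '(?<!\\),') | Where-Object { $_ -like 'DC=*' } |
                  ForEach-Object { $_.Substring(3) }) -join '.'
    # Bind through a DC of that domain: a GC replica is read-only, and a serverless bind
    # would go to the caller's own domain.
    return [ADSI]"LDAP://$dnsDomain/$dn"
}

# userAccountControl bit 0x10000 = DONT_EXPIRE_PASSWD. ADUC treats it as mutually
# exclusive with "must change at next logon", and a user with it set is never prompted.
$DONT_EXPIRE_PASSWD = 0x10000

function Set-MustChangePasswordAtLogon([string]$SamAccountName, [string]$Domain) {
    $entry = Find-UserEntry $SamAccountName $Domain
    $uac = [int]$entry.userAccountControl.Value
    if ($uac -band $DONT_EXPIRE_PASSWD) {
        throw "$($entry.distinguishedName.Value): 'Password never expires' is set; clear it first"
    }
    # pwdLastSet = 0 is exactly what the ADUC checkbox writes (-1 clears the flag again).
    $entry.pwdLastSet = 0
    $entry.SetInfo()
    return [string]$entry.distinguishedName.Value
}

# Constructed sample input standing in for: $users = Import-Csv C:\users.csv
# An empty Domain means "find the account via the global catalog".
$users = @"
UserName,Domain
jsmith,corp.example.com
mjones,west.corp.example.com
ablake,
"@ | ConvertFrom-Csv

$results = foreach ($u in $users) {
    try {
        $dn = Set-MustChangePasswordAtLogon -SamAccountName $u.UserName -Domain $u.Domain
        [pscustomobject]@{ User = $u.UserName; Result = 'set';    Detail = $dn }
    } catch {
        [pscustomobject]@{ User = $u.UserName; Result = 'FAILED'; Detail = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Run it as an account that can write pwdLastSet on the target users in each domain (delegated "Reset password" or write on the attribute is enough; Domain Admins in the child is not required). It does not touch the "User cannot change password" ACE that dsmod -canchpwd yes clears, so check that separately for accounts that had it set, otherwise the user is prompted and then refused. With the RSAT ActiveDirectory module available (and ADWS on a DC of each domain), Set-ADUser -ChangePasswordAtLogon $true -Server <domain FQDN> performs the same write per domain and refuses the same "password never expires" accounts.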
 
amaru96 (Author) commented:
Thanks guys, will give it a try as soon as I can. Been pulled away from this for the moment...
 
amaru96 (Author) commented:
Looks like it'll be quite some time before I'm in a position to try this out. Appreciate the solutions.