Admins can prompt users to change their password at their next login. While it is easy to see the status of the corresponding attribute in AD Users and Computers, the procedure with PowerShell is a bit tricky. On the other hand, enforcing a password change with PowerShell is quite simple.

There are a number of situations in which it is appropriate for users to change their password. For example, admins or the helpdesk regularly enable this option when resetting an account's password. Users should then not stick with the temporary password. The same applies to newly created accounts, even via import from a CSV file. Another reason is that Active Directory monitoring detects multiple failed login attempts for an account or a successful attack has been detected. In this case you probably want all users to change their password.

Organizations that follow best practices from Microsoft's Security Baseline and no longer use password expiration dates can still use ChangePasswordAtLogon to urge certain users to change passwords when necessary.

Force change of password

In PowerShell, the corresponding attribute can be set as follows:

Set-ADUser -Identity <User> -ChangePasswordAtLogon:$true

For example, if you want to force all users to change their password if they had an invalid login attempt in the past 30 days, you can proceed as follows:

$d = (Get-Date).AddDays(-30)
Get-ADUser -Filter { Enabled -eq $True -and LastBadPasswordAttempt -gt $d} |
Set-ADUser -ChangePasswordAtLogon:$true

In this case, the accounts in question are first determined via Get-ADUser and then passed to Set-ADUser through the pipeline.

Force users to change their password if they have had an invalid login attempt in the last 50 days


Secure accounts without a password

If you want to secure all accounts that didn't need a password until now, you could force them to use a password and enforce the change immediately as follows:

Get-ADUser -Filter {Enabled -eq $true -and PasswordNotRequired -eq $true} |
Set-ADUser -PasswordNotRequired:$false -ChangePasswordAtLogon:$true

Conflict with CannotChangePassword

When setting ChangePasswordAtLogon to $true, keep in mind that the command will fail if the account is not allowed to change its password (CannotChangePassword) or if its password is set to never expire (PasswordNeverExpires), since in both cases the account cannot satisfy the required change.

If the user's password never expires, then ChangePasswordAtLogon will result in an error


Since querying CannotChangePassword is pretty cumbersome, you can preemptively set this property to $false instead:

Set-ADAccountControl -Identity SMacDonald -CannotChangePassword:$false

Find accounts that need to switch passwords

While Set-ADUser provides a separate parameter for changing this attribute, Get-ADUser does not support ChangePasswordAtLogon to query this status.

One possibility is to verify PasswordLastSet for the value 0:

Get-ADUser -Properties PasswordLastSet -Filter "PasswordLastSet -eq '0'"

This is an indication that ChangePasswordAtLogon is enabled. However, PasswordLastSet can also be zero if no password has yet been set for the account.

Check user accounts for the PasswordLastSet value


Since the password policy in most production environments does not allow users to set an empty password, the remaining case is accounts that are exempt from that policy. You can therefore exclude accounts where PasswordNotRequired is $true, because the password policy does not apply to them:

Get-ADUser -Properties PasswordNotRequired,PasswordLastSet `
-Filter {(PasswordLastSet -eq '0') -and (PasswordNotRequired -eq $false)}

Accounts that do not require a password should be dealt with separately anyway, and this "privilege" should be taken away from them if possible.
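The following script is an added example (not code from the 4sysops article) that combines the two procedures above: it reports accounts currently flagged for a password change using the PasswordLastSet/PasswordNotRequired indicator, and it enforces the flag in a way that avoids the CannotChangePassword and PasswordNeverExpires conflicts by clearing the former and skipping the latter with a warning. The function names are my own; it assumes the ActiveDirectory module and an account permitted to modify users.

```powershell
# Added example: report and enforce "change password at next logon" safely.
# Assumes the ActiveDirectory (RSAT) module is available.
Import-Module ActiveDirectory

function Get-MustChangePasswordReport {
    # pwdLastSet = 0 on an account that requires a password is the indicator
    # described above; PasswordNeverExpires is included to show future conflicts.
    Get-ADUser -Filter "Enabled -eq 'True' -and PasswordLastSet -eq '0' -and PasswordNotRequired -eq 'False'" `
               -Properties PasswordLastSet, PasswordNotRequired, PasswordNeverExpires |
        Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNotRequired, PasswordNeverExpires
}

function Set-MustChangePassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        # Re-read the account with the property we need; piped objects may not carry it.
        $u = Get-ADUser -Identity $User.DistinguishedName -Properties PasswordNeverExpires
        if ($u.PasswordNeverExpires) {
            # Set-ADUser -ChangePasswordAtLogon fails for such accounts; report instead of failing.
            Write-Warning "$($u.SamAccountName): password never expires, flag not set"
            return
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require password change at next logon')) {
            # Clear the "user cannot change password" restriction first, then set the flag.
            Set-ADAccountControl -Identity $u -CannotChangePassword:$false
            Set-ADUser -Identity $u -ChangePasswordAtLogon:$true
        }
    }
}

# Usage (constructed): preview enforcement for accounts with a bad logon attempt
# in the last 30 days, then print the report of accounts already flagged.
$d = (Get-Date).AddDays(-30)
Get-ADUser -Filter { Enabled -eq $true -and LastBadPasswordAttempt -gt $d } |
    Set-MustChangePassword -WhatIf
Get-MustChangePasswordReport | Format-Table -AutoSize
```

Drop -WhatIf once the preview shows the expected accounts; the warnings list the accounts whose PasswordNeverExpires setting must be reviewed separately.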

Conclusion

In various situations, it is recommended to prompt users at the next login to change their password. This can be done relatively easily with PowerShell. For this to take effect, ensure that users are allowed to change their passwords.


If you want to generate a report to document the status of ChangePasswordAtLogon, there is no direct way to do this with Get-ADUser. However, querying PasswordLastSet together with PasswordNotRequired provides a reliable indicator in this situation.
