There are a number of situations in which it is appropriate for users to change their password. For example, admins or the helpdesk regularly enable this option when resetting an account's password. Users should then not stick with the temporary password. The same applies to newly created accounts, even via import from a CSV file. Another reason is that Active Directory monitoring detects multiple failed login attempts for an account or a successful attack has been detected. In this case you probably want all users to change their password.
Organizations that follow best practices from Microsoft's Security Baseline and no longer use password expiration dates can still use ChangePasswordAtLogon to urge certain users to change passwords when necessary.
Force change of password
In PowerShell, the corresponding attribute can be set as follows:
Set-ADUser -Identity <User> -ChangePasswordAtLogon:$true
For example, if you want to force all users to change their password if they had an invalid login attempt in the past 30 days, you can proceed as follows:
$d = (Get-Date).AddDays(-30)
Get-ADUser -Filter { Enabled -eq $True -and LastBadPasswordAttempt -gt $d } | Set-ADUser -ChangePasswordAtLogon:$true
In this case, the accounts in question are first determined via Get-ADUser and then passed to Set-ADUser through the pipeline.
Secure accounts without a password
If you want to secure all accounts that didn't need a password until now, you could force them to use a password and enforce the change immediately as follows:
Get-ADUser -Filter {Enabled -eq $true -and PasswordNotRequired -eq $true} | Set-ADUser -PasswordNotRequired:$false -ChangePasswordAtLogon:$true
Conflict with CannotChangePassword
When setting ChangePasswordAtLogon to $true, keep in mind that the command fails if the account is not allowed to change its password (CannotChangePassword) or if its password is set to never expire.
Since querying CannotChangePassword is pretty cumbersome, you can preemptively set this property to $false instead:
Set-ADAccountControl -Identity SMacDonald -CannotChangePassword:$false
Find accounts that need to switch passwords
While Set-ADUser provides a separate parameter for changing this attribute, Get-ADUser does not support ChangePasswordAtLogon to query this status.
One possibility is to verify PasswordLastSet for the value 0:
Get-ADUser -Properties PasswordLastSet -Filter "PasswordLastSet -eq '0'"
This is an indication that ChangePasswordAtLogon is enabled. However, PasswordLastSet can also be zero if no password has yet been set for the account.
Since the password policy in most production environments does not allow users to set an empty password, you can check the PasswordNotRequired property for the value $true because the password policy does not apply to such accounts:
Get-ADUser -Properties PasswordNotRequired,PasswordLastSet `
    -Filter {(PasswordLastSet -eq '0') -and (PasswordNotRequired -eq $false)}
Accounts that do not require a password should be dealt with separately anyway, and this "privilege" should be taken away from them if possible.
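As an added example (not the article's own code), the following script combines the two points above: it clears the flags that would make Set-ADUser fail before forcing the password change, and it produces the PasswordLastSet/PasswordNotRequired-based status report. It assumes the ActiveDirectory module is loaded and the session has rights to modify the target accounts; the function names and the CSV path are hypothetical.

```powershell
# Added example, not code from the article. Assumes the ActiveDirectory module
# is loaded and the session may modify the target accounts; function names are
# hypothetical.

# Force a password change at next logon for piped-in users. First clears the
# two flags that make Set-ADUser -ChangePasswordAtLogon fail
# (CannotChangePassword, PasswordNeverExpires), then removes the
# PasswordNotRequired exemption so the password policy applies again.
function Set-ForcedPasswordChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        $acct = Get-ADUser -Identity $User -Properties CannotChangePassword, PasswordNeverExpires, PasswordNotRequired
        if ($acct.CannotChangePassword -or $acct.PasswordNeverExpires) {
            if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Clear CannotChangePassword/PasswordNeverExpires')) {
                Set-ADAccountControl -Identity $acct -CannotChangePassword:$false -PasswordNeverExpires:$false
            }
        }
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $acct -PasswordNotRequired:$false -ChangePasswordAtLogon:$true
        }
    }
}

# Report enabled accounts whose pwdLastSet is 0 and classify them as described
# above: with PasswordNotRequired cleared this means "must change at next
# logon"; with it set, the account may simply never have had a password.
function Get-ForcedPasswordChangeReport {
    Get-ADUser -Filter { PasswordLastSet -eq 0 -and Enabled -eq $true } -Properties PasswordLastSet, PasswordNotRequired |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName      = $_.SamAccountName
                PasswordNotRequired = $_.PasswordNotRequired
                Status              = if ($_.PasswordNotRequired) { 'NoPasswordRequired' } else { 'MustChangeAtLogon' }
            }
        }
}

# Usage: preview the change for users with a bad password attempt in the last
# 30 days (drop -WhatIf to apply it), then export the status report.
$d = (Get-Date).AddDays(-30)
Get-ADUser -Filter { Enabled -eq $true -and LastBadPasswordAttempt -gt $d } | Set-ForcedPasswordChange -WhatIf
Get-ForcedPasswordChangeReport | Export-Csv -Path .\ChangePasswordAtLogon.csv -NoTypeInformation
```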
Conclusion
In various situations, it is recommended to prompt users at the next login to change their password. This can be done relatively easily with PowerShell. For this to take effect, ensure that users are allowed to change their passwords.
If you want to generate a report to document the status of ChangePasswordAtLogon, there is no direct way to do this with Get-ADUser. However, querying PasswordLastSet together with PasswordNotRequired provides a reliable indicator in this situation.