Retrieve users who have not changed their password since account creation.
```powershell
# PasswordLastSet maps to the pwdLastSet attribute (equivalently: -Filter 'pwdLastSet -eq 0').
# A value of 0 means no password-set time is recorded, which is also how AD represents
# "user must change password at next logon".
Get-ADUser -Filter {PasswordLastSet -eq 0} -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
```

Set the flag for all identified users. This ensures they are prompted to reset their password the next time they log in.
```powershell
foreach ($user in (Get-ADUser -Filter {PasswordLastSet -eq 0})) {
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
}
```

To enforce this setting for a single user, run the script below.
```powershell
Set-ADUser -Identity "JohnDoe" -ChangePasswordAtLogon $true
```

To apply this to every member of a group, run the script below.
```powershell
# Get-ADGroupMember can also return nested groups and computer objects, on which
# Set-ADUser fails; keep only user objects.
Get-ADGroupMember -Identity "NewEmployees" |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }
```

To enforce this rule for new users automatically, register the scheduled task below. It runs the check every morning at 6am.
```powershell
# Single-quoted here-string: $_ and $true are written to the script file literally
# instead of being expanded here.
$script = @'
Get-ADUser -Filter {PasswordLastSet -eq 0} | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }
'@
Set-Content -Path "C:\Scripts\ForcePasswordChange.ps1" -Value $script   # C:\Scripts must already exist
$trigger = New-ScheduledTaskTrigger -Daily -At "06:00AM"
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\ForcePasswordChange.ps1"
# Run the task as a group managed service account (placeholder name) so that no
# password is stored in the task definition or in this script.
$principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\svc_pwdreset$' -LogonType Password
Register-ScheduledTask -TaskName "ForcePasswordReset" -Trigger $trigger -Action $action -Principal $principal
```

Run the script below to force a user to change their password at the next login.
```powershell
Set-ADUser -Identity username -ChangePasswordAtLogon $true
```

To apply this setting in bulk for multiple users, run the script below.
```powershell
# -Filter * matches every user in the domain, including service and built-in accounts;
# narrow the scope with -SearchBase or a specific filter before running this.
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon $true
```

Run the script below to verify whether a user must change their password at the next login.
```powershell
# ChangePasswordAtLogon is a Set-ADUser parameter, not a readable attribute. The
# underlying pwdLastSet attribute is 0 when the user must change their password at next logon.
Get-ADUser -Identity username -Properties pwdLastSet | Select-Object SamAccountName, pwdLastSet
```
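The one-liners above each cover one slice of the job (find, apply, verify) and apply to every account their filter matches. The script below is an added example, not code from the original page. It implements the criterion the page states, a password not changed since account creation, by comparing pwdLastSet with whenCreated rather than relying on the `PasswordLastSet -eq 0` filter, limits the change to a search base, skips members of an exclusion group, supports -WhatIf for a dry run, and reads pwdLastSet back to confirm each change. It assumes the ActiveDirectory module in a domain-joined session; the OU, group name and log path are placeholders.

```powershell
# Added example: not code from the original page. Assumes the ActiveDirectory module
# (RSAT) and a domain-joined session; the OU and group names in the usage lines are
# placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-UserWithInitialPassword {
    <# Users whose password was last set within $Window of account creation, i.e. the
       initial password set by an administrator has never been changed. Accounts whose
       pwdLastSet is already 0 (already flagged to change at next logon) are skipped. #>
    param(
        [string]   $SearchBase,                               # e.g. 'OU=NewHires,DC=example,DC=com' (placeholder)
        [timespan] $Window = [timespan]::FromMinutes(10)
    )
    $query = @{ Filter = { Enabled -eq $true }; Properties = 'pwdLastSet', 'whenCreated' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        if ($_.pwdLastSet -eq 0) { return }
        # pwdLastSet is a FILETIME; FromFileTime yields local time, the same zone as whenCreated
        $lastSet = [DateTime]::FromFileTime($_.pwdLastSet)
        if (($lastSet - $_.whenCreated).Duration() -le $Window) { $_ }
    }
}

function Set-ChangePasswordAtNextLogon {
    <# Flags the piped users, skipping members of $ExcludeGroup, and reads pwdLastSet back
       to confirm each change. -WhatIf lists what would change without touching AD. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [Microsoft.ActiveDirectory.Management.ADUser] $User,
        [string[]] $ExcludeGroup = @(),
        [string]   $LogPath = "$env:ProgramData\ForcePasswordReset\changes.log"   # placeholder
    )
    begin {
        # Build the exclusion set once from group membership (service accounts, admins, ...)
        $excluded = @{}
        foreach ($g in $ExcludeGroup) {
            Get-ADGroupMember -Identity $g -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object { $excluded[$_.SamAccountName] = $true }
        }
        $dir = Split-Path -Parent $LogPath
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    }
    process {
        if ($excluded.ContainsKey($User.SamAccountName)) {
            Write-Verbose "Skipping excluded account $($User.SamAccountName)"
            return
        }
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $User.DistinguishedName -ChangePasswordAtLogon $true
            # Verify: pwdLastSet must now read 0
            $after  = (Get-ADUser -Identity $User.DistinguishedName -Properties pwdLastSet).pwdLastSet
            $status = if ($after -eq 0) { 'OK' } else { 'FAILED' }
            "{0:s} {1} {2}" -f (Get-Date), $User.SamAccountName, $status | Add-Content -Path $LogPath
            [pscustomobject]@{ SamAccountName = $User.SamAccountName; Status = $status }
        }
    }
}

# Usage (placeholder OU and group): dry run first, then apply.
# Get-UserWithInitialPassword -SearchBase 'OU=NewHires,DC=example,DC=com' |
#     Set-ChangePasswordAtNextLogon -ExcludeGroup 'ServiceAccounts' -WhatIf
# Get-UserWithInitialPassword -SearchBase 'OU=NewHires,DC=example,DC=com' |
#     Set-ChangePasswordAtNextLogon -ExcludeGroup 'ServiceAccounts'
```

The ten-minute window absorbs the gap between the object being created and its initial password being set; widen it if your provisioning process sets passwords later. The log file and the returned objects give a record of which accounts were flagged and whether the read-back confirmed it, which is what you want before the task runs unattended.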