Pricing  Get Quote

Change user password at first logon using PowerShell

The below scripts can force users belonging to specific OUs to change their passwords during their next logon. Often, using PowerShell can be complex and time consuming.

ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers an option that, when enabled, forces users to change their password every time they logon after a password reset (self-service or automated password reset).

Here is a comparison between forcing users to change their passwords using PowerShell and ADSelfService Plus:


Enter the following PowerShell script to force the users belonging to a specific OU to change their passwords during the next logon:
Get-ADUser -Filter * -SearchBase “OU=<specify-OU-name>,DC=<specify-subdomain-name>,DC=<specify-domain-name>,DC=com” | Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -ChangePasswordAtLogon:$true
Click to copy entire script

ADSelfService Plus

In ADselfService Plus:
  • Go to Configuration > Policy Configuration.
  • Create a new policy.
  • Once the information required to create the policy is provided, click on Advanced, navigate to the Reset & Unlock tab and select the Upon password reset, force users to change password at next logon checkbox.
  • Click OK and in the Policy Configuration section, click Save.
Change user password at first logon using PowerShell
Advantages of ADSelfService Plus:
  • Quick configuration:

    In ADSelfService Plus, users can be forced to change their passwords during the next logon following a password reset by a few clicks and entering minimal information. In PowerShell, this requires creating, debugging, and running scripts.

  • Forced password changes:

    Choose who should be forced to change their passwords: When creating an ADSelfService policy, administrators can select the domain, OUs, and groups whose users should be forced to change their password during the next logon following a password reset. Using PowerShell to force specific users to change their passwords will require creating an extensive script

  • Data management:

    ADSelfService Plus does not store the user's credentials anywhere, unlike the above PowerShell script which requires storing the user's credentials in the script.

  • Enforcing strong passwords:

    ADSelfService Plus' Password Policy Enforcer allows administrators to create and enforce custom password policies that inhibit the creation of weak passwords that are vulnerable to hacks. Again, in ADSelfService Plus, this can be done in a few clicks, unlike PowerShell which involves creating scripts

  • Synchronize AD password with enterprise applications:

    Using ADSelfService Plus' Password Synchronization feature, any changes made to the users' passwords can be automatically synchronized with their user account in enterprise applications like G Suite and Office 365.

Force users to change their Active Directory passwords

  Get 30-day free trial.

Related Resources

ADSelfService Plus trusted by

A single pane of glass for complete self service password management
Email Download Link