Change user password at first logon using PowerShell

The scripts below can force users belonging to specific OUs to change their passwords during their next logon. Often, using PowerShell for this can be complex and time consuming.

ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers an option that, when enabled, forces users to change their password every time they log on after a password reset (self-service or automated password reset).

Here is a comparison between forcing users to change their passwords using PowerShell and ADSelfService Plus:

With PowerShell

Enter the following PowerShell script to force the users belonging to a specific OU to change their passwords during the next logon:

# -PasswordNeverExpires:$false is required: Set-ADUser refuses ChangePasswordAtLogon on accounts whose password never expires
Get-ADUser -Filter * -SearchBase "OU=<specify-OU-name>,DC=<specify-subdomain-name>,DC=<specify-domain-name>,DC=com" | Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -ChangePasswordAtLogon:$true
With ADSelfService Plus

In ADSelfService Plus:

  • Go to Configuration > Policy Configuration.
  • Create a new policy.
  • Once the information required to create the policy is provided, click on Advanced, navigate to the Reset & Unlock tab and select the Upon password reset, force users to change password at next logon checkbox.
  • Click OK and in the Policy Configuration section, click Save.

Advantages of ADSelfService Plus:

  • Quick configuration: In ADSelfService Plus, users can be forced to change their passwords during the next logon following a password reset with a few clicks and minimal information. In PowerShell, this requires creating, debugging, and running scripts.
  • Choose who should be forced to change their passwords: When creating an ADSelfService Plus policy, administrators can select the domain, OUs, and groups whose users should be forced to change their password during the next logon following a password reset. Using PowerShell to force specific users to change their passwords requires writing a more extensive script.
  • Enforcing strong passwords: ADSelfService Plus' Password Policy Enforcer allows administrators to create and enforce custom password policies that prevent the creation of weak passwords that are vulnerable to attack. Again, in ADSelfService Plus this takes a few clicks, unlike PowerShell, which involves creating scripts.
  • Synchronize AD password with enterprise applications: Using ADSelfService Plus' Password Synchronization feature, any changes made to the users' passwords can be automatically synchronized with their user account in enterprise applications like G Suite and Office 365.

Using PowerShell to change user password at first logon

Step 1: Identify users who need to change their password at first logon

Retrieve users who have not changed their password since account creation.

# A zero pwdLastSet also matches accounts already flagged to change their password at next logon
Get-ADUser -Filter {PasswordLastSet -eq 0} -Properties SamAccountName

Step 2: Force password change at next logon

Set the flag for all identified users. This ensures users are prompted to reset their password when they log in.

foreach ($user in (Get-ADUser -Filter {PasswordLastSet -eq 0})) {
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
}

Step 3: Apply to a specific user or group

To enforce this setting for a single user, run the script below.

Set-ADUser -Identity "JohnDoe" -ChangePasswordAtLogon $true

To apply this for an entire group, run the script below.

Get-ADGroupMember -Identity "NewEmployees" | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }

Step 4: Automate with a scheduled task

To enforce this rule for new users automatically, save the one-liner as C:\Scripts\ForcePasswordChange.ps1 and register a scheduled task that runs it every morning at 6 AM:

# Write the daily one-liner to the script file the task will run (single quotes keep $_ and $true literal)
$script = 'Get-ADUser -Filter {PasswordLastSet -eq 0} | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }'
Set-Content -Path "C:\Scripts\ForcePasswordChange.ps1" -Value $script
$trigger = New-ScheduledTaskTrigger -Daily -At "06:00AM"
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\ForcePasswordChange.ps1"
# Prompt for the run-as account rather than hard-coding its password in the script
$cred = Get-Credential -Message "Account that will run the ForcePasswordReset task"
Register-ScheduledTask -TaskName "ForcePasswordReset" -Trigger $trigger -Action $action -User $cred.UserName -Password $cred.GetNetworkCredential().Password

FAQs

1. How do I force a user to change their password at the next login?

Run the script below to force a user to change their password at the next login.

Set-ADUser -Identity username -ChangePasswordAtLogon $true

2. Can I apply this setting in bulk for multiple users?

Yes, run the script below to apply this setting in bulk for multiple users.

# -Filter * flags every user in the domain, service accounts included; add -SearchBase to scope it to an OU
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon $true

3. How do I verify if a user must change their password at the next login?

Run the script below to verify if a user must change their password at the next login.

# ChangePasswordAtLogon is a Set-ADUser parameter only; the flag is stored as pwdLastSet = 0
Get-ADUser -Identity username -Properties pwdLastSet | Select-Object SamAccountName, @{Name='MustChangePassword'; Expression={$_.pwdLastSet -eq 0}}
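The steps above (identify, flag, scope, verify) combined into one reusable function, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module and an OU path you supply (the OU shown is a placeholder), skips the accounts the flag cannot or should not apply to, supports -WhatIf, and reads pwdLastSet back to confirm each change.

```powershell
# Added example (not from the original page): scope the "must change password at next
# logon" flag to one OU, skip accounts it cannot apply to, and verify the result.
Import-Module ActiveDirectory

function Set-MustChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$SearchBase,   # e.g. "OU=NewHires,DC=example,DC=com" (placeholder)
        [switch]$OnlyNeverChanged                      # restrict to accounts whose password was never set
    )

    # pwdLastSet = 0 is the stored form of "user must change password at next logon",
    # so it both selects the target set and lets us verify afterwards.
    $filter = if ($OnlyNeverChanged) { "pwdLastSet -eq 0 -and Enabled -eq 'True'" } else { "Enabled -eq 'True'" }
    $users = Get-ADUser -Filter $filter -SearchBase $SearchBase -Properties pwdLastSet, PasswordNeverExpires, ServicePrincipalName

    foreach ($u in $users) {
        # Set-ADUser rejects ChangePasswordAtLogon when PasswordNeverExpires is set, and forcing
        # a change on an account with SPNs (a service account) would break the service behind it.
        if ($u.PasswordNeverExpires -or $u.ServicePrincipalName.Count -gt 0) {
            [pscustomobject]@{ User = $u.SamAccountName; Action = 'Skipped'; Reason = 'PasswordNeverExpires or service account' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Force password change at next logon')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            # Read the attribute back instead of trusting the call: 0 means the flag is set.
            $after = (Get-ADUser -Identity $u -Properties pwdLastSet).pwdLastSet
            $reason = if ($after -eq 0) { 'Verified' } else { 'NOT set' }
            [pscustomobject]@{ User = $u.SamAccountName; Action = 'Flagged'; Reason = $reason }
        }
    }
}

# Dry run first (-WhatIf shows what would be flagged), then apply to never-changed accounts only.
Set-MustChangePasswordAtLogon -SearchBase 'OU=NewHires,DC=example,DC=com' -WhatIf
Set-MustChangePasswordAtLogon -SearchBase 'OU=NewHires,DC=example,DC=com' -OnlyNeverChanged | Format-Table
```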
