Requiring a User to Change His Password at Next Logon

Posted: January 14, 2010 in Active Directory, Networking, Server, System Information


Problem

You want to require a user to change his password the next time he logs on to the domain.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “User must change password at next logon.”
  8. Click OK.

Using a command-line interface

You can configure the “User must change password at next logon” setting using either DSMod or AdMod. To modify this setting using DSMod, use the following syntax:

> dsmod user "<UserDN>" -mustchpwd yes

For AdMod, do the following:

> admod -b "<UserDN>" pwdLastSet::0

Using VBScript

' This code sets the flag that requires a user to change their password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION --------
Set objUser = GetObject("LDAP://" & strUserDN)
objUser.Put "pwdLastSet", 0
objUser.SetInfo
WScript.Echo "User must change password at next logon: " & strUserDN

Discussion

When a user changes her password, a timestamp is written to the pwdLastSet attribute of the user object. When the user logs in to the domain, this timestamp is compared to the maximum password age that is defined by the Domain Security Policy to determine if the password has expired. To force a user to change her password at next logon, set the pwdLastSet attribute of the target user to zero, and verify that the user’s account doesn’t have the “password never expires” option enabled.

To disable this option so that a user does not have to change her password, set pwdLastSet to -1. These two values (0 and -1) are the only ones that can be set on the pwdLastSet attribute.
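
The check described in the Discussion can be run over exported attribute values to confirm that a forced change actually takes effect. The following Python sketch is an added example, not part of the original recipe. It assumes pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC), maxPwdAge is stored as a negative interval, and the "password never expires" bit (0x10000 in userAccountControl) takes precedence over pwdLastSet = 0. All account data is constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" bit in userAccountControl
NO_MAX_AGE = (0, -(2 ** 63))      # maxPwdAge values meaning passwords do not expire


def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (the pwdLastSet encoding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ticks):
    """100-ns ticks since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_state(pwd_last_set, uac, max_pwd_age, now):
    """Classify one account from its raw attribute values."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"        # flag overrides pwdLastSet = 0
    if pwd_last_set == 0:
        return "must-change"          # forced change at next logon
    if max_pwd_age in NO_MAX_AGE:
        return "valid"
    # maxPwdAge is stored as a negative interval, so subtracting adds the age.
    expires = from_filetime(pwd_last_set - max_pwd_age)
    return "expired" if now >= expires else "valid"


# Constructed sample data (not from a real directory).
NOW = datetime(2010, 1, 14, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10 ** 7           # 42 days
ACCOUNTS = [
    ("rallen",     0,                                     0x200),
    ("svc-backup", 0,                                     0x10200),
    ("jsmith",     to_filetime(NOW - timedelta(days=10)), 0x200),
    ("bjones",     to_filetime(NOW - timedelta(days=60)), 0x200),
]


def audit(accounts=ACCOUNTS, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Return {account name: state} for every exported account."""
    return {name: password_state(pls, uac, max_pwd_age, now)
            for name, pls, uac in accounts}


if __name__ == "__main__":
    for name, state in audit().items():
        print(f"{name:12} {state}")
```

An account reported as never-expires with pwdLastSet = 0 (svc-backup in the sample) is the case the Discussion warns about: the forced change has been requested but will not be enforced until the flag is cleared.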
