Set User Must Change Password at Next Logon

On the account tab of the AD user properties dialog are a number of tick boxes including:

  • Change password at next logon
  • Cannot change password
  • Password never expires
  • Account is disabled

We have seen how to enable and disable accounts. We will look at working with these settings through the next series of posts, starting with the one that sets whether the user must change their password at next logon.

$ou = "OU=England,DC=Manticore,DC=org"
# Microsoft AD cmdlets: a parameter handles the setting
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADUser -ChangePasswordAtLogon:$true
"`nAD provider"
# AD provider: write pwdLastSet directly (value must be a string here)
$name = "UserB"
$dn = "cn=$name,$ou"
Set-ItemProperty -Path AD:\$dn -Name pwdLastSet -Value "0" -Force
# Quest cmdlets: again a parameter handles the setting
$name = "UserC"
Get-QADUser -Identity $name |
Set-QADUser -UserMustChangePassword:$true
# ADSI script: set pwdLastSet to 0 and commit the change with SetInfo()
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"
$user.pwdLastSet = 0
$user.SetInfo()


The cmdlets are nice and straightforward, as we have a parameter to handle the setting.

In the ADSI script and the AD provider we set the pwdLastSet attribute to 0 directly. Notice the value has to be given as a string in the provider.
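As an added example (not from the original post), the ADSI approach wrapped in a function that checks the result, plus an audit function that lists the users in the OU still flagged for a change. It assumes the OU and user names used above and the ActiveDirectory module; the refusal on "Password never expires" follows the Set-ADUser documentation, which says -ChangePasswordAtLogon cannot be $true for such an account.

```powershell
Import-Module ActiveDirectory

# Constructed for this example: the OU and user name used in the post.
$ou   = "OU=England,DC=Manticore,DC=org"
$name = "UserD"
$dn   = "cn=$name,$ou"

function Set-MustChangePasswordAtLogon {
    # Force a change at next logon through ADSI and confirm it was written.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [adsi]"LDAP://$DistinguishedName"
    # 'Password never expires' (DONT_EXPIRE_PASSWORD, 0x10000) makes the flag
    # meaningless, and Set-ADUser refuses the combination, so stop here too.
    if (([int]$user.userAccountControl.Value) -band 0x10000) {
        throw "$DistinguishedName has 'Password never expires' set; clear it first."
    }
    $user.pwdLastSet = 0
    $user.SetInfo()          # nothing reaches the domain controller until SetInfo()
    $user.RefreshCache()
    # pwdLastSet is a 64-bit FILETIME; 0 means 'must change at next logon'.
    $value = $user.ConvertLargeIntegerToInt64($user.pwdLastSet.Value)
    return ($value -eq 0)
}

function Get-UsersMustChangePassword {
    # Audit: every enabled user in the OU still flagged to change at next logon.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(pwdLastSet=0)' `
               -Properties pwdLastSet, PasswordNeverExpires, whenChanged |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, PasswordNeverExpires, whenChanged
}

if (Set-MustChangePasswordAtLogon -DistinguishedName $dn) {
    "$name will be prompted for a new password at next logon"
}
Get-UsersMustChangePassword -SearchBase $ou | Format-Table -AutoSize
```

The audit output is useful after a bulk reset: any account that stays on the list for long has not logged on since, which is worth following up.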

