How to force all users to change their Active Directory password at next logon


For a single account, open the Active Directory Users and Computers MMC snap-in (DSA.MSC) by selecting Start -> Administrative Tools -> Active Directory Users and Computers, and then locate the AD user you want. Right-click the account and select Properties. To force the user account to change its password, tick the “User must change password at next logon” checkbox.


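dsquery user -limit 0 | dsmod user -mustchpwd yes

This command forces all users to change their passwords at next logon. CAUTION: this includes the Domain Administrator as well. The -limit 0 switch is needed because dsquery returns only the first 100 objects by default, so without it the command would not reach every user.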

You can also target an OU, so that only a group of users has to change their passwords instead of every user.

You can try the commands below if you have a group that contains all the users and no admins:

Get-ADGroup "Group Name" | Get-ADGroupMember -Recursive | Set-ADUser -ChangePasswordAtLogon $true


Get-ADUser -Filter * -SearchBase "OU=Users,DC=example,DC=com" | Set-ADUser -ChangePasswordAtLogon $true

If you want to see which users will be affected, you can run:

Get-ADGroup "Group Name" | Get-ADGroupMember -Recursive | Format-Table Name

Force All Active Directory User Accounts to Change their Passwords at Next Logon

Click Start -> All Programs -> Accessories -> Windows PowerShell. Then right-click Windows PowerShell and select Run as administrator.

By using both Get-ADUser and Set-ADUser commands you can easily force all the domain user accounts in an organizational unit (OU) to change their passwords at next logon.

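# Prompt for the account name and a temporary password instead of hard-coding them
$userID = Read-Host "sAMAccountName of the user"
$password = Read-Host "Temporary password" -AsSecureString

# Look up the account
$ADuser = Get-ADUser $userID

# Reset the password to the temporary value
Set-ADAccountPassword $userID -Reset -NewPassword $password

# Require the user to choose a new password at next logon
Set-ADUser $userID -ChangePasswordAtLogon $true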
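
A scoped version of the OU-wide command, added here as an example and not part of the original post: it lists which accounts would be flagged, skips members of Domain Admins and Administrators as well as accounts where the flag cannot be applied, and only writes to the directory when $Apply is set. The variable names, the choice of excluded groups and the OU path (taken from the example.com placeholder above) are assumptions to adjust for your domain.

```powershell
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder OU, as in the command above
$Apply      = $false                         # $false = preview only (-WhatIf); $true = change accounts

# Build a lookup of privileged accounts so that the bulk change never touches them.
# The group list is an assumption; add service-account or break-glass groups as needed.
$protected = @{}
foreach ($group in 'Domain Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $protected[$_.DistinguishedName] = $group }
}

# Enabled users in the OU, with the two properties that make the flag unusable.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordNeverExpires, CannotChangePassword

# Decide per account whether to flag it, and record why it is skipped.
$plan = foreach ($user in $candidates) {
    $reason = $null
    if ($protected.ContainsKey($user.DistinguishedName)) {
        $reason = "member of $($protected[$user.DistinguishedName])"
    } elseif ($user.PasswordNeverExpires) {
        # Set-ADUser rejects -ChangePasswordAtLogon $true on these accounts
        $reason = 'PasswordNeverExpires is set'
    } elseif ($user.CannotChangePassword) {
        # Forcing a change the user is not allowed to make would lock them out
        $reason = 'CannotChangePassword is set'
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        DN             = $user.DistinguishedName
        SkipReason     = $reason
    }
}

# Show the full plan first: an empty SkipReason means the account will be flagged.
$plan | Sort-Object SkipReason, SamAccountName |
    Format-Table SamAccountName, SkipReason -AutoSize

# With $Apply = $false, -WhatIf makes Set-ADUser report each change without making it.
$plan | Where-Object { -not $_.SkipReason } | ForEach-Object {
    Set-ADUser -Identity $_.DN -ChangePasswordAtLogon $true -WhatIf:(-not $Apply)
}
```

Run it once with $Apply left at $false and review the table before setting it to $true.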
