You need to open Active Directory Users and Computers MMC snap-in (DSA.MSC) by selecting Start -> Administrative Tools -> Active Directory Users and Computers, and then locate your desired AD user. Right-click on the account and select Properties. To force the user account to change the password, just tick the “User must change password at next logon” checkbox.
Command:
dsquery user | dsmod user -mustchpwd yes
This command forces all users to change their passwords at next logon. CAUTION: this includes the Domain Administrator account as well.
You can also use “OU” instead of “user” to change the passwords for a group of users.
You can try the below commands if you have a group that contains all the users and no admins and such:
get-adgroup "Group Name" | Get-ADGroupMember -Recursive | set-aduser -ChangePasswordAtLogon $True
or
get-aduser -Filter * -SearchBase "OU=Users,DC=example,DC=com" | set-aduser -ChangePasswordAtLogon $True
And if you want to see which users will be affected, you can run:
get-adgroup "Group Name" | Get-ADGroupMember -Recursive | ft name
Force All Active Directory User Accounts to Change their Passwords at Next Logon
Click Start -> All Programs -> Accessories -> Windows PowerShell. Then right-click Windows PowerShell and select Run as administrator.
By using both Get-ADUser and Set-ADUser commands you can easily force all the domain user accounts in an organizational unit (OU) to change their passwords at next logon.
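Import-Module ActiveDirectory
# $userID and $password must be set beforehand (account name and temporary password)
$ADuser = Get-ADUser $userID
# Continue only if the account was found
If ($ADuser)
{
    # Reset the password to the temporary value
    Set-ADAccountPassword $userID -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $password -Force)
    # Require the user to choose a new password at next logon
    Set-ADUser $userID -ChangePasswordAtLogon $true
}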
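The OU-wide change described above, written as an added example that is not from the original page: it previews the affected accounts with -WhatIf, skips accounts that should not be swept up in a bulk change, and then verifies the result. The function names Set-OUPasswordChangeAtLogon and Get-OUPasswordChangePending are hypothetical, and the OU path is the placeholder already used on this page.

```powershell
# Added example: scoped "must change password at next logon" with preview and verification.
# Assumption: the RSAT ActiveDirectory module is installed; the OU path is a placeholder.
Import-Module ActiveDirectory

function Set-OUPasswordChangeAtLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase   # e.g. "OU=Users,DC=example,DC=com"
    )

    # Enabled users only; fetch the attributes used to decide which accounts to skip.
    $candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties PasswordNeverExpires, adminCount

    foreach ($user in $candidates) {
        # ChangePasswordAtLogon cannot be set to $true while PasswordNeverExpires is $true.
        if ($user.PasswordNeverExpires) {
            Write-Warning "Skipping $($user.SamAccountName): PasswordNeverExpires is set"
            continue
        }
        # adminCount = 1 marks accounts that are, or have been, members of protected groups.
        if ($user.adminCount -eq 1) {
            Write-Warning "Skipping $($user.SamAccountName): privileged account (adminCount=1)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Require password change at next logon')) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }
    }
}

function Get-OUPasswordChangePending {
    param([Parameter(Mandatory = $true)][string]$SearchBase)
    # pwdLastSet = 0 is how AD records "User must change password at next logon".
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties pwdLastSet |
        Select-Object SamAccountName, @{ Name = 'MustChange'; Expression = { $_.pwdLastSet -eq 0 } }
}

# Preview only: -WhatIf lists the accounts that would be changed without modifying them.
Set-OUPasswordChangeAtLogon -SearchBase 'OU=Users,DC=example,DC=com' -WhatIf
# Apply, then verify:
# Set-OUPasswordChangeAtLogon -SearchBase 'OU=Users,DC=example,DC=com'
# Get-OUPasswordChangePending -SearchBase 'OU=Users,DC=example,DC=com'
```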