How to force all users to change their Active Directory password at next logon

You need to open Active Directory Users and Computers MMC snap-in (DSA.MSC) by selecting Start -> Administrative Tools -> Active Directory Users and Computers, and then locate your desired AD user. Right-click on the account and select Properties. To force the user account to change the password, just tick the “User must change password at next logon” checkbox.



dsquery user | dsmod user -mustchpwd yes

this command force all the users must change their passwords on next logon, CAUTION its include Domain Administrator also.

You can also use “OU” for a group of users to change their password instead of “user”

You can try the below commands if you have a group that contains all the users and no admins and such:

get-adgroup "Group Name" | Get-ADGroupMember -Recursive | set-aduser -ChangePasswordAtLogon $True


get-aduser -Filter * -SearchBase "OU=Users,DC=example,DC=com" | set-aduser -ChangePasswordAtLogon $True

And if you want to see what users will be affected you can run

get-adgroup "Group Name" | Get-ADGroupMember -Recursive | ft name

Force All Active Directory User Accounts to Change their Passwords at Next Logon

Click Start -> All Programs -> Accessories -> Windows PowerShell. Then Right-click Windows PowerShell, and select Run as administrator

By using both Get-ADUser and Set-ADUser commands you can easily force all the domain user accounts in an organizational unit (OU) to change their passwords at next logon.

$ADuser = Get-ADUser $userID
Set-adaccountpassword $userID -reset -newpassword (ConvertTo-SecureString -AsPlainText $password -Force)
Set-aduser $userID -changepasswordatlogon $true