The option “User must change password at next logon” is usually enabled when creating a new Active Directory user, or when an administrator resets a user’s password (for example, because the user forgot it or the password was compromised).
You can enable the option “User must change password at next logon” using the ADUC console (Active Directory Users and Computers):
- Launch the dsa.msc snap-in;
- Find the domain user and open its properties;
- Go to the Account tab and enable the option “User must change password at next logon” in the Account options section;
- Save the changes by clicking OK.
This option is also enabled by default when you create a new AD user using the ADUC graphical wizard (New > User).
When resetting a user’s password, the domain’s account operator can also enable or disable this option in the Reset Password window.
You can also enable the option “User must change password at next logon” using PowerShell. To do this, use the Get-ADUser and Set-ADUser cmdlets from the Active Directory PowerShell module. For the username, specify the value of the sAMAccountName attribute:
Import-Module ActiveDirectory
Get-ADUser -Identity jsanti | Set-ADUser -ChangePasswordAtLogon $true
You can enable the ChangePasswordAtLogon attribute for all users in a specific OU:
Get-ADUser -Filter * -SearchBase "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" | Set-ADUser -ChangePasswordAtLogon:$True
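A fuller version of the bulk operation above, as an added example that is not part of the original article: it walks an OU, first clears “Password never expires” on any account that has it (while that option is set, the “change at next logon” option cannot be applied), sets the flag only where it is not already set, supports -WhatIf for a dry run, and verifies the result by reading pwdLastSet, the attribute that the checkbox sets to 0. The function name and the OU distinguished name are placeholders.

```powershell
# Added example (not the article's own code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-ForcePasswordChangeInOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # OU distinguished name
    )

    # Enabled accounts only; pull the two attributes the checks below depend on.
    $users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
                        -Properties PasswordNeverExpires, pwdLastSet

    foreach ($u in $users) {
        # "Password never expires" blocks "change at next logon", so clear it first.
        if ($u.PasswordNeverExpires) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear PasswordNeverExpires')) {
                Set-ADUser -Identity $u -PasswordNeverExpires $false
            }
        }

        # pwdLastSet = 0 is exactly what the checkbox sets; skip users already forced.
        if ($u.pwdLastSet -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }

    # Verification: list enabled users in the OU whose pwdLastSet is still non-zero.
    # After a real run this should return nothing; after -WhatIf it shows what remains.
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase -Properties pwdLastSet |
        Where-Object { $_.pwdLastSet -ne 0 } |
        Select-Object SamAccountName, pwdLastSet
}

# Placeholder OU; replace with the real distinguished name.
$ou = "OU=Users,OU=California,OU=USA,DC=example,DC=com"

# Dry run first, then apply.
Set-ForcePasswordChangeInOU -SearchBase $ou -WhatIf
Set-ForcePasswordChangeInOU -SearchBase $ou
```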
When creating new users in AD with the PowerShell New-ADUser cmdlet, you can also enable this attribute (see the example in the article https://theitbros.com/import-users-into-active-directory-from-csv/).
If this option is enabled for the user account, the next time the user logs on to any domain computer or server, a notification appears after the password is entered:
The user’s password must be changed before signing in
The user must click OK and then specify a new password and its confirmation in the next form.
If the user refuses to change the password, they won’t be able to log on to a domain computer with the old password until it is changed.
If you want to reset an AD user’s password, but in the Reset Password window the option “User must change password at next logon” is grayed out, check the following:
- Make sure that the option “Password never expires” is not enabled in the user properties on the Account tab. If it is enabled, uncheck the option and click OK;
- Make sure that your account has sufficient permissions to reset the password for this user. To do this, in the user properties in the ADUC console, go to the Security > Advanced > Effective Access tab. Click the Select a user button and specify the name of your account (to which the password reset permissions are delegated) and click the View effective access button.
- Make sure that you have ResetPassword and Write userAccountControl (or Write Account Restrictions) permissions.
If your account does not have the permissions listed above to reset the password, you need to delegate these permissions using an account with Domain Admin rights. Right-click the OU where the user is located and select Delegate Control.
In the Delegation of Control Wizard, specify the user or group to whom you want to delegate permissions and, on the next step (Tasks to Delegate), select Reset user passwords and force password change at next logon. Click Next > Finish.
If the permissions still do not appear after that, check that inheritance is enabled in the properties of the user for whom you want to enable the password change option. Open the user properties > Security > Advanced; if the Enable inheritance button is available, click it and then OK.