User Must Change Password at Next Logon

“User Must Change Password at Next Logon” Option Not Working/Grayed Out


The option “User must change password at next logon” is usually enabled when a new Active Directory user is created, or when an administrator resets a user’s password (because the user forgot it or the password was compromised). With the flag set, the user has to choose a new password before the next successful sign-in, so the person who knows the temporary password (the admin, or whoever intercepted it) cannot keep using it.

You can enable the option “User must change password at next logon” using the ADUC console (Active Directory Users and Computers):

  1. Launch the dsa.msc snap-in;
  2. Find the domain user and open its properties;
  3. Go to the Account tab and enable the option “User must change password at next logon” in the Account options section;
  4. Save the changes by clicking OK.


This option is also enabled by default when you create a new AD user using the ADUC graphical wizard (New > User).


When resetting a user’s password (right-click the user > Reset Password), an administrator or a delegated account operator can also enable or disable the same option directly in the Reset Password dialog.


You can also enable the option “User must change password at next logon” using PowerShell. To do this, use the Get-ADUser and Set-ADUser cmdlets from the AD PowerShell module (RSAT). For the username, specify the value of the sAMAccountName attribute:

Import-Module ActiveDirectory

Get-ADUser -Identity jsanti | Set-ADUser -ChangePasswordAtLogon $true

Note that ChangePasswordAtLogon is a cmdlet parameter, not an AD attribute: setting it to $true writes 0 to the user’s pwdLastSet attribute, and that zero value is what makes the domain controller demand a new password at logon.

You can set ChangePasswordAtLogon for all users in a specific OU (check the result with -WhatIf first, as this affects every user returned by the filter):

Get-ADUser -Filter * -SearchBase "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" | Set-ADUser -ChangePasswordAtLogon $true

When creating new users in AD using the PowerShell New-ADUser cmdlet, you can also set this option with the same -ChangePasswordAtLogon parameter (see the example in the article https://theitbros.com/import-users-into-active-directory-from-csv/).
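The following script is an added example (not code from the original article) that ties the PowerShell steps above together: it forces a password change for one user, handles the “Password never expires” conflict that greys the option out in ADUC, verifies the result through pwdLastSet, and then previews the same change for every enabled user in an OU. The user name jsanti and the OU distinguished name are assumptions taken from the examples above.

```powershell
# Added example, not from the original article. Assumes RSAT AD module and
# an account delegated to reset passwords. User/OU names are assumptions.
Import-Module ActiveDirectory

function Set-ForceChangeAtNextLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, pwdLastSet

    # "User must change password at next logon" cannot coexist with
    # "Password never expires" (ADUC greys the checkbox out), so clear it first.
    if ($user.PasswordNeverExpires) {
        Write-Warning "$SamAccountName has 'Password never expires' set; clearing it first."
        Set-ADUser -Identity $user -PasswordNeverExpires $false
    }

    # -ChangePasswordAtLogon is a cmdlet parameter, not an attribute:
    # it writes pwdLastSet = 0 on the user object.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Verify: pwdLastSet equal to 0 means the flag is in effect.
    $after = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    [pscustomobject]@{
        SamAccountName = $after.SamAccountName
        MustChange     = ($after.pwdLastSet -eq 0)
    }
}

# Single user (assumed name)
Set-ForceChangeAtNextLogon -SamAccountName 'jsanti'

# Every enabled user in an OU (assumed DN). Users with "Password never expires"
# are skipped rather than silently modified. Remove -WhatIf to apply.
$ou = 'OU=Users,OU=California,OU=USA,DC=theitbros,DC=com'
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -Properties PasswordNeverExpires |
    Where-Object { -not $_.PasswordNeverExpires } |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Report which users in the OU are currently flagged (pwdLastSet = 0)
Get-ADUser -Filter * -SearchBase $ou -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -eq 0 } |
    Select-Object SamAccountName, DistinguishedName
```

Reading pwdLastSet back is the reliable check: the ADUC checkbox and the ChangePasswordAtLogon parameter are both just views of that attribute, so a report built on pwdLastSet = 0 shows exactly which accounts will be prompted at their next logon.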

If this option is enabled for a user account, then the next time the user logs on to any domain computer or server, a notification appears right after the password is entered:

The user’s password must be changed before signing in


The user must click OK and, in the next form, enter and confirm a new password that meets the domain password policy.


If the user declines to change the password, they cannot log on to a domain computer with the old password until they do.

If you want to reset an AD user’s password, but in the Reset Password window the option “User must change password at next logon” is grayed out, check the following:


  1. Make sure that the option “Password never expires” is not enabled in the user properties on the Account tab. The two options are mutually exclusive; if it is enabled, uncheck it and click OK.
  2. Make sure that your account has sufficient permissions to reset the password for this user. To do this, in the user properties in the ADUC console, go to Security > Advanced > Effective Access. Click Select a user, specify the name of your account (the one to which the password reset permissions are delegated), and click View effective access.
  3. Make sure that you have the Reset Password extended right and Write permission on userAccountControl (or on the Account Restrictions property set) and on pwdLastSet. Because the option works by writing pwdLastSet = 0, the reset right alone is not enough to set it.
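The Effective Access tab answers the question interactively; the script below is an added example (not from the original article) that performs the same check from PowerShell. It resolves the GUIDs of the Reset Password extended right and of the pwdLastSet and userAccountControl attributes from the directory schema rather than hard-coding them, reads the ACL of the target user, and reports whether a given delegate holds each right directly. The user name jsanti and the delegate name THEITBROS\HelpDesk are assumptions.

```powershell
# Added example, not from the original article. Assumes the RSAT AD module
# (for the AD: drive) and read access to the user object's security descriptor.
# Target and delegate names are assumptions.
Import-Module ActiveDirectory

function Test-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$TargetSamAccountName,
        [Parameter(Mandatory)][string]$DelegateName   # DOMAIN\group or DOMAIN\user as shown in the ACL
    )
    $rootDse = Get-ADRootDSE
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # GUID of the "Reset Password" control access right, read from the configuration NC
    $resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    $resetGuid = [guid]$resetRight.rightsGuid

    # schemaIDGUIDs of the attributes that the "change at next logon" flag touches
    $attrGuids = @{}
    foreach ($attr in 'pwdLastSet', 'userAccountControl') {
        $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $attrGuids[$attr] = [guid]$obj.schemaIDGUID
    }

    $user = Get-ADUser -Identity $TargetSamAccountName
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # Only Allow ACEs granted to the delegate (inherited ones included)
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $DelegateName
    }

    # ObjectType = empty GUID means "all extended rights" / "all properties"
    $hasReset = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($extRight) -and
        ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [guid]::Empty)
    })
    $canWrite = @{}
    foreach ($attr in $attrGuids.Keys) {
        $canWrite[$attr] = [bool]($aces | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($writeProp) -and
            ($_.ObjectType -eq $attrGuids[$attr] -or $_.ObjectType -eq [guid]::Empty)
        })
    }

    [pscustomobject]@{
        Target                  = $user.DistinguishedName
        Delegate                = $DelegateName
        InheritanceBlocked      = $acl.AreAccessRulesProtected   # true = OU delegation does not reach this user
        ResetPassword           = $hasReset
        WritePwdLastSet         = $canWrite['pwdLastSet']
        WriteUserAccountControl = $canWrite['userAccountControl']
    }
}

Test-PasswordResetDelegation -TargetSamAccountName 'jsanti' -DelegateName 'THEITBROS\HelpDesk'
```

The check is deliberately narrow: it matches ACEs by the delegate’s name only, so rights granted through nested group membership or through a property set such as Account Restrictions are not resolved (Effective Access in ADUC does resolve them). What it does surface directly is the two usual causes of a greyed-out option: a missing ACE on the OU, and InheritanceBlocked = True on the user, which is the case the last section of this article addresses.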

If your account does not have the permissions above, they need to be delegated by an account with Domain Admin rights. Right-click the OU where the user is located and select Delegate Control.


In the Delegation of Control Wizard, specify the user or group to whom you want to delegate permissions and, in the next step (Tasks to Delegate), select Reset user passwords and force password change at next logon. Click Next > Finish. This task grants the Reset Password extended right together with read and write access to pwdLastSet on user objects in the OU, which is exactly what the option needs.


If the permissions still do not take effect after that, check that permission inheritance is enabled on the user object itself, since a delegation made on the OU only reaches objects that inherit from it. Open the user properties > Security > Advanced; if the Enable inheritance button is available, inheritance is currently blocked on this user, so click it and then OK. (Inheritance is blocked by design on accounts protected by AdminSDHolder, such as members of Domain Admins; for those, delegated OU permissions are reset periodically and will not apply.)
