“User must change password at next logon” feature in Active Directory

(Last updated on July 28, 2021)

The User must change password at next logon setting can be flagged in a couple of different scenarios in Active Directory, including when a user account password has expired, or when an administrator manually sets the flag on an account. 

Below is an example of the “User must change password at next logon” flag set on a user account.  

User account set to require a password change at the next logon

PowerShell can query to see the User must change password at next logon flag. The attribute is configured and set on the pwdlastset placeholder. When this setting is 0, the user must set the password the next time they login. 

The output below is found using the following snippet of PowerShell code:

  • get-aduser -identity <username> -properties * | select accountexpirationdate, accountexpires, accountlockouttime, badlogoncount, padpwdcount, lastbadpasswordattempt, lastlogondate, lockedout, passwordexpired, passwordlastset, pwdlastset | format-list
The pwdlastset attribute set to 0 forces a password reset

Manually setting the User must change password at next logon flag

Typically, an administrator would do this if working with an end-user directly during a password reset. For security reasons, an administrator does not need to know the password of an end-user. To avoid this being the case, an administrator can set a temporary password with this setting.

User must change password at next logon for breached passwords

What if the “User must change password at next logon” could be initiated on a user account in an automated fashion for security purposes? This could be an automated mechanism that could detect a breached password, and set the flag on the user account, requiring the end-user to change their password. Specops Password Policy is a great solution that easily provides this capability. Specops Password Policy has real-time protection against breached passwords. If a user password in your environment is found on the breached password list, the mechanism initiates the password change flag on the user account.

Specops Password Policy is a powerful tool to protect your environment against the threat of breached passwords in the environment.

Check out Specops Password Policy and download a free trial version.

brandon lee

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Back to Blog