“User must change password at next logon” feature in Active Directory
(Last updated on July 28, 2021)
The User must change password at next logon setting can be flagged in a couple of different scenarios in Active Directory, including when a user account password has expired, or when an administrator manually sets the flag on an account.
Below is an example of the “User must change password at next logon” flag set on a user account.
PowerShell can query the User must change password at next logon flag. There is no separate attribute for it: the flag is represented by the pwdLastSet attribute. When pwdLastSet is 0, the user must set a new password the next time they log on.
The output below is found using the following snippet of PowerShell code:
- Get-ADUser -Identity <username> -Properties * | Select-Object AccountExpirationDate, accountExpires, AccountLockoutTime, BadLogonCount, badPwdCount, LastBadPasswordAttempt, LastLogonDate, LockedOut, PasswordExpired, PasswordLastSet, pwdLastSet | Format-List
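The query above looks at one account. The following PowerShell is an added example, not code from the original post, that turns the same attributes into a report of every enabled account currently holding the flag, using the pwdLastSet = 0 test the text describes. The function name is my own; it uses only the ActiveDirectory module cmdlets already shown above.

```powershell
# Added example: report enabled accounts that must change their password at
# next logon. Requires the ActiveDirectory (RSAT) module and rights to read
# user attributes in the domain.
Import-Module ActiveDirectory

function Get-MustChangePasswordReport {
    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties pwdLastSet, PasswordLastSet, PasswordExpired, PasswordNeverExpires, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                # pwdLastSet = 0 is exactly the "must change at next logon" state
                MustChangeAtLogon    = ($_.pwdLastSet -eq 0)
                # PasswordLastSet is $null while pwdLastSet is 0
                PasswordLastSet      = $_.PasswordLastSet
                PasswordExpired      = $_.PasswordExpired
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
            }
        }
}

# Only the accounts holding the flag. A flagged account that has not logged on
# for a long time is worth a look: the temporary password from a reset may
# still be live and unchanged.
Get-MustChangePasswordReport |
    Where-Object MustChangeAtLogon |
    Sort-Object LastLogonDate |
    Format-Table SamAccountName, PasswordExpired, PasswordNeverExpires, LastLogonDate -AutoSize
```

Run it under an account that can read the attributes; it makes no changes to the directory.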
Manually setting the User must change password at next logon flag
Typically, an administrator sets this flag while working directly with an end-user during a password reset. For security reasons, an administrator should not know an end-user's password. To avoid that, the administrator assigns a temporary password and sets this flag, so the temporary password can only be used once before the user replaces it.
User must change password at next logon for breached passwords
What if the “User must change password at next logon” flag could be set on a user account automatically for security purposes? An automated mechanism could detect a breached password and set the flag on the user account, requiring the end-user to change their password. Specops Password Policy is a solution that provides this capability. Specops Password Policy has real-time protection against breached passwords: if a user password in your environment is found on the breached password list, the mechanism sets the password change flag on the user account.
Specops Password Policy is a powerful tool to protect your environment against the threat of breached passwords.
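Both the manual reset described above and the automated flagging described here come down to the same two cmdlets. The PowerShell below is an added example, not Specops code and not from the original post: one function performs the administrator-assisted reset (temporary password plus flag, then verifies pwdLastSet is 0), and a second applies the flag to a list of account names handed over by whatever check produced them (a breached-password detector, an audit). The function names and the sample account names are constructed for this example. The check for PasswordNeverExpires is included because Set-ADUser -ChangePasswordAtLogon $true is not accepted for an account that has that property set.

```powershell
# Added example: set the "User must change password at next logon" flag for one
# user after an administrator-assisted reset, and in bulk from a list of names.
# Requires the ActiveDirectory (RSAT) module and rights to reset passwords.
Import-Module ActiveDirectory

function Reset-PasswordWithChangeAtLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$TemporaryPassword
    )
    # -Reset replaces the password without the administrator knowing the old one
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $TemporaryPassword
    # This sets pwdLastSet to 0, so the temporary password is single-use
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    # Verify the flag really landed before handing the temporary password over
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    if ($user.pwdLastSet -ne 0) {
        throw "Change-at-logon flag was not applied to $SamAccountName"
    }
    $user
}

function Set-MustChangePasswordFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName
    )
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties pwdLastSet, PasswordNeverExpires
        if ($user.PasswordNeverExpires) {
            # The flag cannot be set while "Password never expires" is on;
            # report it rather than silently skipping the account
            Write-Warning "$name has PasswordNeverExpires set; clear it before flagging"
            continue
        }
        if ($user.pwdLastSet -eq 0) {
            Write-Verbose "$name is already flagged"
            continue
        }
        # -WhatIf on the function call previews the change without applying it
        if ($PSCmdlet.ShouldProcess($name, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $name -ChangePasswordAtLogon $true
            Write-Output "Flagged $name"
        }
    }
}

# Usage with constructed account names (replace with your own):
# $tmp = Read-Host -AsSecureString 'Temporary password'
# Reset-PasswordWithChangeAtLogon -SamAccountName 'jdoe' -TemporaryPassword $tmp
# Set-MustChangePasswordFlag -SamAccountName 'jdoe', 'asmith' -WhatIf
# Set-MustChangePasswordFlag -SamAccountName 'jdoe', 'asmith' -Verbose
```

Run the bulk function with -WhatIf first; the list of names it would touch is the review step before anything is written to the directory.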