How to set ‘User must change password at next logon’ flags in Active Directory
The User must change password at next logon setting can be flagged in a couple of different scenarios in Active Directory, including when a user account password has expired, or when an administrator manually sets the flag on an account. This setting is a powerful tool in your IT admin toolkit as it allows you to force users to change their passwords the next time they log in. In this blog, we’ll delve into these questions and provide practical insights into implementing and managing this setting effectively.
Why flag accounts with this setting?
You might want to use the ‘user must change password at next logon’ setting in Active Directory for several reasons:
- Security best practices: It’s a good security practice to regularly change passwords to reduce the risk of unauthorized access. This setting ensures that users change their passwords periodically.
- Initial password reset: When a new user is created, or when a password is reset by an administrator, the user should change the password at the next logon to ensure they are the only one who knows it.
- Compromised passwords: If there’s a suspicion that a password has been compromised, you can force a password change at the next logon to secure the account.
- Compliance requirements: Some industries have regulations that require password changes after a certain period. This setting can help meet those requirements.
- Preventing password sharing: By forcing users to change their passwords, you can help prevent password sharing. If someone shares their password, the other person won’t be able to log in again after the password has been changed.
This setting is a simple way to enhance security and control access to your network.
How to query ‘user must change password at next logon’ with PowerShell
Below is an example of the ‘User must change password at next logon’ flag set on a user account.
PowerShell can query the User must change password at next logon flag. It is not a separate attribute: the flag is represented by the pwdLastSet attribute, and when pwdLastSet is 0 the user must set a new password the next time they log in. Also relevant in this context is the ForcePasswordChangeOnLogOn feature, which you can read more about in our blog post on how to force password changes at next logon in Entra ID.
That output is produced by the following PowerShell snippet:
```powershell
# Replace <username> with the account's sAMAccountName; pwdLastSet = 0 means the flag is set
Get-ADUser -Identity <username> -Properties * |
    Select-Object AccountExpirationDate, accountExpires, AccountLockoutTime, BadLogonCount, badPwdCount, LastBadPasswordAttempt, LastLogonDate, LockedOut, PasswordExpired, PasswordLastSet, pwdLastSet |
    Format-List
```
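The per-user query above generalizes to a domain-wide audit. The script below is an added example, not code from the original post: it filters on pwdLastSet=0 server-side and reports every flagged account, and it assumes the RSAT ActiveDirectory module and read access to user attributes; the function names are ours.

```powershell
# Added example: report all user accounts carrying the
# 'User must change password at next logon' flag (pwdLastSet = 0).
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-ChangeAtLogonReport {
    [CmdletBinding()]
    param(
        # Default to the whole domain; narrow with an OU DN if needed.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # pwdLastSet is a FILETIME value; the flag is represented by 0.
    # objectCategory=person excludes computer accounts, which also store pwdLastSet.
    $users = Get-ADUser -LDAPFilter '(&(objectCategory=person)(pwdLastSet=0))' `
        -SearchBase $SearchBase `
        -Properties pwdLastSet, whenChanged, PasswordNeverExpires, LockedOut

    foreach ($u in $users) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            # The flag does not take effect while 'Password never expires' is set,
            # so surfacing both helps spot accounts where the forced change is moot.
            PasswordNeverExpires = $u.PasswordNeverExpires
            LockedOut            = $u.LockedOut
            # pwdLastSet carries no date while it is 0; whenChanged is the
            # nearest hint of when the flag was applied.
            FlagAppliedAround    = $u.whenChanged
        }
    }
}

# Convert a raw pwdLastSet value to something readable (0 = flag set).
function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq 0) { return 'Must change password at next logon' }
    return [DateTime]::FromFileTime($Value)
}

# Usage: list flagged accounts, oldest change first.
Get-ChangeAtLogonReport | Sort-Object FlagAppliedAround | Format-Table -AutoSize
```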
Manually setting the ‘User must change password at next logon’ flag
Typically, an administrator does this when working with an end user directly during a password reset. For security reasons, an administrator should not know an end user's password. To avoid that, the administrator sets a temporary password together with this flag, so the user is forced to replace it at the next logon.
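The reset-plus-flag procedure just described, scripted as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and password-reset rights on the target account; the function name and the `<username>` placeholder are ours, and the temporary password is read as a SecureString so it never lands in shell history.

```powershell
# Added example: reset a user to a temporary password, require a change at
# next logon, and verify that pwdLastSet actually reads 0 afterwards.
Import-Module ActiveDirectory

function Set-TemporaryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$TemporaryPassword
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, LockedOut

    # The forced change does not take effect while 'Password never expires' is set,
    # so stop here rather than silently leaving the temporary password in place.
    if ($user.PasswordNeverExpires) {
        throw "$SamAccountName has 'Password never expires' set; clear it before forcing a change."
    }

    if (-not $PSCmdlet.ShouldProcess($SamAccountName, 'Reset password and force change at next logon')) {
        return
    }

    # -Reset performs an administrative reset; the old password is not required.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $TemporaryPassword

    # ChangePasswordAtLogon writes pwdLastSet = 0, the value the earlier query checks for.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # A reset is commonly paired with an unlock when the account is locked out.
    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

    # Read the attribute back instead of assuming the write succeeded.
    $after = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    if ($after.pwdLastSet -ne 0) {
        throw "Flag not set on $SamAccountName (pwdLastSet=$($after.pwdLastSet))."
    }
    return $after
}

# Usage (replace <username>); -WhatIf previews without touching the account.
# Set-TemporaryPassword -SamAccountName '<username>' -TemporaryPassword (Read-Host -AsSecureString 'Temporary password')
```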
What about breached passwords?
What if the ‘User must change password at next logon’ flag could be set on a user account automatically, for security purposes? This could be an automated mechanism that detects a breached password and sets the flag on the account, requiring the end user to change their password. Specops Password Policy is a great solution that easily provides this capability. Specops Password Policy continuously scans your Active Directory against our database of over 4 billion unique breached passwords. If a user password in your environment is found on the breached password list, the mechanism sets the password change flag on the user account.
Interested to see how Specops Password Policy could fit in with your organization? Get in touch and we’ll set you up with a free trial.
(Last updated on December 2, 2024)