Re: Change password at next logon without resetting password or using
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 9 Jan 2008 13:21:50 -0600
Brian Edwards wrote:

We had to dismiss two admin-level IT employees suddenly. They knew many end user passwords at the company. Changing all of the admin passwords is no problem, it's the end user passwords we're concerned about. Here is what we want to accomplish:

- We want to force all users to change their passwords at the very next logon

We do already employ a GPO that governs Password Policy, and it works great. Every 60 days users must change their passwords and the minimum age of a password is 5 days. Password History remembers 3 passwords, so it's difficult for them to use the same password over and over.

Now, however, we need everyone to change their passwords relatively immediately. We've been instructed *NOT* to make this public knowledge by sending a general email asking everyone to change their passwords, which would be the easiest method. So, two questions come to mind:

1. If, in Active Directory, we use the "Reset Password" function, can we leave the password fields blank but select the "User must change password at next logon" and have the users' current passwords still work at the next logon but have them still get prompted to immediately change their passwords?

2. Is there a way to force password changes *at next logon* using a temporary GPO, and if so, how do we determine when all of the passwords have been changed? There may be some employees who do not log in for a week or more, due to vacations and such.

I've done a little research but haven't found these answers yet, and I'm pressed for time. I appreciate your assistance.

You want to assign the value 0 (zero) to the pwdLastSet attribute of all
user objects. This expires the password so the user must change it the next
time they log on (if their passwords expire). You can use a script or a
command line utility, like csvde, to do this.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
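
The following is an added example, not part of the original post or the author's own script: one way to apply the pwdLastSet change described above and then list the accounts that have not yet changed their password, which is the second question in the quoted message. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU distinguished name is a placeholder and the function names are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example. The OU below is a placeholder; scope the search to end-user
# accounts so that service accounts are not expired along with them.
$SearchBase = 'OU=Staff,DC=example,DC=com'

function Get-ExpirableUser {
    # Enabled accounts whose passwords can expire. As the reply notes, zeroing
    # pwdLastSet only forces a change for accounts whose passwords expire.
    Get-ADUser -SearchBase $SearchBase -Properties pwdLastSet `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
}

function Set-PasswordExpired {
    # Writes pwdLastSet = 0. The user still logs on with the current password
    # and is then required to choose a new one.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($user in Get-ExpirableUser) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set pwdLastSet to 0')) {
            Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
        }
    }
}

function Get-PendingUser {
    # pwdLastSet stays 0 until the user actually changes the password, so any
    # account still at 0 has not completed the forced change.
    Get-ExpirableUser |
        Where-Object { $_.pwdLastSet -eq 0 } |
        Select-Object SamAccountName, DistinguishedName
}

# Typical sequence:
#   Set-PasswordExpired -WhatIf   # preview which accounts would be touched
#   Set-PasswordExpired           # apply the change
#   Get-PendingUser               # rerun periodically until it returns nothing
```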