Joe Brown is on the phone. He is locked out of Windows because he has forgotten his password. We could reset his password via Active Directory Users and Computers, but ADUC is very annoyingly clicky.
Of course, it's also possible to unlock Joe Brown's account and reset his password to "33Foo$bars" via NET USER:
net user jbrown 33Foo$bars /domain /active:yes
Unfortunately, the flag requiring him to choose a new password is not set by this command. We, being enlightened administrators, do not want to know any user's permanent password at any time.
Does anyone have an efficient command-line method to unlock/reset and require a password change, using native Windows tools (including PowerShell or VBScript if necessary) but no 3rd-party binaries?
Context: Windows Server 2008 domain.
The binary 'dsmod' (comes with Win7 and Vista, and somewhere along the way XP got them too) should do what you want.
It can do a lot more as well! Very useful tool.
There are a couple of other tools along side that one that are quite useful as well.
dsquery - searches AD from the command line.
dsget - pulls attributes from objects.
dsadd - allows creating objects (and users!). Definitely worth a look for any scripter.
Untested, but I've done stuff like this before with DSMod user:
dsquery user -samid username | dsmod.exe user -pwd <Password> -mustchpwd yes -disabled no
/edited - includes the good suggestion to prepend with dsquery to let you look up the samid (login) instead of the UDN.
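The same unlock/reset/must-change sequence in PowerShell, as an added example that is not from this thread: it uses only ADSI (System.DirectoryServices, present on Server 2008 and Win7 without the RSAT ActiveDirectory module), looks the user up by login name the way the dsquery pipeline above does, and generates a one-time password so the administrator never holds a permanent one. It assumes you run it as a domain account with reset-password rights on the target user, and that the generated password satisfies your domain's complexity policy.

```powershell
# Added example (not from the original thread): unlock, enable, reset to a
# one-time password and force a password change at next logon, using ADSI only.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # e.g. jbrown
)

$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit for "account disabled"

# Look the user up by sAMAccountName (the login name), not by DN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "No user with sAMAccountName '$SamAccountName' found." }
$user = $result.GetDirectoryEntry()

# Generate a random one-time password from the CSPRNG so no admin ever knows a
# permanent password. The suffix guarantees all four character classes.
$bytes = New-Object byte[] 24
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$tempPassword = ([Convert]::ToBase64String($bytes)).Substring(0, 16) + '!1aZ'

# 1. Administrative password reset (old password not required). Set it before
#    enabling, since a domain policy may refuse to enable a blank-password account.
$user.Invoke('SetPassword', $tempPassword)

# 2. Clear the lockout (lockoutTime = 0).
$user.Put('lockoutTime', 0)

# 3. Make sure the account is enabled (clear the disable bit, keep the rest).
$uac = [int]$user.Properties['userAccountControl'].Value
$user.Put('userAccountControl', ($uac -band (-bnot $ADS_UF_ACCOUNTDISABLE)))

# 4. pwdLastSet = 0 is the "user must change password at next logon" flag.
$user.Put('pwdLastSet', 0)

# Commit the attribute changes.
$user.SetInfo()

Write-Output "Temporary password for $SamAccountName (must be changed at first logon): $tempPassword"
```

Hand the temporary password to the user over the phone and it is dead after their first logon; nothing permanent is ever known to you.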
To reset a user's password and force password change:
This just worked for me on my Win7 box.