Home / server / Questions / 513428
Accepted
Nathan C
Asked: 2013-06-06 06:14:04 +0800 CST

AD reset user passwords for a security group

  • 772

I'm not quite sure if this is possible or not, but I need to force a certain security group's users to have their passwords expire so they'll be forced to change them on next login. The reason for this is because I applied a FGPP (password policy) to this particular group in order to enforce strong passwords. Well, many users have really weak passwords and they won't be changed unless they're forced.

Is there a way to do this without forcing everyone to a single password?

active-directory

3 Answers

  1. Best Answer

    You can do this in Powershell and Set-ADUser. Change the ChangepasswordatLogon flag to True.

    Would look something like this:

    Get-ADuser -Filter {memberof -RecursiveMatch "DN of Security Group"} | Set-ADuser -ChangePasswordatLogon:$true
    • 13

  2. If you prefer vbscript, even though why not use Powershell: A search for "vbscript set AD password to expired" yielded this article: How Can I Cause a User’s Password to Expire?

    I haven't tested it personally. The sample vbscript code is:

    Set objUser = GetObject("LDAP://CN=myerken,OU=Finance,DC=Fabrikam,DC=com")

objUser.pwdLastSet = 0
objUser.SetInfo

    You can combine this with other code to get the list users from the security group (use the security group CN= in the LDAP query) and loop through them applying this password expiration. This is a good example of that found by searching "vbscript getobject security group": Get all users in specific AD group using VbScript

    • 0

  3. Here's a Command Prompt option:

    for /f "delims=" %a in ('dsquery group -name "<INSERT_GROUP_NAME_HERE>" ^| dsget group -members -expand') do (
   dsmod user %a -mustchpwd yes
)
    • 0