How to Force Users in OU to Change Password at Next Logon via Powershell for Active Directory


My goal is to to force all users in  a certain OU to change their passwords at next login. So let’s get started.

First I need to get a list of my users accounts. We know we can use get-aduser -filter * to get all the users and their properties, however I only want a certain set of users.

A quick get-help shows me I can use -searchbase and the distinguished path to narrow my search down. Now I can add that parameter to my command.

Get-ADUser -SearchBase “OU=test,DC=north,DC=local” -Filter *

Now we’re getting somewhere, I’ve narrowed my search down, let’s pass some things along to the next command via the pipeline. The goal of my next command is is so I can get the accountnames of my search. Since we’re selecting objects and no longer filtering, we need to use select-object.

Get-ADUser -SearchBase “OU=test,DC=north,DC=local” -Filter * | select-object -expandproperty samaccountname

Now the above will get me the accounts of all the ad users under north.local\test.If I don’t use the expandproperty I’ll get objects that are “samaccountname=accountname” when really all I want is “samaccountname”. I’ll use set-aduser to do things, I figured this out by doing get-command *aduser*. This gave me a list of commands that had aduser in it. I can use -changepasswordatlogon $true to force the change I want. The goal of my next pipe is to actually do something with my results! I’m going to use foreach-object because I will be working with more than one account, and I want to do the script block enclosed in { $_  } once per object.

Get-ADUser -SearchBase “OU=test,DC=north,DC=local” -Filter * | select-object -expandproperty samaccountname | foreach-object { set-aduser $_ -ChangePasswordAtLogon $true -passthru}

Finally I’ll add -passthru to my script block to show the output of the script block or else I won’t get the list of accounts that have had changes made to them!


Leave a comment