
    Active Directory Force All Users to Change Passwords on Next Login

    active directory
    44 Posts 11 Posters 4.9k Views
    • DustinB3403

      https://gallery.technet.microsoft.com/scriptcenter/Reset-AD-User-Password-and-bcd31566

      This script, while piecemeal, should get you close enough to sort out the bulk change.

      Probably has some serious risks doing bulk changes...

      • DustinB3403

        Here is a PS script where you import a CSV.

        • scottalanmiller

          Looks like you can search, highlight and select all and right click to do it that way, too.

          • Dashrender

            That script seems odd... force a change to some common thing now? And then force a change at next logon?
            Why not just a next-logon change, and leave the current password alone until they next log on?

            • stacksofplates @Dashrender

              Could help you on Linux. Sorry.

              • Grey

                First, this is a Bad Idea(tm). Lots of service accounts may not want to change their accounts and you'll break applications that rely on them. The Administrator (500) account will also have to be reset.
                Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.

                The PS is two components, joined by a pipe.
                get-aduser -filter * | set-aduser -ChangePasswordAtNextLogon $true

                ref: https://technet.microsoft.com/en-us/library/ee617195.aspx & https://technet.microsoft.com/en-us/library/dd391883(v=ws.10).aspx

                Good luck. I'm not executing that command to verify that it works, but it should. Woe betide the admin that does this in production.

                • scottalanmiller @Grey

                  @Grey said in Active Directory Force All Users to Change Passwords on Next Login:

                  Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.

                  That's where we are, yes.

                  • stacksofplates @Grey

                    @Grey said in Active Directory Force All Users to Change Passwords on Next Login:

                    First, this is a Bad Idea(tm). Lots of service accounts may not want to change their accounts and you'll break applications that rely on them. The Administrator (500) account will also have to be reset.
                    Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.

                    The PS is two components, joined by a pipe.
                    get-aduser -filter * | set-aduser -ChangePasswordAtNextLogon $true

                    ref: https://technet.microsoft.com/en-us/library/ee617195.aspx & https://technet.microsoft.com/en-us/library/dd391883(v=ws.10).aspx

                    Good luck. I'm not executing that command to verify that it works, but it should. Woe betide the admin that does this in production.

                    I don't know how Windows does it, but in RHEL any UID 1000 and above is users only. System accounts are under 1000. I'm guessing it's similar, so anything above the system accounts would be fine.

                    • JaredBusch @Grey

                      @Grey said in Active Directory Force All Users to Change Passwords on Next Login:

                      First, this is a Bad Idea(tm). Lots of service accounts may not want to change their accounts and you'll break applications that rely on them. The Administrator (500) account will also have to be reset.
                      Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.

                      The PS is two components, joined by a pipe.
                      get-aduser -filter * | set-aduser -ChangePasswordAtNextLogon $true

                      ref: https://technet.microsoft.com/en-us/library/ee617195.aspx & https://technet.microsoft.com/en-us/library/dd391883(v=ws.10).aspx

                      Good luck. I'm not executing that command to verify that it works, but it should. Woe betide the admin that does this in production.

                      I would do this but first work on the filter for get-aduser to only pull domain users or something.

                      • coliver

                        You can always add a -WhatIf at the end of your command to see if it will do what you want it to.

                        • DustinB3403

                          Again, this PowerShell script would do this, against only the users you supply in the CSV.

                          You'd supply the username as SamAccountName, aka "djackson" if that is the user's login name.

                          • DustinB3403

                            This is another approach that will work; it's OU-based, though.

                            http://www.top-password.com/blog/force-all-ad-user-accounts-to-change-passwords-at-next-logon/

                            I would recommend using PowerShell to pull a list of all SamAccountNames in the domain, and remove any service accounts, manually changing those passwords.

                            • Texkonc @stacksofplates

                              @stacksofplates said in Active Directory Force All Users to Change Passwords on Next Login:

                              Could help you on Linux. Sorry.

                              What? You mean Linux doesn't work with AD? 🙂

                              • Obsolesce

                                you could add in there something like:

                                Where-Object {$_.cn -notlike "*Admin*"}
                                
                                • DustinB3403

                                  Here is what I would do.

                                  Run

                                   Get-ADUser -Filter * | select SAMAccountName | export-csv c:\userlist.csv
                                  

                                  To pull a list of all users in the domain, filter out service accounts, as you don't want those changed automatically.

                                  Then run this Password Generator

                                  function New-SWRandomPassword {
                                  	<#
                                  	.Synopsis
                                  	   Generates one or more complex passwords designed to fulfill the requirements for Active Directory
                                  	.DESCRIPTION
                                  	   Generates one or more complex passwords designed to fulfill the requirements for Active Directory
                                  	.EXAMPLE
                                  	   New-SWRandomPassword
                                  	   C&3SX6Kn
                                  
                                   	   Will generate one password with a fixed length of 8 chars (the default parameter set).
                                  	.EXAMPLE
                                  	   New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 16 -Count 20
                                  	   7d&5cnaB
                                  	   !Bh776T"Fw
                                  	   9"C"RxKcY
                                  	   %mtM7#9LQ9h
                                  
                                   	   Will generate 20 passwords, each with a length of between 8 and 16 chars.
                                  	.EXAMPLE
                                  	   New-SWRandomPassword -InputStrings abc, ABC, 123 -PasswordLength 4
                                  	   3ABa
                                  
                                  	   Generates a password with a length of 4 containing atleast one char from each InputString
                                  	.EXAMPLE
                                  	   New-SWRandomPassword -InputStrings abc, ABC, 123 -PasswordLength 4 -FirstChar abcdefghijkmnpqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ
                                  	   3ABa
                                  
                                  	   Generates a password with a length of 4 containing atleast one char from each InputString that will start with a letter from 
                                  	   the string specified with the parameter FirstChar
                                  	.OUTPUTS
                                  	   [String]
                                  	.NOTES
                                   	   Written by Simon Wåhlin, blog.simonw.se
                                  	   I take no responsibility for any issues caused by this script.
                                  	.FUNCTIONALITY
                                  	   Generates random passwords
                                  	.LINK
                                  	   http://blog.simonw.se/powershell-generating-random-password-for-active-directory/
                                     
                                  	#>
                                  	#New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 16 -Count 4
                                  	[CmdletBinding(DefaultParameterSetName='FixedLength',ConfirmImpact='None')]
                                  	[OutputType([String])]
                                  	Param
                                  	(
                                  		# Specifies minimum password length
                                  		[Parameter(Mandatory=$false,
                                  				   ParameterSetName='RandomLength')]
                                  		[ValidateScript({$_ -gt 0})]
                                  		[Alias('Min')] 
                                  		[int]$MinPasswordLength = 8,
                                  		
                                  		# Specifies maximum password length
                                  		[Parameter(Mandatory=$false,
                                  				   ParameterSetName='RandomLength')]
                                  		[ValidateScript({
                                  				if($_ -ge $MinPasswordLength){$true}
                                  				else{Throw 'Max value cannot be lesser than min value.'}})]
                                  		[Alias('Max')]
                                  		[int]$MaxPasswordLength = 12,
                                  
                                  		# Specifies a fixed password length
                                  		[Parameter(Mandatory=$false,
                                  				   ParameterSetName='FixedLength')]
                                  		[ValidateRange(1,2147483647)]
                                  		[int]$PasswordLength = 8,
                                  		
                                  		# Specifies an array of strings containing charactergroups from which the password will be generated.
                                  		# At least one char from each group (string) will be used.
                                  		[String[]]$InputStrings = @('abcdefghijkmnpqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&'),
                                  
                                  		# Specifies a string containing a character group from which the first character in the password will be generated.
                                  		# Useful for systems which requires first char in password to be alphabetic.
                                  		[String] $FirstChar,
                                  		
                                  		# Specifies number of passwords to generate.
                                  		[ValidateRange(1,2147483647)]
                                  		[int]$Count = 1
                                  	)
                                  	Begin {
                                  		Function Get-Seed{
                                  			# Generate a seed for randomization
                                  			$RandomBytes = New-Object -TypeName 'System.Byte[]' 4
                                  			$Random = New-Object -TypeName 'System.Security.Cryptography.RNGCryptoServiceProvider'
                                  			$Random.GetBytes($RandomBytes)
                                  			[BitConverter]::ToUInt32($RandomBytes, 0)
                                  		}
                                  	}
                                  	Process {
                                  		For($iteration = 1;$iteration -le $Count; $iteration++){
                                  			$Password = @{}
                                  			# Create char arrays containing groups of possible chars
                                  			[char[][]]$CharGroups = $InputStrings
                                  
                                  			# Create char array containing all chars
                                  			$AllChars = $CharGroups | ForEach-Object {[Char[]]$_}
                                  
                                  			# Set password length
                                  			if($PSCmdlet.ParameterSetName -eq 'RandomLength')
                                  			{
                                  				if($MinPasswordLength -eq $MaxPasswordLength) {
                                  					# If password length is set, use set length
                                  					$PasswordLength = $MinPasswordLength
                                  				}
                                  				else {
                                  					# Otherwise randomize password length
                                  					$PasswordLength = ((Get-Seed) % ($MaxPasswordLength + 1 - $MinPasswordLength)) + $MinPasswordLength
                                  				}
                                  			}
                                  
                                  			# If FirstChar is defined, randomize first char in password from that string.
                                  			if($PSBoundParameters.ContainsKey('FirstChar')){
                                  				$Password.Add(0,$FirstChar[((Get-Seed) % $FirstChar.Length)])
                                  			}
                                  			# Randomize one char from each group
                                  			Foreach($Group in $CharGroups) {
                                  				if($Password.Count -lt $PasswordLength) {
                                  					$Index = Get-Seed
                                  					While ($Password.ContainsKey($Index)){
                                  						$Index = Get-Seed                        
                                  					}
                                  					$Password.Add($Index,$Group[((Get-Seed) % $Group.Count)])
                                  				}
                                  			}
                                  
                                  			# Fill out with chars from $AllChars
                                  			for($i=$Password.Count;$i -lt $PasswordLength;$i++) {
                                  				$Index = Get-Seed
                                  				While ($Password.ContainsKey($Index)){
                                  					$Index = Get-Seed                        
                                  				}
                                  				$Password.Add($Index,$AllChars[((Get-Seed) % $AllChars.Count)])
                                  			}
                                  			Write-Output -InputObject $(-join ($Password.GetEnumerator() | Sort-Object -Property Name | Select-Object -ExpandProperty Value))
                                  		}
                                  	}
                                  }
                                  

                                  Specifically, run New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 16 -Count 20, and change the length and count to a number the customer is comfortable with.

                                  Copy the list of passwords out, and save them into the CSV generated in step 1.

                                  And then run this PowerShell script to reset the user passwords.

                                  Lastly give the passwords from the CSV to the individual employees so they can select their own password.

                                  • dafyre @Grey

                                    @Grey said in Active Directory Force All Users to Change Passwords on Next Login:

                                    First, this is a Bad Idea(tm). Lots of service accounts may not want to change their accounts and you'll break applications that rely on them. The Administrator (500) account will also have to be reset.
                                    Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.

                                    The PS is two components, joined by a pipe.
                                    get-aduser -filter * | set-aduser -ChangePasswordAtNextLogon $true

                                    ref: https://technet.microsoft.com/en-us/library/ee617195.aspx & https://technet.microsoft.com/en-us/library/dd391883(v=ws.10).aspx

                                    Good luck. I'm not executing that command to verify that it works, but it should. Woe betide the admin that does this in production.

                                    If you adjust the filter, you can ignore Service accounts and such.

                                    • coliver

                                      If your service accounts are in a specific OU (ours are), then you can also just change the scope to the users' OU.

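One way to scope the get-aduser | set-aduser pipeline from Grey's post so it skips the built-in Administrator, a service-account OU and a naming convention, written as an added example for this thread (it is not code posted by any of the participants). The OU distinguished names and the svc*/*admin* patterns are assumed placeholders for your own domain; it writes the selected accounts to a CSV before touching anything and honours -WhatIf, as coliver suggested.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. The DNs and name patterns below are
# placeholders: replace them with your own OU layout and naming convention.
function Set-ScopedChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # OU that holds ordinary user accounts (placeholder DN)
        [string]$UserSearchBase = 'OU=Users,DC=example,DC=com',
        # OUs whose accounts are never touched (placeholder DNs)
        [string[]]$ExcludeSearchBase = @('OU=Service Accounts,DC=example,DC=com'),
        # SamAccountName patterns that mark service/admin accounts (assumed convention)
        [string[]]$ExcludeNameLike = @('svc*', '*admin*'),
        # Review list written before any change is made
        [string]$ReportPath = "$env:TEMP\force-change-review.csv"
    )

    # RID 500 is the built-in Administrator; skip it explicitly (Grey's point)
    $adminSid = "$((Get-ADDomain).DomainSID.Value)-500"

    # Only enabled accounts under the user OU are candidates
    $candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserSearchBase `
        -Properties PasswordNeverExpires, DistinguishedName, SID

    $inScope = foreach ($u in $candidates) {
        if ($u.SID.Value -eq $adminSid) { continue }
        # "Password never expires" is almost always a service account
        if ($u.PasswordNeverExpires) { continue }
        # Anything that lives under an excluded OU is left alone
        if ($ExcludeSearchBase | Where-Object { $u.DistinguishedName -like "*,$_" }) { continue }
        # Naming-convention matches are left alone
        if ($ExcludeNameLike | Where-Object { $u.SamAccountName -like $_ }) { continue }
        $u
    }

    # Leave an audit trail of exactly which accounts were selected
    $inScope | Select-Object SamAccountName, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose "Wrote $(@($inScope).Count) in-scope accounts to $ReportPath"

    foreach ($u in $inScope) {
        # -WhatIf / -Confirm given to this function flow through to Set-ADUser
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set ChangePasswordAtNextLogon')) {
            Set-ADUser -Identity $u -ChangePasswordAtNextLogon $true
        }
    }
    $inScope
}

# Dry run first: lists what would change and writes the review CSV, touches nothing
# Set-ScopedChangePasswordAtLogon -WhatIf -Verbose
# Then, once the CSV has been reviewed:
# Set-ScopedChangePasswordAtLogon -Confirm:$false
```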
                                      • JaredBusch @DustinB3403

                                        @DustinB3403 Why are you injecting a new password when all that was asked was to force the "must change at next login" Boolean?

                                        • DustinB3403 @JaredBusch

                                          @JaredBusch Just being lazy and not modifying the PowerShell that was easily found online.

                                          • DustinB3403 @JaredBusch

                                            @JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:

                                            @DustinB3403 Why are you injecting a new password when all that was asked was to force the "must change at next login" Boolean?

                                            Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.

                                            Rather than at next login.
