How to expire a Windows user password without AD?



  • Wish to have a setting to expire a Windows user account on the fly and without delay, so at the next login he sees the window to create a new password.

    Also wish to run this via the command line so I can push it via SaltStack.

    I found this:
    NET ACCOUNTS /MAXPWAGE:1

    But it is not what I am looking for; I want something that simply expires the password whenever it gets executed. SaltStack has a module for this, but it is not working.

    This works:
    WMIC USERACCOUNT WHERE Name='MSFuser' SET PasswordExpires=TRUE
    for setting "never expire" (FALSE), but it does not work for expiring it, because then it looks for the value in Group Policy. Sure, I can change that, but it will start a 42-day timer and then expire; what I want is to expire it now.

    I want something like this for Windows:
    passwd -e

    -e, --expire Immediately expire an account's password. This in effect can force a user to change his/her password at the user's next login.



  • @emad-r said in How to expire a Windows user password without AD?:

    Wish to have a setting to expire a Windows user account on the fly and without delay, so at the next login he sees the window to create a new password.

    I'm pretty sure you can do that through Computer Management. Without some research, I'm not sure if it can be done via PowerShell. That being said, I'm sure there must be a registry setting that gets toggled, which forces the password expiration; thus, you could connect to the computer remotely and toggle that setting.



  • For AD users:
    Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true

    salt 'hostname' cmd.run 'Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true' shell=powershell

    For local users:
    $user=[ADSI]'WinNT://localhost/account23';
    $user.passwordExpired = 1;
    $user.setinfo()

    https://stackoverflow.com/questions/20705096/how-to-enable-the-user-flag-user-must-change-password-at-next-logon-for-a-loca
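The local-user snippet above, expanded into a function that also clears the "password never expires" flag (which takes precedence over the must-change flag) and reads the result back for verification. This is an added example, not code from the thread; the function name and the `account23` sample user are assumptions, and it needs to run elevated.

```powershell
# Added example (not from the thread): mark a local account's password as expired
# through the WinNT ADSI provider so the user must set a new one at next logon.
function Set-LocalPasswordExpired {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userFlags bit for "password never expires"

    $path = "WinNT://$ComputerName/$UserName,user"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Local user '$UserName' not found on $ComputerName"
    }
    $user = [ADSI]$path

    # "Password never expires" overrides the must-change flag, so clear it first.
    $flags = [int]$user.UserFlags.Value
    if ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        $user.Put("UserFlags", $flags -bxor $ADS_UF_DONT_EXPIRE_PASSWD)
    }

    # Same write as the answer above: equivalent to ticking
    # "User must change password at next logon" in Computer Management.
    $user.PasswordExpired = 1
    $user.SetInfo()

    # Re-read from SAM and report, rather than trusting the write succeeded.
    $user.RefreshCache()
    [pscustomobject]@{
        User            = $UserName
        PasswordExpired = ([int]$user.PasswordExpired.Value -eq 1)
        NeverExpires    = (([int]$user.UserFlags.Value -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
    }
}

# Usage (assumed sample account); pushable via salt cmd.run with shell=powershell:
# Set-LocalPasswordExpired -UserName 'account23'
```

Expect `PasswordExpired` to be `True` and `NeverExpires` to be `False` in the returned object; any other combination means the flag did not take.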



  • @black3dynamite That forces a change at logon, but does not immediately expire the existing password.

    But, if I was in a position to need to do this, I would set that flag and then force logoff the system anyway.

    Because even if you expire the password, Windows does not care about the already logged in session.