In this blog post, we will see how to enable or disable the User must change password at next logon flag for a local user account on Windows devices. We will update this flag using a PowerShell script. At the end of the post, we will learn about updating this flag using Intune.
If you enable this setting, it will force the user to change the password at the next logon. If you disable or uncheck this setting, the user will not be required to change the password at the next logon.
Disable User must change password at next logon setting manually
Let’s first check where this setting exists and how to change it manually on a Windows device.
- Press the Windows key + R together to open the Run dialog box.
- Type compmgmt.msc and press Enter to open Computer Management.
- Go to Local Users and Groups > Users.
- Double-click on a local user account to check account properties.
- You can enable or disable the User must change password at next logon setting for a user account by using the checkbox next to it.
Disable User must change password at next logon using PowerShell
We will now check the method for disabling the User must change password at next logon flag for a local user account using PowerShell. There is a PowerShell cmdlet called Set-LocalUser, which can be used to manage other user account properties like -AccountExpires, -AccountNeverExpires, -Password, -PasswordNeverExpires etc. However, this cmdlet does not provide an option to manage the User must change password at next logon setting.
In my other blog post, I have provided the steps to Create a local admin account using PowerShell scripts which are deployed using Intune. It utilizes the New-LocalUser cmdlet for creating a local user account.
Therefore, to disable this flag, I would use Active Directory Service Interfaces (ADSI) to access objects like the local user account on the device using the WinNT: provider.
- Copy the code below. (Replace cloudinfra101 account with the local user account you want to configure).
```powershell
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 0 to disable "User must change password at next logon"
$usr.PasswordExpired = 0

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
```
- Save the code as DisableChangePassword.ps1.
- Open a PowerShell console as an administrator.
- Navigate to the folder where you saved DisableChangePassword.ps1.
- Run the script by executing the following command:
.\DisableChangePassword.ps1
- Please ensure the cloudinfra101 user account already exists on your device, as this script will not create a local user account.
Enable User must change password at next logon using PowerShell
To enable (check) the User must change password at next logon option and force a user to change their password at the next logon, follow these steps:
- Copy the code below. (Replace cloudinfra101 account with the local user account you want to configure).
```powershell
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 1 to enable "User must change password at next logon"
$usr.PasswordExpired = 1

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
```
- Save the code as EnableChangePassword.ps1.
- Open a PowerShell console as an administrator.
- Navigate to the folder where you saved EnableChangePassword.ps1.
- Run the script by executing the following command:
.\EnableChangePassword.ps1
- Please ensure the cloudinfra101 user account already exists on your system, as this script will not create a local user account.
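The two scripts above differ only in the value written to PasswordExpired. As an added example (not code from the original post), the function below combines them, fails early when the account is missing, checks the account's UserFlags for options that conflict with a forced change, and reads the value back after saving. The function name Set-MustChangePassword and its -Enabled parameter are hypothetical, and the UserFlags checks are an added precaution.

```powershell
#Requires -RunAsAdministrator
# Added example: the function and parameter names are hypothetical.
function Set-MustChangePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][bool]$Enabled
    )

    # UserFlags bits from ADS_USER_FLAG_ENUM
    $PasswdCantChange = 0x40      # "User cannot change password"
    $DontExpirePasswd = 0x10000   # "Password never expires"

    # The ADSI scripts do not create the account, so stop if it is missing.
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        throw "Local user '$UserName' does not exist on $env:ComputerName."
    }

    $path  = "WinNT://$env:ComputerName/$UserName,user"
    $usr   = [ADSI]$path
    $flags = [int]$usr.UserFlags.Value

    if ($Enabled) {
        # Forcing a change the user is not allowed to make would lock them out.
        if ($flags -band $PasswdCantChange) {
            throw "'$UserName' has 'User cannot change password' set; not forcing a change."
        }
        if ($flags -band $DontExpirePasswd) {
            Write-Warning "'$UserName' has 'Password never expires' set; review whether both settings are intended."
        }
    }

    $before = [int]$usr.PasswordExpired.Value
    $usr.PasswordExpired = [int]$Enabled   # 1 = must change, 0 = not required
    $usr.SetInfo()

    # Bind again so the value is read from the account database, not the local cache.
    $after = [int]([ADSI]$path).PasswordExpired.Value
    [pscustomobject]@{
        User    = $UserName
        Before  = $before
        After   = $after
        Applied = ($after -eq [int]$Enabled)
    }
}

# Force cloudinfra101 to change the password at the next logon.
Set-MustChangePassword -UserName 'cloudinfra101' -Enabled $true
```

The returned object records the flag before and after the change, which leaves a simple record when the script is run across many devices.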
Enable/Disable User must change password at next logon using Intune
If you are managing devices via Intune, you can change this flag on all Intune-managed devices using the above PowerShell scripts. For more details, refer to the blog post below:
Conclusion
In this blog post, we have seen how to enable or disable the User must change password at next logon setting for a local user account using PowerShell. This is useful in cases where you have to configure this setting for a particular local user account on all of the organization's devices.