Enable/disable the “User must change password at next logon” setting using PowerShell

You can configure the “User must change password at next logon” flag for a local user account using a PowerShell script. If you enable this setting, the user is forced to change their password the next time they log in to the device.

You may want to disable (uncheck) “User must change password at next logon” so that the user is not forced to change their password the next time they log in to the device.

In this blog post, I will show you how to configure this setting on a local machine manually and also by using PowerShell scripts.


How to disable the “User must change password at next logon” setting manually

You can easily disable the “User must change password at next logon” setting manually on Windows 10 or Windows 11 devices. This approach works if you have a limited number of devices. When you want to configure this setting on devices in bulk, you can use the PowerShell script which I have provided in the next section.

To disable “User must change password at next logon” for a local user account on Windows, follow the steps below:

  • Press Windows key + R together to open the Run dialog box.
  • Type compmgmt.msc and press Enter to open Computer Management.
  • Go to Local Users and Groups > Users.
  • Double-click a local user account to open its account properties.
  • Configure the “User must change password at next logon” option for the user account using the checkbox next to it.

PowerShell script to disable “User must change password at next logon”

Please note that you can use the Set-LocalUser cmdlet to configure local user account properties such as -AccountExpires, -AccountNeverExpires, -Password, -PasswordNeverExpires, etc. However, it has no parameter to configure “User must change password at next logon”.

I have recently created a blog post that provides the steps to create a local admin account using PowerShell scripts deployed using Intune. I used the New-LocalUser cmdlet to create the local user account.

Therefore, to be able to disable this flag, I will use Active Directory Service Interfaces (ADSI) with the WinNT: provider, which gives access to objects such as local user accounts on the device.

Disable/uncheck “User must change password at next logon” using PowerShell

The script below disables (unchecks) the option “User must change password at next logon”, so the user will not be forced to set a new password at next logon.

You will need to modify the script and replace cloudinfra101 with the local user account for which you want to configure this setting. cloudinfra101 is the name of a local user account on my device.

Copy the code below, save it in a file called DisableChangePassword.ps1, and run it from a PowerShell console opened as administrator. Please note that the cloudinfra101 user account must already exist on your system. This script will not create a local user account.

DisableChangePassword.ps1

# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 0 to disable "User must change password at next logon"
$usr.PasswordExpired = 0

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."

Enable/check “User must change password at next logon” using PowerShell

The script below enables (checks) the option “User must change password at next logon”, so the user will be forced to set a new password at next logon.

You will need to modify the script and replace cloudinfra101 with the local user account for which you want to configure this setting. cloudinfra101 is the name of a local user account on my device.

Copy the code below, save it in a file called EnableChangePassword.ps1, and run it from a PowerShell console opened as administrator. Please note that the cloudinfra101 user account must already exist on your system. This script will not create a local user account.

EnableChangePassword.ps1

# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 1 to enable "User must Change password at next logon"
$usr.PasswordExpired = 1

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
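
The two scripts above combined into one parameterised function, as an added example (not the author's script): the function name Set-MustChangePasswordAtNextLogon and its parameters are hypothetical. It confirms the account exists, refuses to enable the flag when “User cannot change password” or “Password never expires” is set (an assumption based on Computer Management not allowing those combinations), and reads the value back after saving.

```powershell
# Added example: hypothetical helper, not part of the original scripts.
function Set-MustChangePasswordAtNextLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][bool]$Enabled
    )

    # Fail early if the account is missing; nothing here creates accounts.
    $null = Get-LocalUser -Name $UserName -ErrorAction Stop

    # Bind to the local user account through the WinNT: provider
    $path = "WinNT://$env:COMPUTERNAME/$UserName,user"
    $usr  = [ADSI]$path

    if ($Enabled) {
        # ADS_USER_FLAG values that conflict with a forced password change.
        # Treating them as an error is this example's assumption.
        $ADS_UF_PASSWD_CANT_CHANGE = 0x40
        $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
        $conflict = $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
        if ([int]$usr.UserFlags.Value -band $conflict) {
            throw "'$UserName' has 'User cannot change password' or 'Password never expires' set; clear it first."
        }
    }

    # -WhatIf shows the change without writing it
    if ($PSCmdlet.ShouldProcess($UserName, "Set PasswordExpired = $([int]$Enabled)")) {
        $usr.PasswordExpired = [int]$Enabled
        $usr.SetInfo()
    }

    # Re-bind so the value is read from the account database, not the local cache
    $check = [ADSI]$path
    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        User                          = $UserName
        MustChangePasswordAtNextLogon = ([int]$check.PasswordExpired.Value -eq 1)
    }
}

# Same effect as DisableChangePassword.ps1; use -Enabled $true for the enable case
Set-MustChangePasswordAtNextLogon -UserName 'cloudinfra101' -Enabled $false
```

Run it from a PowerShell console opened as administrator, as with the scripts above; the returned object can be collected per device to confirm the setting in a bulk rollout.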

Conclusion

In this blog post, we have seen how to enable or disable the setting “User must change password at next logon” for a local user account using PowerShell. This is really useful when you have to configure this setting for a particular local user account on all of the organization's devices in one go.
