Enable/Disable User must Change password at next logon Flag using PowerShell

In this blog post, we will see how to enable or disable the User must Change password at next logon flag for a local user account on Windows devices. We will update this flag using a PowerShell script. At the end of the post, we will look at updating this flag using Intune.

If you enable this setting, the user is forced to change their password at the next logon. If you disable or untick this setting, the user is not required to change their password at the next logon.

User must Change password at next logon

Disable “User must Change password at next logon” setting manually

Let’s first check where this setting exists and how to change it manually on a Windows device.

  • Press the Windows key + R together to open the Run dialog box.
  • Type compmgmt.msc and press Enter to open Computer Management.
  • Go to Local Users and Groups > Users.
  • Double-click on a local user account to check account properties.
  • You can enable/disable User must Change password at next logon setting for a user account by using the checkbox next to it.
User must Change password at next logon setting for a local user account Cloudinfra101

Disable “User must Change password at next logon” using PowerShell

We will now look at disabling the User must Change password at next logon flag for a local user account using PowerShell. There is a PowerShell cmdlet called Set-LocalUser that can manage other user account properties such as -AccountExpires, -AccountNeverExpires, -Password and -PasswordNeverExpires. However, this cmdlet does not provide an option to manage the User must Change password at next logon setting.

In my other blog post, I have provided the steps to create a local admin account using PowerShell scripts deployed through Intune. It uses the New-LocalUser cmdlet to create the local user account.

Therefore, to disable this flag, I will use Active Directory Service Interfaces (ADSI) to access the local user account object on the device through the WinNT: provider.

  1. Copy the code below. (Replace the cloudinfra101 account with the local user account you want to configure.)
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 0 to disable "User must Change password at next logon"
$usr.PasswordExpired = 0

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
  2. Save the code as DisableChangePassword.ps1.
  3. Open a PowerShell console as an administrator.
  4. Navigate to the folder where you saved DisableChangePassword.ps1.
  5. Run the script by executing the following command:
.\DisableChangePassword.ps1
  6. Please ensure the cloudinfra101 user account already exists on your device, as this script will not create a local user account.

Enable “User must Change password at next logon” using PowerShell

To enable the User must Change password at next logon option and force a user to change their password at the next logon, follow these steps:

  1. Copy the code below. (Replace the cloudinfra101 account with the local user account you want to configure.)
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 1 to enable "User must Change password at next logon"
$usr.PasswordExpired = 1

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
  2. Save the code as EnableChangePassword.ps1.
  3. Open a PowerShell console as an administrator.
  4. Navigate to the folder where you saved EnableChangePassword.ps1.
  5. Run the script by executing the following command:
.\EnableChangePassword.ps1
  6. Please ensure the cloudinfra101 user account already exists on your system, as this script will not create a local user account.

Enable/Disable “User must Change password at next logon” using Intune

To configure the User must Change password at next logon flag on all Intune-managed devices, you can use the PowerShell scripts provided in the previous sections of this blog post and deploy them via the Intune admin center. I have written the blog post below, which will guide you through updating this flag using Intune.
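A parameterized version of the enable and disable scripts above, added here as an example and not taken from the original post, that is better suited to Intune deployment: it refuses to run when the account is missing (the case noted in step 6 of both procedures), skips the write when the flag already holds the requested value, and re-reads the property after SetInfo() so a failed change surfaces as a non-zero exit code that Intune reports as a script failure. The $UserName and $Action parameters and the exit-code convention are assumptions of this example.

```powershell
<#
  Added example (not the original post's script): toggles the
  "User must change password at next logon" flag for one local
  account with an existence check and post-change verification.
  Parameter names and the exit-code convention are assumptions,
  chosen so Intune can report a failed run.
#>
param(
    [Parameter(Mandatory)]
    [string]$UserName,                  # local account to configure
    [ValidateSet('Enable', 'Disable')]
    [string]$Action = 'Enable'
)

# The ADSI WinNT provider exposes the flag as the integer property
# PasswordExpired: 1 = must change at next logon, 0 = not required.
$desired = if ($Action -eq 'Enable') { 1 } else { 0 }

# Fail early if the account does not exist: the flag cannot be set on
# an account that is not there, and the ADSI bind alone does not
# surface that until SetInfo() is called.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    Write-Error "Local user '$UserName' does not exist on $env:COMPUTERNAME."
    exit 1
}

$usr = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$current = [int]$usr.PasswordExpired.Value

if ($current -eq $desired) {
    Write-Host "'$UserName': flag already $desired ($Action); nothing to do."
    exit 0
}

$usr.PasswordExpired = $desired
$usr.SetInfo()

# Re-read from the provider rather than trusting the in-memory object.
$usr.RefreshCache()
$after = [int]$usr.PasswordExpired.Value
if ($after -ne $desired) {
    Write-Error "'$UserName': flag is $after after SetInfo(), expected $desired."
    exit 1
}
Write-Host "'$UserName': 'User must change password at next logon' set to $desired ($Action)."
exit 0
```

Run it as an administrator (or as SYSTEM under Intune), for example .\SetChangePasswordFlag.ps1 -UserName cloudinfra101 -Action Disable.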

Conclusion

In this blog post, we have seen how to enable or disable the User must Change password at next logon setting for a local user account using PowerShell. This is useful where you have to configure this setting for a particular local user account on all of the organization's devices.
