Enable/disable User must Change password at next logon setting using PowerShell

Using a PowerShell script, you can set the User must Change password at next logon flag for a local user account. When this setting is enabled, the user is forced to change their password the next time they log in to the device.

You may instead want to disable (uncheck) the User must Change password at next logon setting, so that the user is not forced to change their password the next time they log in to the device.

This blog post will show you how to configure this setting manually on a local machine and by using PowerShell scripts.


1. Disable “User must Change password at next logon” setting manually

Use this manual approach to configure this setting if you have a limited number of devices. Let’s check the steps:

  • Press the Windows key + R together to open the Run dialog box.
  • Type compmgmt.msc and press Enter to open Computer Management.
  • Go to Local Users and Groups > Users.
  • Double-click on a local user account to check account properties.
  • You can enable/disable User must Change password at next logon setting for a user account by using the checkbox next to it.

2. Disable “User must Change password at next logon” using PowerShell

Please note that you can use the Set-LocalUser cmdlet to configure local user account properties like -AccountExpires, -AccountNeverExpires, -Password, -PasswordNeverExpires, etc. However, it provides no parameter to configure the User must Change password at next logon setting.

I have recently created a blog post to provide the steps which create a local admin account using PowerShell scripts which are deployed using Intune. I have used the New-LocalUser cmdlet for creating a local user account.


Therefore, to disable this flag, I would use Active Directory Service Interfaces (ADSI), as in the code below, to access objects like the local user account on the device through the WinNT: provider.

  1. Copy the code below. (Replace cloudinfra101 account with the local user account you want to configure).
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 0 to disable "User must Change password at next logon"
$usr.PasswordExpired = 0

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
  2. Save the code as DisableChangePassword.ps1.
  3. Open a PowerShell console as an administrator.
  4. Navigate to the folder where you saved DisableChangePassword.ps1.
  5. Run the script by executing the following command:
.\DisableChangePassword.ps1
  6. Please ensure the cloudinfra101 user account exists on your system, as this script will not create a local user account.

3. Enable “User must Change password at next logon” using PowerShell

To enable (check) the User must Change password at next logon option and force a user to change their password at the next logon, follow these steps:

  1. Copy the code below. (Replace cloudinfra101 account with the local user account you want to configure).
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 1 to enable "User must Change password at next logon"
$usr.PasswordExpired = 1

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
  2. Save the code as EnableChangePassword.ps1.
  3. Open a PowerShell console as an administrator.
  4. Navigate to the folder where you saved EnableChangePassword.ps1.
  5. Run the script by executing the following command:
.\EnableChangePassword.ps1
  6. Please ensure the cloudinfra101 user account exists on your system, as this script will not create a local user account.
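
The scripts from sections 2 and 3 combined into one parameterized function, as an added example that is not part of the original post: it checks that the account exists, refuses to set the flag when a conflicting option is on, and reads the value back after saving. Set-MustChangePassword is a hypothetical helper name; the two guards assume the options Computer Management treats as mutually exclusive with this checkbox, read from the WinNT provider's UserFlags property.

```powershell
# Added example: Set-MustChangePassword is a hypothetical helper, not a built-in cmdlet.
function Set-MustChangePassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][bool]$Enabled
    )

    # Fail early with a clear message if the account is missing (nothing here creates it).
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        throw "Local user '$UserName' does not exist on $env:ComputerName."
    }

    # Bind to the local user account through the WinNT: provider, as in the scripts above.
    $usr = [ADSI]"WinNT://$env:ComputerName/$UserName,user"

    if ($Enabled) {
        # ADS_USER_FLAG_ENUM bits: 0x10000 = password never expires, 0x40 = user cannot change password.
        $flags = [int]$usr.UserFlags.Value
        if ($flags -band 0x10000) { throw "'$UserName' has 'Password never expires' set; clear it first." }
        if ($flags -band 0x40)    { throw "'$UserName' has 'User cannot change password' set; clear it first." }
    }

    $wanted = [int]$Enabled   # 1 = must change at next logon, 0 = no forced change
    if ($PSCmdlet.ShouldProcess($UserName, "Set PasswordExpired to $wanted")) {
        $usr.PasswordExpired = $wanted
        $usr.SetInfo()

        # Re-bind and read the value back instead of assuming the write took effect.
        $check  = [ADSI]"WinNT://$env:ComputerName/$UserName,user"
        $actual = [int]$check.PasswordExpired.Value
        if ($actual -ne $wanted) {
            throw "PasswordExpired is $actual for '$UserName', expected $wanted."
        }
        [pscustomobject]@{ Computer = $env:ComputerName; User = $UserName; PasswordExpired = $actual }
    }
}

# Usage from an elevated console; cloudinfra101 is the account name used on this page.
Set-MustChangePassword -UserName 'cloudinfra101' -Enabled $true
```

Adding -WhatIf to the call shows the intended change without writing it, which is useful before pushing the script to many devices.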

Conclusion

In this blog post, we have seen how to enable or disable the User must Change password at next logon setting for a local user account using PowerShell. This is useful in cases where you have to configure this setting for a particular local user account on all the organization's devices in one go.
