Enable the option (User must change Password at next logon) by default while password reset

    Question

  • hi,

    we have a requirement that the "User must change Password at next logon" option should be enabled by default while resetting the password.

    we have a Windows 2003 environment; both domain & forest functional levels are Windows 2003.

    how to enable this feature?


    kesav

    Monday, April 30, 2012 11:52 AM

All responses

  • Hello,

    if you create the account, check the box under the account properties within ADUC or use scripts to check this setting during account creation. So how do you reset passwords?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 30, 2012 12:00 PM
  • This should be a simple attribute set at creation time.  Not sure how you create new users but this is normally an easy process.

    From a scripting point of view an example is below as well.
    http://technet.microsoft.com/en-us/library/ee198797.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, April 30, 2012 12:03 PM
  • I presume that, when users are trying to reset the password, the "User must change password at next logon" should be checked automatically.

    If this is the case, by default it will be enabled. No need to do anything.

    Read this - http://forums.manageengine.com/topic/quot%3Buser-must-change-password-at-next-logon-quot%3B-set-after-password-reset

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, April 30, 2012 12:06 PM
  • Have a look at the KB below.

    The "User must change password at next logon" check box is not automatically selected after you modify the "Maximum password age" policy in Windows Server 2003. http://support.microsoft.com/kb/927054


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, April 30, 2012 12:26 PM
  • Hello,

    When a user tries to reset a password using the UI, he can check the option "User must change Password at next logon".

    Another option is to create an internal process where you have to use the following script to reset the users' password:

    rem Batch file: for every sAMAccountName listed in users.txt, find the user's DN
    rem with dsquery and reset the password with dsmod, forcing a change at next logon.
    for /f %%i in (users.txt) do (
        for /f "Tokens=*" %%l in ('dsquery.exe * -filter "(&(objectCategory=person)(objectClass=user)(samaccountname=%%i))"') do (
            dsmod user %%l -pwd Password -mustchpwd yes
        )
    )

    Here, you just have to create a text file named "users.txt" which contains the samaccountname of the users whose passwords you want to reset. Once done, run the script and you will get what you want.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer


    Monday, April 30, 2012 12:27 PM
  • You can reset the password in bulk, by selecting multiple users at one go and setting the option "users must change the password at next logon"; there is nothing special you require to do. Also, for an individual user Meinolf has already provided the way to go.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, April 30, 2012 12:36 PM
  • hi, Thanks all

    i know we can select "user must change .....", but we need it to be enabled by default.

    our need is: end users request a password change because they forgot the password. our admins reset the password and forget to enable the "user must change password ..." option. this creates a security risk.

    so we need the "user must change password at next logon" option to be enabled even if Domain Admins reset the passwords.


    kesav

    Tuesday, May 1, 2012 5:08 AM
  • My suggestion would instead be educating users who are forgetting the password as well as those who are resetting the password. It is strange that users forget the password and ask for a password reset; then you can provide them a self-service password reset option. The default option "users must change the password at next logon" can't be achieved and it requires some modification/tweaking at the schema/attribute level, which is not going to be simple.

    You can refer to a few self-service password utility links or you can buy some 3rd party tools.

    http://www.jijitechnologies.com/jiji-self-service-password-reset.aspx

    http://technet.microsoft.com/en-us/library/cc720655%28v=ws.10%29.aspx

    http://www.lepide.com/active-directory-self-service.html


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 1, 2012 5:42 AM
  • thanks Awinish for your reply.

    but we have another domain in a test environment. this option is enabled by default. but in the production environment it is not enabled.


    kesav

    Tuesday, May 1, 2012 6:16 AM
  • RK7L,

    As per my understanding it should be enabled by default. However, if you have modified the "Maximum password Age" then this kind of behavior is expected.

    Refer to this KB: http://support.microsoft.com/kb/927054. It might be helpful for you

    http://gallery.technet.microsoft.com/scriptcenter/7e44bd45-f49f-4e47-ae00-b18f544e478f

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 1, 2012 6:24 AM
  • Prashan,

    the given URLs don't help me. i need it to be enabled by default for all future password resets.


    kesav

    Tuesday, May 1, 2012 6:43 AM
  • You should read this,

    When you change the local or domain Maximum password age policy, the User must change password at next logon box is not checked for all users. When you change the Maximum password age in Windows NT 4.0, the User must change password at next logon box was checked for all users that had a password that could expire.

    Reference - http://www.windowsitpro.com/article/tips/q-if-you-change-the-maximum-password-age-policy-neither-windows-2000-server-nor-windows-server-2003-will-set-the-user-must-change-password-at-next-logon-check-box-

    So, that basically means, if you have defined a maximum password age policy, then the check box is not checked.

    You should check what the "Maximum password age" is in your domain.

    I would suggest you test this in a lab environment and see whether, if the Maximum password age is lowered, the User must change password at next logon box gets checked or not.

    Or you need to use the script as mentioned in my earlier post.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 1, 2012 7:35 AM
  • Thanks Prashant,

    i have set the same password policy as in the production environment. but still the test environment has the "user must change..." enabled by default.


    kesav

    Tuesday, May 1, 2012 7:46 AM
  • Hi,

    A PowerShell script can be used to update the pwdLastSet (User Must Change Password at Next Logon) value in Active Directory.

    http://portal.sivarajan.com/2011/07/user-must-change-password-at-next.html

    Hope it helps.



    Tuesday, May 1, 2012 8:23 AM
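The dsquery/dsmod batch script and the pwdLastSet post above describe the same mechanism: a reset that always ends with pwdLastSet = 0. The following is an added example (not code from any poster in this thread) of a help-desk wrapper that does that through ADSI, so it runs on a Windows 2003 domain without the AD PowerShell module. It assumes the account running it holds reset-password rights, and the hypothetical function name and the "DC=example,DC=com" search root are placeholders to replace with your own.

```powershell
# Added example: reset a user's password and force a change at next logon in one step.
# Hypothetical function name; the search root is a placeholder for your domain DN.
function Reset-PasswordMustChange {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$TemporaryPassword,
        [string]$SearchRoot = "LDAP://DC=example,DC=com"   # placeholder
    )

    # Same filter the dsquery line in the batch script uses, via DirectorySearcher.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add("pwdLastSet") | Out-Null
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$SamAccountName' not found under $SearchRoot" }

    $user = $result.GetDirectoryEntry()

    # SetPassword is the privileged admin reset (dsmod -pwd); it does not need the old password.
    $user.Invoke("SetPassword", $TemporaryPassword)

    # pwdLastSet = 0 is exactly what the 'User must change password at next logon'
    # check box (and dsmod -mustchpwd yes) writes. It is set unconditionally here so an
    # admin cannot forget it, which was the risk described in the question.
    $user.Properties["pwdLastSet"].Value = 0
    $user.SetInfo()

    # Verify the flag really stuck before reporting success: re-read pwdLastSet from the DC.
    $check = $searcher.FindOne()
    $pwdLastSet = [int64]$check.Properties["pwdlastset"][0]
    if ($pwdLastSet -ne 0) {
        throw "pwdLastSet is $pwdLastSet for $SamAccountName; must-change flag was not set"
    }
    Write-Output "Password reset for $SamAccountName; change required at next logon."
}

# Example call (constructed values): the temporary password should be handed to the
# user out of band and is only ever usable once, because the next logon forces a change.
# Reset-PasswordMustChange -SamAccountName "jdoe" -TemporaryPassword "Temp-Pass-PLACEHOLDER"
```

Because the flag is set after the reset and then read back, a failure anywhere in the sequence surfaces as an error rather than a silently permanent password.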
  • Hi

    You can set the attribute on the user account properties to change the password at next logon.

    You can also set the attribute for multiple users, and also set this from a login script.

    Please follow the URL below.

    http://technet.microsoft.com/en-us/library/ee198797.aspx

    Regards

    ajay Sharma

    Tuesday, May 1, 2012 9:20 AM
  • Hi,

    i have the solution / workaround. But i need this to be enabled automatically while only resetting the password.


    kesav

    Tuesday, May 1, 2012 9:43 AM
  • There isn't a way to automatically have this attribute set whenever someone changes the password for a user. If this is a requirement then it will require that you write a front end product that does this for your help desk.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Meinolf Weber MVP Wednesday, May 2, 2012 7:50 AM
    Tuesday, May 1, 2012 11:55 AM
  • As mentioned previously, what you see in the ADUC console is the default UI, and to change the default behavior you need to do some coding for performing changes in the schema, which is not going to be easy.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 1, 2012 2:45 PM
  • I have been in this situation. The 3rd party solutions suggested above will not work for that scenario. There is only one 3rd-party self service solution available that securely lets end users outside the domain reset a 'must change on next logon' password themselves, or even an expired permanent password (so they do not need to call the helpdesk for a reset in the first place). "Password Reset PRO" from www.sysoptools.com/password-reset-pro.aspx

    It is typically not a good idea to openly distribute permanent passwords via email or text to remote users. By using the correct 3rd party solution with your Active Directory, you can send users a temporary password and have them self-change that password to a new permanent one themselves. The only public-facing system that will accept the temporary password would be the self service portal. Security preserved, super cool. Hope this helps.

    Thursday, May 3, 2012 2:03 AM
  • There is a very inexpensive piece of help desk software that has the 'must change on next logon' option enabled by default when resetting a user's password, it is called "Account Manager" and is also made by SysOp Tools - www.sysoptools.com/account-manager-for-active-directory.aspx

    This is a small app that runs on the help desk workstation or terminal server: the help desk technician looks up the user, resets the password, and the 'must change on next logon' is automatically set as the default action. It also has scripting syntax so its actions can be called programmatically from another application or batch file / script. Hope this helps

    Thursday, May 3, 2012 2:08 AM