User Creation script is not enabling "Change Password At Next Logon"

  • Question

  • I am using a PowerShell script I created to create user accounts with set permissions but for some reason it will not enable "change password at next logon".

    Here is a snip of my code: New-ADUser -Name $dn -AccountPassword $password -ChangePasswordAtLogon 1

    I even tried $true instead of the 1 but nothing works. I do not have any options set for "Does not expire". Any ideas on what I could be doing wrong?

    Thursday, July 9, 2015 4:26 PM


  • New-ADUser -Name $dn -AccountPassword $password -ChangePasswordAtLogon $true -PasswordNeverExpires $false
    Can you try that?
    Thursday, July 9, 2015 4:49 PM

All replies

  • Thanks Slava. It appears something in my script is breaking because I added -PasswordNeverExpires $false to my script, still didn't work.

    So I tried just a basic command New-ADUser -Name "Test User" -AccountPassword $password -ChangePasswordAtLogon $true -PasswordNeverExpires $false

    That actually worked. I will have to find out why and where it fails to apply -ChangePasswordAtLogon $true in my script.

    Thursday, July 9, 2015 6:29 PM
  • Here is basically my script:

    #This Script Prompts and Creates User Accounts for Specific Departments. 
    #Please NOTE that some Departments will prompt for Security Group entries because they may vary per Job Title in targeted Department
    #requires -version 2.0
    #Sales function is the Template for our Direct Sales new hires
    Function Account_Executive{
        #User Profile Attributes
        $title = "Title"
        $dept = "Sales"
        $co = "Company LLC"
        New-ADUser -Name $dn -AccountPassword $password -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Title $title -Department $dept -DisplayName $dn -samAccountName $UserID -UserPrincipalName $ -EmailAddress $ -GivenName $fn -Surname $ln -Manager $Manager -Mobile $mobile -Path "OU=Location,OU=Users,DC=Domain,DC=COM"
        #Pause the Script for the account to show up in AD
        start-sleep -s 20
        #Automatically sets the Title, Department, and Company name into user profile
        $Hashtable = new-object hashtable
        $Hashtable.Add("othermailbox", $AltEmail)
        Set-ADUser -Identity $UserID -Title $title -Department $dept -Company $co -Manager $Manager -Mobile $mobile -Replace $Hashtable
        Enable-ADAccount -Identity $UserID
        #Add Account to Distribution List(s)
        $Groups = ('LIST_DirectSales_All')
        foreach ($Group in $Groups)
        {
            Add-ADGroupMember -Identity $Group -Member $UserID
        }
        #Assign O365 License
        Write-Host "
    User Account Creation Completed."
    }
    #Disables User account, Hides from Mailbox, and remove from DLs and Security Groups
    Function Disable{
        Disable-ADAccount -Identity $UserID
        #Removes Account to Distribution List(s)
        $Groups = ('')
        foreach ($Group in $Groups)
        {
            Remove-DistributionGroupMember -Identity $Group -Member $UserID -Confirm:$False
        }
        # $dl = @()
        # while ($true)
        # {
            # $distroList = read-host "
            # Remote Employees are automatically removed from groups.
            # Please enter Distribution List(s) or type 'Quit' to exit"
                # if ($distroList -eq "quit")	{break}
                # $dl += $distroList
        # }
        #Removes Distribution Lists
        # foreach ($item in $dl)
            # {
            # Remove-DistributionGroupMember -Identity $item -Member $UserID -Confirm:$False
            # }
        #Removes Security Groups
        # $SecGroup = @()
        # while ($true)
            # {
            # $SecurityGp = read-host "Enter Security Group(s) or type quit to exit"
                # if ($SecurityGp -eq "quit") {break}
                # $SecGroup += $SecurityGp
            # }
            # foreach ($group in $SecGroup)
                # {
                    # Remove-ADGroupMember -Identity $group -Member $UserID -Confirm:$False
                # }
        #Moves Account to Disabled Account OU
        Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Disabled,,DC=Domain,DC=COM" | Move-ADObject -TargetPath "OU=Disabled,DC=Domain,DC=COM"
        write-Host "Account Disabled and has been moved to the 'Disabled Users OU'"
    }
    #Admin enters the UserID, First and Last name, creates password for the account
    write-host "
    Welcome to the User Creation Program
    NOTE: If you are going to only DISABLE an account you just need to provide UserID, skip all others"
    $UserID = read-host "Enter UserID"
    $fn = read-host "Enter First Name"
    $ln = read-host "Enter Last Name"
    $AltEmail = read-host "Enter Alternate Email Address"
    $Manager = read-host "Reporting Manager"
    $mobile = read-host "Enter Mobile Number"
    $alias = $UserID
    $password = (Read-Host "Password" | ConvertTo-SecureString -AsPlainText -Force)
    $dn = $fn + " " + $ln
    $name = $dn
    $samAccountName = "$UserID"
    $UPN = "$"
    $User_Input = Read-Host "
    13)Disable Account
    Make a Selection"
    switch ($User_Input)
    {
        1{Sales; break}
        13{Disable Account; break}
        0{Exit; break}
    }

    Thursday, July 9, 2015 6:43 PM
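
A way to check whether the setting discussed in this thread actually landed on the account, and after which step of a script it changes. This is an added example, not part of the original thread; the function names Test-MustChangePassword and Get-PasswordFlagState are hypothetical, and it assumes PowerShell 3.0 or later with the ActiveDirectory module for the lookup.

```powershell
# Added example. Test-MustChangePassword and Get-PasswordFlagState are
# hypothetical helper names, not cmdlets from the ActiveDirectory module.

function Test-MustChangePassword {
    param(
        [Parameter(Mandatory)] [long] $PwdLastSet,
        [Parameter(Mandatory)] [int]  $UserAccountControl
    )
    $DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit for "Password never expires"
    $neverExpires = [bool]($UserAccountControl -band $DONT_EXPIRE_PASSWORD)
    [pscustomobject]@{
        # -ChangePasswordAtLogon $true is stored as pwdLastSet = 0
        PwdLastSetIsZero     = ($PwdLastSet -eq 0)
        PasswordNeverExpires = $neverExpires
        # The user is only forced to change when pwdLastSet is 0 and the password can expire
        MustChangeAtLogon    = ($PwdLastSet -eq 0) -and (-not $neverExpires)
    }
}

function Get-PasswordFlagState {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Step = ''
    )
    # Read the raw attributes instead of trusting the parameters passed at creation time
    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet, userAccountControl
    Test-MustChangePassword -PwdLastSet $u.pwdLastSet -UserAccountControl $u.userAccountControl |
        Add-Member -NotePropertyName Step -NotePropertyValue $Step -PassThru
}

# Offline check with constructed values (not read from a real directory):
Test-MustChangePassword -PwdLastSet 0 -UserAccountControl 0x200      # normal account, pwdLastSet 0
Test-MustChangePassword -PwdLastSet 0 -UserAccountControl 0x10200    # same, plus "never expires"
Test-MustChangePassword -PwdLastSet 130809000000000000 -UserAccountControl 0x200   # password already set

# Against a directory, call it after each step of a creation script to see
# where the state changes ($UserID as in the script above):
#   Get-PasswordFlagState -Identity $UserID -Step 'after New-ADUser'
#   Get-PasswordFlagState -Identity $UserID -Step 'after Set-ADUser'
#   Get-PasswordFlagState -Identity $UserID -Step 'after Enable-ADAccount'
```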