Remove the "User must change password at next logon" for all users.

  • Question

  • Hello,

    I've searched all over the net and tried many times myself, but I am unable to get this to work.  I have migrated 172 users from cross forest and they are currently sitting in 'OU=Migration, OU=Kansas City, OU=Users' and I'm unable to figure out how to select just those users and what attribute to set for each of them through PowerShell.

    Thanks for any help in advance,
    Tuesday, September 22, 2009 12:39 AM

All replies

  • Can you use the quest cmdlets?
    http://www.quest.com/activeroles-server/arms.aspx

    If so, you could do something like this:

    Get-QADUser -SearchRoot 'OU=TestOU,DC=Domain,DC=COM' | Set-QADUser -UserMustChangePassword $false

    This will pipe all of the users in the specified OU to the Set-QadUser cmdlet and remove the "User must change password at next logon" setting.
    • Proposed as answer by David Shen Tuesday, September 22, 2009 6:43 AM
    • Marked as answer by David Shen Monday, September 28, 2009 3:16 AM
    Tuesday, September 22, 2009 2:29 AM
  • I don't know how to import the quest cmdlets, but I'll attempt figuring it out.

    How do you specify an OU within an OU?  I'm unable to specify any hierarchy.  e.g. 'OU=Parent,OU=Child,DC=Domain,DC=Com'
    Wednesday, September 23, 2009 5:39 PM
  • By importing do you mean adding the quest snap-in? If so, here's how you would do it:

    Add-PSSnapin Quest.ActiveRoles.ADManagement

    For the searchroot you can use either DN or canonical name:

    Get-QADUser -SearchRoot "OU=Child,OU=Parent,DC=Domain,DC=Com"

    or

    Get-QADUser -SearchRoot "domain.com/Parent/Child"
    • Proposed as answer by David Shen Thursday, September 24, 2009 2:37 AM
    • Marked as answer by David Shen Monday, September 28, 2009 3:16 AM
    Wednesday, September 23, 2009 7:39 PM
  • This is an old thread but here is a one-liner...

    Get-QADUser -SearchRoot "your OU as a path" -DontUseDefaultIncludedProperties | % { Set-QADUser $_.samAccountName -UserMustChangePassword $false }

    • Proposed as answer by _.Null Thursday, July 17, 2014 2:20 PM
    Thursday, July 17, 2014 2:19 PM
  • Works perfectly!!!  Went through and reset the attribute on 1174 migrated objects.  Going to save a lot of extra admin time.

    Stanley E. Noel Jr

    Wednesday, August 16, 2017 7:07 PM
  • The Set-ADUser cmdlet has this option:    -ChangePasswordAtLogon:$False

    Get-ADUser -Filter * -SearchBase 'OU=TestOU,DC=Domain,DC=COM' | Set-ADUser -ChangePasswordAtLogon:$False

    Thursday, August 2, 2018 8:57 PM
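
The bulk change discussed in this thread, as an added example that is not part of the original posts, using the ActiveDirectory module's Get-ADUser and Set-ADUser. It touches only accounts under the OU that actually carry the flag (AD stores it as pwdLastSet = 0), writes an audit list before changing anything, and defaults to a dry run. The DC=example,DC=com suffix, $AuditFile and $Apply are assumptions made for the example.

```powershell
#Requires -Modules ActiveDirectory

# Assumed values: the OU path is the one from the question; DC=example,DC=com
# is a placeholder for the real domain components.
$SearchBase = 'OU=Migration,OU=Kansas City,OU=Users,DC=example,DC=com'
$AuditFile  = Join-Path $env:TEMP ('pwd-flag-cleared-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$Apply      = $false   # leave $false for a dry run; set $true to make the change

# "User must change password at next logon" is stored as pwdLastSet = 0.
# Filtering on it server-side avoids rewriting accounts that never had the flag.
$flagged = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'pwdLastSet -eq 0' -Properties pwdLastSet, whenCreated)

if ($flagged.Count -eq 0) {
    Write-Host "No accounts under $SearchBase have the flag set."
    return
}

# Record which accounts are about to change so the bulk edit can be reviewed
# (and the flag restored on specific accounts) later.
$flagged |
    Select-Object SamAccountName, DistinguishedName, Enabled, whenCreated |
    Export-Csv -Path $AuditFile -NoTypeInformation

# With $Apply = $false, -WhatIf prints what would change and modifies nothing.
foreach ($user in $flagged) {
    try {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false `
            -WhatIf:(-not $Apply) -ErrorAction Stop
    }
    catch {
        Write-Warning ('{0}: {1}' -f $user.SamAccountName, $_.Exception.Message)
    }
}

# Re-query to confirm the result instead of trusting the loop.
$remaining = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'pwdLastSet -eq 0')
Write-Host ('{0} account(s) were flagged, {1} still flagged. Audit list: {2}' -f `
        $flagged.Count, $remaining.Count, $AuditFile)
```

Clearing the flag leaves each migrated account on whatever password it was given during migration, so the audit CSV is the record of which accounts kept an unchanged password.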