

How to change the password of every user in a container (or domain) to a default, and require them to change their password at next logon

This method uses dsmod.exe, a tool built into Windows Server 2003, to change each user's password, set the User must change password at next logon flag, and clear the Password Never Expires flag (if Password Never Expires is set, running just "-mustchpwd yes" would fail).

 

On a Windows 2003 DC:

1.       Dump all of the users from a specific OU, domain, or container to create a bulk list of users (for whom we want to change the password), listed by distinguished name (DN):

ldifde -d ou=OUname,DC=domain,DC=com -r (objectclass=user) -l DN -f c:\users.txt

 

Note: Change "DC=domain,DC=com" to your domain name, or the container in your domain in which the users exist.

2.       Open users.txt in Notepad and remove the two repeated pieces of information we don't need in the file. This leaves just the DNs (empty lines can stay; they will not matter).

a.       Edit menu -> Replace ALL

b.      Replace "dn: " with nothing

c.       Replace "changetype: add" with nothing

d.      This leaves us with a file that has a user’s DN on one line, then two lines of blank space, then another user’s DN, and so on. This is our “answer” file for the next step.

3.      We now run a for loop, which sets the password for every user to <password> (enter a password here, remembering to satisfy password policy complexity requirements) and requires each account to change the password at next logon:

a.       for /f "eol= tokens=1 delims=" %i in (c:\users.txt) do dsmod user "%i" -pwd <password> -mustchpwd yes -pwdneverexpires no

b.      Type it exactly as written above, including spaces. Make sure that the password meets complexity requirements. The for loop runs through every user in the users.txt file, changing the password, clearing the Password Never Expires flag (so that the User Must Change Password at Next Logon flag can be set), and then setting the flag that makes the user change the password at next logon.
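
The Notepad clean-up in step 2 assumes every DN sits on a single "dn: " line. The LDIF format (RFC 2849) also allows long lines to be folded (a continuation line starts with one space) and allows values to be written base64-encoded as "dn:: ", and a find-and-replace handles neither case. The PowerShell script below is an added example, not part of the original article; Get-LdifDn is a hypothetical helper name and the sample entries are constructed.

```powershell
# Added example. Get-LdifDn is a hypothetical helper, not part of ldifde or dsmod.
function Get-LdifDn {
    param([string[]]$Lines)

    # Unfold first: a line that starts with one space continues the previous line.
    $logical = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $logical.Count -gt 0) {
            $last = $logical.Count - 1
            $logical[$last] = $logical[$last] + $line.Substring(1)
        } else {
            $logical.Add($line)
        }
    }

    # Emit one DN per entry; "dn::" marks a base64-encoded UTF-8 value.
    foreach ($entry in $logical) {
        if ($entry -match '^dn::\s*(\S+)\s*$') {
            $bytes = [Convert]::FromBase64String($Matches[1])
            [Text.Encoding]::UTF8.GetString($bytes)
        } elseif ($entry -match '^dn:\s*(.+?)\s*$') {
            $Matches[1]
        }
        # Blank lines and "changetype: add" lines fall through and are dropped.
    }
}

# Constructed sample in the shape of an LDIF export (not real directory data):
# a plain DN, a DN folded across two lines, and a base64-encoded DN.
$sample = @(
    'dn: CN=Alice Example,OU=OUname,DC=domain,DC=com',
    'changetype: add',
    '',
    'dn: CN=Bob Example,OU=Contractors,OU=OUname,DC=doma',
    ' in,DC=com',
    'changetype: add',
    '',
    'dn:: Q049SsO8cmdlbixPVT1PVW5hbWUsREM9ZG9tYWluLERDPWNvbQ==',
    'changetype: add'
)

# Prints one clean DN per line for review before anything is modified.
Get-LdifDn $sample
```

To run it against the real export, pass the output of Get-Content c:\users.txt as the argument and review the resulting DNs before they go into the loop in step 3.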