0

When I manually change a user's password, I get the checkbox "User Must Change Password at Next Logon" (here in Italian "Cambiamento obbligatorio password all'accesso successivo") checked by default. What I want is to make this unchecked by default. Is this possible? How?

enter image description here

PS: I cannot make the passwords non-expirable like in the following image because of company policy.

enter image description here

EDIT #1: If I make the password non-expirable, I get the result I want to accomplish, like in the following image. Unfortunately I cannot do this because of company policy, so if I can do this in other ways, good; if not, peace for system administrators.

enter image description here

linuxatico
  • 103
  • 5

2 Answers

2

There is no way to have the checkbox unchecked in the wizard-dialogue by default,
edit: without adding the flag "password never expires" to the user's account that you are resetting the password for. The explanation is that the flag "user must change password at next logon" actually sets the expiration date of the password in the past, forcing the user to change it at the next logon. Logically, this can only be done if the account's password can expire.

And there is a difference between having to change the password at first logon (User cannot change password/Cambiamento password non consentito) and having a password expiry interval (Password never expires/Nessuna scadenza password). There is no correlation between those two.

My personal advice: don't choose passwords for your users. A password should be known to only one person, which would be the user themselves. I'd suggest you choose a temporary password and let the user indeed change it to a secret password upon first logon. You would not only follow best practices but avoid security risks and hand responsibility to your users.

Daniel
  • 6,940
  • 6
  • 33
  • 64
  • Hi Daniel, I edited my question adding some additional explanation. Thanks for your answer. – linuxatico Nov 25 '15 at 10:54
  • @linuxatico That is expected behaviour, because checking "User Must Change Password at Next Logon" does set the expiration date to the past. Hence the forced change upon logon. My answer is still valid. There is no way to have the checkbox disabled by default. But I'll edit my question to better reflect that. – Daniel Nov 25 '15 at 10:56
1

I cannot comment due to low rep, but I wonder why you need this... To save a click when changing a password? As @Daniel suggests, you do not want to know the user's password, as it is not industry best practice and is a security risk. Additionally, as per Italian Privacy Law, administrators cannot know user passwords. Ciao!

Roberto
  • 171
  • 4
  • Hi Roberto, by the way, this is the first time I have met an Italian in the StackExchange universe :). The request is exactly to save a click... thanks – linuxatico Nov 25 '15 at 11:04
  • Same for me, but I think there are quite a few :) So, I presume you are facing a huge number of accounts to reset... why not take the PowerShell road? If you have to reset accounts in bulk you could find these links useful: http://serverfault.com/questions/207115/how-do-i-bulk-reset-passwords-for-all-users-in-an-ou http://blogs.interfacett.com/using-powershell-reset-active-directory-passwords-bulk – Roberto Nov 25 '15 at 11:12
  • There are two or three Italians here. Or half-Italian in my case :) – Daniel Nov 25 '15 at 11:21
  • 1
    You could also take Roberto's advice and prepare a short script that, when executed, asks you for a username and a new password and simply sets the new password. Although I would not recommend that approach for the reasons explained in my answer. Anyway, don't forget to mark an answer. :) – Daniel Nov 25 '15 at 11:24
  • 1
    Via PS you can keep the "User Must Change Password at Next Logon" setting intact, using _Set-ADUser -ChangePasswordAtLogon $true_ in your script. @Daniel :))) – Roberto Nov 25 '15 at 11:30
  • @Roberto, thanks for the clarification. What I meant was that, while it is possible, I recommend to not omit that flag. – Daniel Nov 25 '15 at 11:31
  • @Daniel yes, I absolutely second that, mine was just a hint to linuxatico. I smiled because of the somewhat funny situation, where one thinks "hey, first time talking to an Italian on SF!" and everyone involved in the Q/A activity is, in fact, of Italian heritage :) – Roberto Nov 25 '15 at 11:38
  • Thank you all. – linuxatico Nov 25 '15 at 11:55
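
The short script discussed in the comments above, as an added example that is not code from any participant in the thread: it asks for a username, sets a random temporary password instead of one chosen by the administrator, and keeps "User Must Change Password at Next Logon" set. The function names `New-TemporaryPassword` and `Reset-UserWithTemporaryPassword` are hypothetical, and the script assumes the RSAT ActiveDirectory module and rights to reset the target account.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Function names are hypothetical; cmdlets are from the RSAT ActiveDirectory module.
function New-TemporaryPassword {
    param([int]$Length = 16)
    # Alphabet without look-alike characters (constructed for this example)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'.ToCharArray()
    $limit = 256 - (256 % $chars.Length)      # bytes >= $limit are rejected to avoid modulo bias
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = New-Object byte[] 1
    try {
        do {
            $pw = ''
            while ($pw.Length -lt $Length) {
                $rng.GetBytes($one)
                if ($one[0] -lt $limit) { $pw += $chars[$one[0] % $chars.Length] }
            }
        # Regenerate until upper, lower and digit are all present (3 of 4 AD complexity classes)
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    $pw
}

function Reset-UserWithTemporaryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, CannotChangePassword
    # The forced-change flag cannot be combined with either of these account options
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        throw "$($user.SamAccountName): clear 'Password never expires' / 'User cannot change password' first."
    }

    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password, force change at next logon')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        # pwdLastSet reads 0 while the forced-change flag is set; return it as a check
        $check = Get-ADUser -Identity $user -Properties pwdLastSet
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            TemporaryPassword = $plain   # hand over once, out of band; do not log
            PwdLastSet        = $check.pwdLastSet
        }
    }
}

# Ask for the account name, as suggested in the comments
Reset-UserWithTemporaryPassword -Identity (Read-Host 'Username')
```

Calling the function with `-WhatIf` shows which account would be reset without changing it.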