
Can anyone tell me how to disable the ‘must change password’ option when resetting a password in Active Directory? The box for that is checked by default. I want it to be unchecked and greyed out so that a person resetting a password cannot force that setting. If you must know, I want this because people generally only connect with Remote Desktop, and with Network Level Authentication (NLA) set, it prevents the change password dialog box from coming up; thus, if that option is set, a person is effectively locked out, making it useless at best.

Roman

1 Answer


An account with the "reset user password" permission will be able to set or unset the "change password at next logon" attribute.

And of course, if this value is set, the user will still be able to log in remotely with this password to Exchange OWA (if used) and change his password at first login (which is preferred).

But if you have a problem instructing the user to log in to OWA, you can schedule a script to list the accounts with "user must change password at next logon" and unset them automatically as follows:

```powershell
# pwdLastSet=0 is how AD stores "user must change password at next logon";
# only enabled accounts are touched, and the flag is cleared on each of them.
Get-ADUser -LDAPFilter "(pwdLastSet=0)" | Where-Object { $_.Enabled -eq $true } | Set-ADUser -ChangePasswordAtLogon $false
```
Mahmoud Moawad
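The one-liner in the answer clears the flag for every enabled user in the domain. An administrator scheduling this would normally want to scope it to the OU holding the remote-only users, preview the change before running it unattended, and keep a record of which accounts were changed. The script below is an added example, not code from the original answer; it assumes the RSAT ActiveDirectory module is installed and that the scheduled account holds "Reset password" rights on the target OU. The OU path and log path are placeholders to be replaced.

```powershell
# Added example (not from the original answer). Assumes the ActiveDirectory
# RSAT module and an account with "Reset password" rights on the target OU.
# $SearchBase and $LogPath are placeholder values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=RemoteUsers,DC=example,DC=com',   # placeholder OU
    [string]$LogPath    = 'C:\Logs\ClearMustChange.log'          # placeholder path
)

Import-Module ActiveDirectory

# pwdLastSet=0 is how AD represents "User must change password at next logon".
# Limiting the search to one OU and to enabled accounts keeps service and
# disabled accounts, and accounts outside the remote-user population, untouched.
$flagged = Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase `
               -Properties pwdLastSet, whenChanged |
           Where-Object { $_.Enabled }

foreach ($user in $flagged) {
    # ShouldProcess makes "-WhatIf" show what would be changed without changing it.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear "must change password at next logon"')) {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false
        $line = "{0:u} cleared flag for {1} (whenChanged={2})" -f (Get-Date), $user.SamAccountName, $user.whenChanged
        Add-Content -Path $LogPath -Value $line
    }
}
```

Run it once interactively with `-WhatIf` to see which accounts it would touch, then register it without `-WhatIf` as a scheduled task. The log gives you an audit trail of every account whose flag was cleared, which matters because clearing the flag also removes the forced rotation on accounts that were given a known initial password.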