Active Directory Force All Users to Change Passwords on Next Login
-
Here is what I would do.
Run
Get-ADUser -Filter * | select SAMAccountName | export-csv c:\userlist.csvTo pull a list of all users in the domain, filter out service accounts, as you don't want those changed automatically.
Then run this Password Generator
function New-SWRandomPassword { <# .Synopsis Generates one or more complex passwords designed to fulfill the requirements for Active Directory .DESCRIPTION Generates one or more complex passwords designed to fulfill the requirements for Active Directory .EXAMPLE New-SWRandomPassword C&3SX6Kn Will generate four passwords with a length between 8 and 16 chars. .EXAMPLE New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 16 -Count 20 7d&5cnaB !Bh776T"Fw 9"C"RxKcY %mtM7#9LQ9h Will generate four passwords, each with a length of between 8 and 12 chars. .EXAMPLE New-SWRandomPassword -InputStrings abc, ABC, 123 -PasswordLength 4 3ABa Generates a password with a length of 4 containing atleast one char from each InputString .EXAMPLE New-SWRandomPassword -InputStrings abc, ABC, 123 -PasswordLength 4 -FirstChar abcdefghijkmnpqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ 3ABa Generates a password with a length of 4 containing atleast one char from each InputString that will start with a letter from the string specified with the parameter FirstChar .OUTPUTS [String] .NOTES Written by Simon Wåhlin, blog.simonw.se I take no responsibility for any issues caused by this script. .FUNCTIONALITY Generates random passwords .LINK http://blog.simonw.se/powershell-generating-random-password-for-active-directory/ #> #New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 16 -Count 4 [CmdletBinding(DefaultParameterSetName='FixedLength',ConfirmImpact='None')] [OutputType([String])] Param ( # Specifies minimum password length [Parameter(Mandatory=$false, ParameterSetName='RandomLength')] [ValidateScript({$_ -gt 0})] [Alias('Min')] [int]$MinPasswordLength = 8, # Specifies maximum password length [Parameter(Mandatory=$false, ParameterSetName='RandomLength')] [ValidateScript({ if($_ -ge $MinPasswordLength){$true} else{Throw 'Max value cannot be lesser than min value.'}})] [Alias('Max')] [int]$MaxPasswordLength = 12, # Specifies a fixed password length [Parameter(Mandatory=$false, ParameterSetName='FixedLength')] [ValidateRange(1,2147483647)] [int]$PasswordLength = 8, # Specifies an array of strings containing charactergroups from which the password will be generated. # At least one char from each group (string) will be used. [String[]]$InputStrings = @('abcdefghijkmnpqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&'), # Specifies a string containing a character group from which the first character in the password will be generated. # Useful for systems which requires first char in password to be alphabetic. [String] $FirstChar, # Specifies number of passwords to generate. [ValidateRange(1,2147483647)] [int]$Count = 1 ) Begin { Function Get-Seed{ # Generate a seed for randomization $RandomBytes = New-Object -TypeName 'System.Byte[]' 4 $Random = New-Object -TypeName 'System.Security.Cryptography.RNGCryptoServiceProvider' $Random.GetBytes($RandomBytes) [BitConverter]::ToUInt32($RandomBytes, 0) } } Process { For($iteration = 1;$iteration -le $Count; $iteration++){ $Password = @{} # Create char arrays containing groups of possible chars [char[][]]$CharGroups = $InputStrings # Create char array containing all chars $AllChars = $CharGroups | ForEach-Object {[Char[]]$_} # Set password length if($PSCmdlet.ParameterSetName -eq 'RandomLength') { if($MinPasswordLength -eq $MaxPasswordLength) { # If password length is set, use set length $PasswordLength = $MinPasswordLength } else { # Otherwise randomize password length $PasswordLength = ((Get-Seed) % ($MaxPasswordLength + 1 - $MinPasswordLength)) + $MinPasswordLength } } # If FirstChar is defined, randomize first char in password from that string. if($PSBoundParameters.ContainsKey('FirstChar')){ $Password.Add(0,$FirstChar[((Get-Seed) % $FirstChar.Length)]) } # Randomize one char from each group Foreach($Group in $CharGroups) { if($Password.Count -lt $PasswordLength) { $Index = Get-Seed While ($Password.ContainsKey($Index)){ $Index = Get-Seed } $Password.Add($Index,$Group[((Get-Seed) % $Group.Count)]) } } # Fill out with chars from $AllChars for($i=$Password.Count;$i -lt $PasswordLength;$i++) { $Index = Get-Seed While ($Password.ContainsKey($Index)){ $Index = Get-Seed } $Password.Add($Index,$AllChars[((Get-Seed) % $AllChars.Count)]) } Write-Output -InputObject $(-join ($Password.GetEnumerator() | Sort-Object -Property Name | Select-Object -ExpandProperty Value)) } } }Specifically
New-SWRandomPassword -MinPasswordLength 8 -MaxPasswordLength 16 -Count 20and change the length, and count to a number the customer is comfortable with.Copy the list of passwords out, and save them into the csv generated in step 1.
And then run this power shell script to reset the user passwords.
Lastly give the passwords from the CSV to the individual employees so they can select their own password.
-
@Grey said in Active Directory Force All Users to Change Passwords on Next Login:
First, this is a Bad Idea(tm). Lots of service accounts may not want to change their accounts and you'll break applications that rely on them. The Administrator (500) account will also have to be reset.
Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.The PS is two components, joined by a pipe.
get-aduser -filter * | set-aduser -ChangePasswordAtNextLogon $trueref: https://technet.microsoft.com/en-us/library/ee617195.aspx & https://technet.microsoft.com/en-us/library/dd391883(v=ws.10).aspx
Good luck. I'm not executing that command to verify that it works, but it should. Woe betide the admin that does this in production.
If you adjust the filter, you can ignore Service accounts and such.
-
If your service accounts are in a specific OU (ours are) then you can also just change the scope to the user's OU.
-
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
-
@JaredBusch Just being lazy and not modifying the powershell that was easily found online.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
-
Rather than having to wait for each user to choose when to log out and back in.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
-
@DustinB3403 and the biggest issues is that a user cannot change a password without knowing the existing password.
By spinning the existing passwords, you make the entire process more difficult.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 and the biggest issues is that a user cannot change a password without knowing the existing password.
By spinning the existing passwords, you make the entire process more difficult.
That is with the expectation that you're allowing the user to willfully change the password, I'm saying change the password for the user, and allow them to change it afterwards them selves.
Not to ctrl alt delete change password / per user.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
And a compromised password would allow an attacker to possibly change the password before the user gets to.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
And a compromised password would allow an attacker to possible change the password before the user gets to.
And this will be known when the user cannot log in themselves because they will not know the new login and their computer's kerberos will not be valid.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
And a compromised password would allow an attacker to possible change the password before the user gets to.
And this will be known when the user cannot log in themselves because they will not know th enew login and their computer's kerberos will not be valid.
Yeah... but the door is still open.
So why go with this approach? Why not force a random password, provide that to the users, reboot their equipment and go from there?
-
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
-
Don't allow the users to choose when.
That's insanity, cause they may never log out.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
You're leaving the house unlocked and money on the living room floor.
