
    How to expire Windows user password without AD ?

    • Emad R

      Wish to have a setting to expire a Windows user account on the fly and without delay, so at next login he sees the window to create a new pass.

      Also wish to run this via command line so I can push via SaltStack.

      I found this:
      NET ACCOUNTS /MAXPWAGE:1

      But it is not what I am looking for; I want something to simply expire whenever it gets executed. SS has a module for this, but it is not working.

      This works
      WMIC USERACCOUNT WHERE Name='MSFuser' SET PasswordExpires=TRUE
      For setting never expire (FALSE), but it does not work for expiring it, because then it will look for the value in Group Policy, and sure, I can change this, but then that will start a timer for 42 days and then it expires; what I want is expire now.

      I want something like this for windows:
      passwd -e

      -e, --expire Immediately expire an account's password. This in effect can force a user to change his/her password at the user's next login.

      • EddieJennings @Emad R

        @emad-r said in How to expire Windows user password without AD ?:

        Wish to have a setting to expire a Windows user account on the fly and without delay, so at next login he sees the window to create a new pass.

        I'm pretty sure you can do that through Computer Management. Without some research, I'm not sure if it can be done via PowerShell. That being said, I'm sure there must be a registry setting that gets toggled, which forces the password expiration; thus, you could connect to the computer remotely and toggle that setting.

        • black3dynamite

          For ADUsers
          Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true

          salt 'hostname' cmd.run 'Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true' shell=powershell

          For Local Users
          $user=[ADSI]'WinNT://localhost/account23';
          $user.passwordExpired = 1;
          $user.setinfo()

          https://stackoverflow.com/questions/20705096/how-to-enable-the-user-flag-user-must-change-password-at-next-logon-for-a-loca

          • JaredBusch @black3dynamite

            @black3dynamite That forces a change at logon, but does not immediately expire the existing password.

            But, if I was in a position to need to do this, I would set that flag and then force logoff the system anyway.

            Because even if you expire the password, Windows does not care about the already logged in session.

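Added example, not part of any post above: a PowerShell function that combines the local-user flag from black3dynamite's reply with the forced logoff JaredBusch suggests, so the next interactive logon has to go through the password-change prompt. The function name and its parameters are hypothetical; it assumes an elevated prompt on the target machine and that `quser` and `logoff` are present (they are not shipped on Home editions).

```powershell
# Added example, not code from the thread. Run elevated on the target machine.
function Set-LocalPasswordExpired {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [switch]$LogOffSessions   # also end the account's current sessions
    )
    $UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" bit in UserFlags

    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    try { $user.psbase.RefreshCache() }
    catch { throw "Local account '$UserName' not found: $($_.Exception.Message)" }

    if ($PSCmdlet.ShouldProcess($UserName, 'Require password change at next logon')) {
        $flags = [int]$user.UserFlags.Value
        if ($flags -band $UF_DONT_EXPIRE_PASSWD) {
            # Clear "never expires" first; the Local Users console treats it and
            # "must change at next logon" as mutually exclusive.
            $user.UserFlags = $flags -band (-bnot $UF_DONT_EXPIRE_PASSWD)
        }
        $user.PasswordExpired = 1
        $user.SetInfo()
    }

    if (-not $LogOffSessions) { return }

    # quser columns: USERNAME  SESSIONNAME  ID  STATE ...; SESSIONNAME is blank
    # for disconnected sessions, and '>' marks the caller's own session.
    $pattern = '^[\s>]*(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+\S+'
    foreach ($line in (quser 2>$null | Select-Object -Skip 1)) {
        if ($line -match $pattern -and $Matches['user'] -eq $UserName) {
            if ($PSCmdlet.ShouldProcess("session $($Matches['id'])", 'Log off')) {
                logoff $Matches['id']
            }
        }
    }
}

# 'account23' is the sample account name used in the thread.
# Dry run: prints what would change; remove -WhatIf to apply.
Set-LocalPasswordExpired -UserName 'account23' -LogOffSessions -WhatIf
```

Pushed through Salt, the function definition and call can go in one script run with `cmd.run ... shell=powershell`, as in the `Set-ADUser` line above.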