Using cusrmgr, you can set User Must Change Password at Next Logon.
You can use:
to select multiple users in your domain.
I have chosen to use DomGroupMembers from tip 4647 to invoke the UserMustChangePassword.bat script, which you place in a folder in your PATH.
The syntax for using UserMustChangePassword.bat is the general syntax for DomGroupMembers, which is:
DomGroupMembers Group "Command" [ExludeList]
The specific syntax for this solution is:
DomGroupMembers "DomainGroup" "call UserMustChangePassword.bat %user%" [ExludeList]
where "DomainGroup" is any domain group, such as "Domain Users" or "Eastern Sales".
NOTE: You must change the PDCName in the UserMustChangePassword.bat script to be your PDC emulator.
You may also remove the @echo User %1 must change password at next logon line, if you don't wish to display the users who have been affected.
@echo off
setlocal
:: Start from a known value so the IF below stays valid when the lookup finds nothing.
set when=""
:: Determine if Password Never Expires.
for /f "Skip=11 Tokens=2-3" %%i in ('net user %1 /domain') do if "%%i"=="expires" set when="%%j"
if %when% EQU "Never" goto done
:: Change PDCName to be your PDC Emulator
cusrmgr -u %1 +s MustChangePassword -m \\PDCName>nul 2>&1
:: You may remove the following echo.
@echo User %1 must change password at next logon
:done
endlocal
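
A present-day equivalent of the procedure above, written with the ActiveDirectory PowerShell module in place of cusrmgr and DomGroupMembers. This is an added example, not part of the original tip; the function name Set-GroupMustChangePassword and the account name svc-backup are assumptions made for illustration.

```powershell
# Added example: swaps cusrmgr/DomGroupMembers for the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Hypothetical helper name; mirrors DomGroupMembers "Group" "Command" [ExludeList].
function Set-GroupMustChangePassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,          # e.g. "Eastern Sales"
        [string[]]$ExcludeList = @(),                  # sAMAccountNames to skip
        [string]$Server = (Get-ADDomain).PDCEmulator   # write to the PDC emulator, as the tip does
    )

    # Expand nested groups and keep only user objects (computers are dropped).
    $members = Get-ADGroupMember -Identity $Group -Recursive -Server $Server |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        if ($ExcludeList -contains $m.SamAccountName) { continue }

        $user = Get-ADUser -Identity $m.DistinguishedName -Server $Server `
            -Properties PasswordNeverExpires

        # Same guard as the batch script: leave "password never expires" accounts alone.
        if ($user.PasswordNeverExpires) {
            Write-Verbose "Skipping $($user.SamAccountName): password never expires"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Require password change at next logon')) {
            Set-ADUser -Identity $user -Server $Server -ChangePasswordAtLogon $true
            # Emit the affected account so the run can be logged or reviewed.
            [pscustomobject]@{ User = $user.SamAccountName; MustChangePassword = $true }
        }
    }
}

# Dry run first: reports what would change without writing to the directory.
# 'svc-backup' is a constructed account name.
Set-GroupMustChangePassword -Group 'Eastern Sales' -ExcludeList 'svc-backup' -WhatIf
```

Drop -WhatIf to apply the change, and add -Verbose to see which accounts were skipped because their password never expires.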