
Forums » Active Directory and PowerShell

Thread: Force 'User must change password at next login'

Replies: 4 - Last Post: Dec 7, 2011 6:18 AM by: krayz
eduadmin

Posts: 1
Registered: 5/25/10
Force 'User must change password at next login'
Posted: May 25, 2010 12:07 PM

I have the following script using New-QADUser to create accounts read from a CSV file.  How can I specify that the created account prompts the user to change the password during next login?

Script command:
Import-CSV C:\xxxxx.csv | ForEach-Object { New-QADUser -Name $_.Name -FirstName $_.First -LastName $_.Last -DisplayName $_.Display -UserPrincipalName $_.Account -samAccountName $_.samAccount -UserPassword $_.Password -Description $_.Description -ParentContainer 'OU=Users,OU=xxx,DC=xx,DC=xxx,DC=edu'}

CSV format:
Name,First,Last,Display,Account,samAccount,Password,Description



Shay Levy


Posts: 2,567
Registered: 1/31/08
Re: Force 'User must change password at next login'
Posted: May 26, 2010 12:01 AM   in response to: eduadmin

Pipe New-QADUser to Set-QADUser:

ForEach-Object { New-QADUser -Name $_.Name -FirstName $_.First ... | Set-QADUser -UserMustChangePassword $true }



Shay Levy [MVP]
http://PowerShay.com
PowerShell Toolbar
krayz

Posts: 3
Registered: 11/29/11
Re: Force 'User must change password at next login'
Posted: Nov 29, 2011 11:53 AM   in response to: eduadmin

I'm struggling to get this to work with Set-QADUser piped from New-QADUser. If I remove the pipe and the Set-QADUser command, this works just fine, adding users the way I want, but once I add that Set-QADUser I start getting the error shown below the script. I've tried both $true and 1 for -UserMustChangePassword; both give the same error.

Script:
$cred = get-credential # login creds for DC's

Connect-QADService -service "DC IP" -credential $cred

$LIST=Import-Csv C:\pshell\scripts\create_users.csv

#
# Go through EACH item in the list (Header row is treated as variable names by default)
#
FOREACH ($USER in $LIST) {
#
$Firstname=$USER."First Name"
$Lastname=$USER."Last Name"
$USERNAME=$USER.username
$PASSWORD=$USER.password
$mail=$USER.email
#
$domain='@island.local'
#
$ALIAS=$Firstname+" "+$Lastname
$UPN=$Username+$domain
$DISPLAYNAME=$Firstname+" "+$Lastname
#
# SAM USERID cannot be greater than 20 characters - Legacy
#
$SAM=$Username
# Substring(0,20) throws when the name is shorter than 20 characters, so only truncate when needed
if ($SAM.Length -gt 20) { $SAM=$SAM.Substring(0,20) }
#
#
NEW-QADUSER -ParentContainer 'cn=Users,DC=island,DC=local' -Name $ALIAS -UserPassword $PASSWORD -Firstname $FIRSTNAME -Lastname $LASTNAME -samaccountname $SAM -UserPrincipalName $UPN -displayname $DISPLAYNAME -Email $mail | Set-QADUser -UserMustChangePassword 1
#
}
#
disconnect-QADService


Error:

New-QADUser : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
At C:\pshell\scripts\ADUsers.ps1:44 char:12
+ NEW-QADUSER <<<< -ParentContainer 'cn=Users,DC=island,DC=local' -Name $ALIAS -UserPassword $PASSWORD -Firstname $FIRSTNA
ME -Lastname $LASTNAME -samaccountname $SAM -UserPrincipalName $UPN -displayname $DISPLAYNAME -Email $mail | Set-QADUser -U
serMustChangePassword $true
+ CategoryInfo : NotSpecified: (:) [New-QADUser], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell
.Cmdlets.NewUserCmdlet


I'm only in my 3rd week of learning Powershell but I've come a very long way. Any help would be great.

Kevin


DrMantis

Posts: 3
Registered: 12/6/11
Re: Force 'User must change password at next login'
Posted: Dec 6, 2011 8:53 PM   in response to: krayz

Hi There,

This is how I did mine and it seems to work like a charm. New users logging in for the first time get the password reset prompt:


Function CreateUser
{
Param($Office,$State,$Postal,$Address,$City,$Sitelocation,$SiteGroup,$UserGroup,$Storage)
# $user, $LoginName, $FName, $LName, $OU (an [ADSI] container), $ticket, $description,
# $Telephone, $Fax, $Title, $Department, $dnpath, $Company and $UserPassword are
# expected to be set in the calling scope before this function runs.
Write-Host -BackgroundColor Blue "Creating User account for $user..."

 Start-Sleep -Seconds 5
 $newUser = $OU.Create("User","cn=" + $user)
 $newUser.Put("userprincipalname",$LoginName+"@domain")
 $newUser.Put("sAMAccountName",$LoginName)
 $newUser.Put("givenname",$FName)
 $newUser.Put("sn",$LName)
 $newUser.Put("displayName",$user)
 If ($ticket -ne ""){
 $newUser.Put("info","$ticket")
 }
 $newUser.Put("description","$description")
 $newUser.Put("physicalDeliveryOfficeName", $Office)
 If ($Telephone -ne ""){
 $newUser.Put("telephoneNumber",$Telephone)
 }
 If ($Fax -ne ""){
 $newUser.Put("facsimiletelephonenumber",$Fax)
 }
 $newUser.Put("title", $Title)
 $newUser.Put("department",$Department)
 $newUser.Put("manager",$dnpath)
 $newUser.Put("company", $Company)
 $newUser.Put("streetAddress", $Address)
 $newUser.Put("l",$City)
 $newUser.Put("c","AU")
 $newUser.Put("st",$State)
 $newUser.Put("postalCode",$Postal)
 $newUser.SetInfo()
 $newUser.psbase.InvokeSet('AccountDisabled', $false)
 $newUser.SetInfo()
 # Sets the password. The new password is read from $UserPassword because $PWD is
 # PowerShell's automatic current-directory variable and must not be used for this.
 $newUser.SetPassword("$UserPassword")
 # pwdLastSet = 0 enables "User must change password at next logon"; it must come
 # AFTER SetPassword(), which itself updates pwdLastSet.
 $newUser.Put("pwdLastSet",0)
 $newUser.SetInfo()
}

Hope this helps.. :)

Regards
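The pwdLastSet = 0 step above is the ADSI way of setting the flag, but the fragment leaves two things implicit: the order relative to SetPassword() and the interaction with "password never expires". The following function is an added example (not DrMantis's code) that applies the same technique to an existing account and reads the attribute back to confirm it took. The distinguished name and password in the usage line are placeholders; the 0x10000 constant is ADS_UF_DONT_EXPIRE_PASSWD from userAccountControl.

```powershell
# Added example: force "User must change password at next logon" on an existing
# account via ADSI (pwdLastSet = 0) and verify the result.
function Set-ChangePasswordAtNextLogon {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        # Optional: reset the password first. Deliberately not named $PWD, which is
        # PowerShell's automatic current-directory variable.
        [string]$NewPassword
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"

    # userAccountControl bit 0x10000 = ADS_UF_DONT_EXPIRE_PASSWD. An account with
    # "password never expires" is never prompted even when pwdLastSet is 0, so the
    # bit has to be cleared first for the flag to have any effect.
    $uac = [int]$entry.userAccountControl.Value
    if ($uac -band 0x10000) {
        $entry.Put('userAccountControl', ($uac -bxor 0x10000))
        $entry.SetInfo()
    }

    # Order matters: SetPassword() stamps pwdLastSet with the current time, so it
    # must run BEFORE pwdLastSet is zeroed (the order DrMantis's function uses).
    if ($NewPassword) {
        $entry.SetPassword($NewPassword)
        $entry.SetInfo()
    }

    $entry.Put('pwdLastSet', 0)
    $entry.SetInfo()

    # Read the attribute back instead of trusting the write. pwdLastSet is a 64-bit
    # LargeInteger COM value; the ADSI helper converts it to Int64 for comparison.
    $entry.RefreshCache()
    $value = $entry.ConvertLargeIntegerToInt64($entry.pwdLastSet.Value)
    return ($value -eq 0)
}

# Usage with a placeholder DN; returns $true when the flag is confirmed set:
# Set-ChangePasswordAtNextLogon -DistinguishedName 'CN=Jane Doe,OU=Users,DC=example,DC=local'
```

Returning a boolean rather than printing lets a bulk script stop or report per account when the read-back does not show 0, which is exactly the case a "worked like a charm" test on one account does not exercise.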




krayz

Posts: 3
Registered: 11/29/11
Re: Force 'User must change password at next login'
Posted: Dec 7, 2011 6:18 AM   in response to: krayz

Thanks for the reply. I did actually fix it yesterday.

Here is my csv format;
First name,Last name,password,email,admin
Mike,Smith,p@$$w0rd,mike.smith@mydomain.com,n
Jack,Bauer,Trustno1,jbauer@domain24.com,y

My Script;

#Get password for account with user creation rights (password stored as an encrypted variable)
$cred = get-credential # login creds for DC's

Connect-QADService -service 10.66.250.20 -credential $cred

$LIST=Import-Csv C:\pshell\scripts\create_users.csv

#
# Go through EACH item in the list (Header row is treated as variable names by default)
#
FOREACH ($USER in $LIST) {
#
$Firstname=$USER."First Name"
$Lastname=$USER."Last Name"
$USERNAME= $Firstname+"."+$Lastname
$PASSWORD=$USER.password
$mail=$USER.email
$group=$USER.admin
#
$domain='@domain.local'
#
$ALIAS=$Firstname+" "+$Lastname
$UPN=$Username+$domain
$DISPLAYNAME=$Firstname+" "+$Lastname
#
# SAM USERID cannot be greater than 20 characters - Legacy
#
$SAM=$Username
# Substring(0,20) throws when the name is shorter than 20 characters, so only truncate when needed
if ($SAM.Length -gt 20) { $SAM=$SAM.Substring(0,20) }
#
# Creates a new users with Username, login name, password, and email
NEW-QADUSER -ParentContainer 'cn=Users,DC=domain,DC=local' -Name $ALIAS -UserPassword $PASSWORD -Firstname $FIRSTNAME -Lastname $LASTNAME -samaccountname $SAM -UserPrincipalName $UPN -displayname $DISPLAYNAME -Email $mail
# Forces user to change password at next login
Set-QADUser -Identity $username -UserMustChangePassword $true
# Check to see if the user is in this case a "Domain Admin"
if ($group -eq 'y'){
Add-QADGroupMember -Identity "cn=domain admins,cn=users,dc=domain,dc=local" -Member $USERNAME
}
#
}
#
disconnect-QADService

So far so good, with this script I can set up users in any of my domains that I can reach from my management system.

My next version will be so that the IP of the DC and the CSV files are just switches added to the command line when entering the script.

Hope this helps someone like it has me.
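Pulling together the original question, Shay Levy's pipe-to-Set-QADUser answer and krayz's working CSV script, here is an added example (not code from any of the posts) of the same procedure with the checks a bulk-creation script should have: a safe sAMAccountName truncation, -ErrorAction Stop with try/catch so a failed New-QADUser never falls through to Set-QADUser or the group step, and a read-back of the flag per account. It assumes the Quest.ActiveRoles.ADManagement snap-in is installed, a CSV with the columns from krayz's post (First name,Last name,password,email,admin), and that the object returned by Get-QADUser exposes a UserMustChangePassword property for the read-back (an assumption to confirm on your QAD version). $DomainController, $ParentContainer and $UpnSuffix are placeholders.

```powershell
# Added example: CSV-driven user creation with the Quest QAD cmdlets, forcing a
# password change at first logon and verifying it for every account.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$DomainController = 'dc01.example.local'                 # placeholder
$CsvPath          = 'C:\pshell\scripts\create_users.csv' # path used in the thread
$ParentContainer  = 'OU=Users,DC=example,DC=local'       # placeholder
$UpnSuffix        = '@example.local'                     # placeholder

function Get-SamAccountName {
    # Pre-Windows 2000 logon names are limited to 20 characters. Truncate only when
    # needed; Substring(0,20) on a shorter string throws.
    param([string]$Name)
    if ($Name.Length -gt 20) { return $Name.Substring(0, 20) }
    return $Name
}

$cred = Get-Credential
Connect-QADService -Service $DomainController -Credential $cred | Out-Null

foreach ($row in Import-Csv $CsvPath) {
    $first = $row.'First name'.Trim()
    $last  = $row.'Last name'.Trim()
    $sam   = Get-SamAccountName ('{0}.{1}' -f $first, $last)

    # Splatting keeps the long New-QADUser call readable.
    $newUserArgs = @{
        ParentContainer   = $ParentContainer
        Name              = "$first $last"
        FirstName         = $first
        LastName          = $last
        DisplayName       = "$first $last"
        SamAccountName    = $sam
        UserPrincipalName = "$sam$UpnSuffix"
        Email             = $row.email
        UserPassword      = $row.password   # initial password from the CSV, as in the thread
    }

    try {
        # Step 1: create. -ErrorAction Stop turns a failed create into a catchable
        # error, so the account is never modified or added to a group if it does not exist.
        $user = New-QADUser @newUserArgs -ErrorAction Stop

        # Step 2: force the change at next logon (Shay Levy's answer, as a pipe).
        $user | Set-QADUser -UserMustChangePassword $true -ErrorAction Stop | Out-Null

        # Step 3: read the flag back rather than trusting that the call succeeded.
        $check = Get-QADUser -Identity $sam
        if ($check.UserMustChangePassword) {
            Write-Host "OK  $sam : must change password at next logon"
        } else {
            Write-Warning "$sam was created but UserMustChangePassword is not set (check 'password never expires')"
        }

        # Step 4: optional group membership, only for accounts that passed the steps above.
        if ($row.admin -eq 'y') {
            Add-QADGroupMember -Identity "CN=Domain Admins,CN=Users,DC=example,DC=local" -Member $sam -ErrorAction Stop | Out-Null
        }
    } catch {
        Write-Warning "Failed for $first $last : $($_.Exception.Message)"
    }
}

Disconnect-QADService
```

The group step is last on purpose: krayz's script adds the member by $USERNAME regardless of whether the create succeeded, whereas here a failed create or a failed flag update raises into the catch block before any group membership is granted.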

