Force 'User must change password at next login'

I have the following script using New-QADUser to create accounts read from a CSV file. How can I specify that the created account prompts the user to change the password during next login?

Script command:
Import-CSV C:\xxxxx.csv | ForEach-Object { New-QADUser -Name $_.Name -FirstName $_.First -LastName $_.Last -DisplayName $_.Display -UserPrincipalName $_.Account -samAccountName $_.samAccount -UserPassword $_.Password -Description $_.Description -ParentContainer 'OU=Users,OU=xxx,DC=xx,DC=xxx,DC=edu'}

CSV format:
Name,First,Last,Display,Account,samAccount,Password,Description
All Replies
  • Pipe New-QADUser to Set-QADUser:

    ForEach-Object { New-QADUser -Name $_.Name -FirstName $_.First ... | Set-QADUser -UserMustChangePassword $true }

  • I'm struggling to get this to work with Set-QADUser piped from New-QADUser. If I remove the pipe and the Set-QADUser command, this works just fine, adding users the way I want, but once I add that Set-QADUser I start getting the error shown below the script. I've tried both $true and 1 for -UserMustChangePassword; both give the same error.

    Script:
    $cred = get-credential # login creds for DC's

    Connect-QADService -service "DC IP" -credential $cred

    $LIST=Import-Csv C:\pshell\scripts\create_users.csv

    #
    # Go through EACH item in the list (Header row is treated as variable names by default)
    #
    FOREACH ($USER in $LIST) {
    #
    $Firstname=$USER."First Name"
    $Lastname=$USER."Last Name"
    $USERNAME=$USER.username
    $PASSWORD=$USER.password
    $mail=$USER.email
    #
    $domain='@island.local'
    #
    $ALIAS=$Firstname+" "+$Lastname
    $UPN=$Username+$domain
    $DISPLAYNAME=$Firstname+" "+$Lastname
    #
    # SAM USERID cannot be greater than 20 characters - Legacy
    #
    $SAM=$Username
    # Pad to 20 first so Substring never runs past the end of a short name, then drop the padding
    $SAM=$SAM.PadRight(20).Substring(0,20).TrimEnd()
    #
    #
    NEW-QADUSER -ParentContainer 'cn=Users,DC=island,DC=local' -Name $ALIAS -UserPassword $PASSWORD -Firstname $FIRSTNAME -Lastname $LASTNAME -samaccountname $SAM -UserPrincipalName $UPN -displayname $DISPLAYNAME -Email $mail | Set-QADUser -UserMustChangePassword 1
    #
    }
    #
    disconnect-QADService


    Error:

    New-QADUser : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
    At C:\pshell\scripts\ADUsers.ps1:44 char:12
    + NEW-QADUSER <<<
    ME -Lastname $LASTNAME -samaccountname $SAM -UserPrincipalName $UPN -displayname $DISPLAYNAME -Email $mail | Set-QADUser -U
    serMustChangePassword $true
    + CategoryInfo : NotSpecified: (:) [New-QADUser], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell
    .Cmdlets.NewUserCmdlet


    I'm only in my 3rd week of learning Powershell but I've come a very long way. Any help would be great.

    Kevin
  • Hi There,

    This is how I did mine and it seems to work like a charm. New users logging in for the first time get the password reset prompt:


    Function CreateUser
    {
        Param($Office,$State,$Postal,$Address,$City,$Sitelocation,$SiteGroup,$UserGroup,$Storage)
        # $OU, $user, $LoginName, $FName, $LName, $ticket, $description, $Telephone, $Fax,
        # $Title, $Department, $dnpath, $Company and $Password are not parameters of this
        # function; they must be set in the calling scope before CreateUser is invoked.
        Write-Host -BackgroundColor Blue "Creating User account for $user..."

        Start-Sleep -Seconds 5
        # $OU is an [ADSI] directory entry for the container the user is created in
        $newUser = $OU.Create("User","cn=" + $user)
        $newUser.Put("userprincipalname",$LoginName+"@domain")
        $newUser.Put("sAMAccountName",$LoginName)
        $newUser.Put("givenname",$FName)
        $newUser.Put("sn",$LName)
        $newUser.Put("displayName",$user)
        # Put() fails on an empty value, hence the guards around optional attributes
        If ($ticket -ne ""){
            $newUser.Put("info","$ticket")
        }
        $newUser.Put("description","$description")
        $newUser.Put("physicalDeliveryOfficeName", $Office)
        If ($Telephone -ne ""){
            $newUser.Put("telephoneNumber",$Telephone)
        }
        If ($Fax -ne ""){
            $newUser.Put("facsimiletelephonenumber",$Fax)
        }
        $newUser.Put("title", $Title)
        $newUser.Put("department",$Department)
        $newUser.Put("manager",$dnpath)
        $newUser.Put("company", $Company)
        $newUser.Put("streetAddress", $Address)
        $newUser.Put("l",$City)
        $newUser.Put("c","AU")
        $newUser.Put("st",$State)
        $newUser.Put("postalCode",$Postal)
        $newUser.SetInfo()
        $newUser.psbase.InvokeSet('AccountDisabled', $false)
        $newUser.SetInfo()
        # Sets the password. (The original passed "$PWD", which is PowerShell's built-in
        # current-directory variable, so the password is read from $Password instead.)
        $newUser.SetPassword($Password)
        # pwdLastSet = 0 enables "User must change password at next logon". It must be written
        # after SetPassword, because setting a password stamps pwdLastSet with the current time.
        $newUser.Put("pwdLastSet",0)
        $newUser.SetInfo()
    }

    Hope this helps.. :)

    Regards

  • Thanks for the reply. I did actually fix it yesterday.

    Here is my CSV format:
    First name,Last name,password,email,admin
    Mike,Smith,p@$$w0rd,mike.smith@mydomain.com,n
    Jack,Bauer,Trustno1,jbauer@domain24.com,y

    My script:

    #Get password for account with user creation rights (password stored as an encrypted variable)
    $cred = get-credential # login creds for DC's

    Connect-QADService -service 10.66.250.20 -credential $cred

    $LIST=Import-Csv C:\pshell\scripts\create_users.csv

    #
    # Go through EACH item in the list (Header row is treated as variable names by default)
    #
    FOREACH ($USER in $LIST) {
    #
    $Firstname=$USER."First Name"
    $Lastname=$USER."Last Name"
    $USERNAME= $Firstname+"."+$Lastname
    $PASSWORD=$USER.password
    $mail=$USER.email
    $group=$USER.admin
    #
    $domain='@domain.local'
    #
    $ALIAS=$Firstname+" "+$Lastname
    $UPN=$Username+$domain
    $DISPLAYNAME=$Firstname+" "+$Lastname
    #
    # SAM USERID cannot be greater than 20 characters - Legacy
    #
    $SAM=$Username
    # Pad to 20 first so Substring never runs past the end of a short name, then drop the padding
    $SAM=$SAM.PadRight(20).Substring(0,20).TrimEnd()
    #
    # Creates a new user with username, login name, password, and email
    NEW-QADUSER -ParentContainer 'cn=Users,DC=domain,DC=local' -Name $ALIAS -UserPassword $PASSWORD -Firstname $FIRSTNAME -Lastname $LASTNAME -samaccountname $SAM -UserPrincipalName $UPN -displayname $DISPLAYNAME -Email $mail
    # Forces user to change password at next login (identified by the sAMAccountName that was actually written, which may be the truncated form)
    Set-QADUser -Identity $SAM -UserMustChangePassword $true
    # Check to see if the user is in this case a "Domain Admin"
    if ($group -eq 'y'){
    Add-QADGroupMember -Identity "cn=domain admins,cn=users,dc=domain,dc=local" -Member $SAM
    }
    #
    }
    #
    disconnect-QADService

    So far so good, with this script I can set up users in any of my domains that I can reach from my management system.

    My next version will be so that the IP of the DC and the CSV files are just switches added to the command line when entering the script.

    Hope this helps someone like it has me.
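A check to go with both approaches in this thread (Set-QADUser -UserMustChangePassword $true, and writing pwdLastSet = 0 through ADSI): this is an added example, not code from the thread or from the Quest cmdlets, that reads pwdLastSet back with a plain .NET DirectorySearcher for every account named in the CSV and flags any that will not be prompted at next logon. The CSV path, the search base and the "First.Last" naming are assumptions taken from the last script above.

```powershell
# Added example (not from the thread): audit that accounts created from the CSV
# really require a password change at next logon. Both Set-QADUser
# -UserMustChangePassword $true and $newUser.Put("pwdLastSet",0) leave
# pwdLastSet = 0 in the directory, so that attribute is what is checked.
# The CSV path and search base are assumed values; no Quest snap-in is needed.
param(
    [string]$CsvPath    = 'C:\pshell\scripts\create_users.csv',
    [string]$SearchBase = 'LDAP://cn=Users,DC=domain,DC=local'
)

function Get-MustChangePasswordStatus {
    param([string]$SamAccountName, [string]$Base)

    # Escape LDAP filter metacharacters (RFC 4515) so a CSV cell cannot alter the query.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$Base
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    # pwdLastSet comes back as an Int64 file time; 0 means "must change at next logon".
    $pwdLastSet = [int64]$result.Properties['pwdlastset'][0]
    $lastSet = if ($pwdLastSet -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($pwdLastSet) }
    [pscustomobject]@{
        SamAccountName     = [string]$result.Properties['samaccountname'][0]
        MustChangePassword = ($pwdLastSet -eq 0)
        PasswordLastSet    = $lastSet
    }
}

# Derive each sAMAccountName the way the creation script does: "First.Last",
# cut to the 20-character legacy limit.
$report = Import-Csv $CsvPath | ForEach-Object {
    $sam = $_.'First name' + '.' + $_.'Last name'
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    $status = Get-MustChangePasswordStatus -SamAccountName $sam -Base $SearchBase
    if ($null -eq $status) { Write-Warning "$sam not found under $SearchBase"; return }
    $status
}

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.MustChangePassword } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) will NOT be prompted to change password at next logon"
}
```

Run it from the same management host right after the creation script; any account listed with MustChangePassword = False means the Set-QADUser step did not take effect for that user.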