Windows 11 local user, force password change on login
Posted by theslats@reddit | sysadmin | View on Reddit | 4 comments
For many years this was accomplished with
net user $user /logonpasswordchg:yes
or
$user = [ADSI]"WinNT://$env:ComputerName/LocalUserName,user"
$user.PasswordExpired = 1
$user.SetInfo()
These do not seem to work any more. Is there a newer solution?
Totallynotaswede@reddit
If you want to set the local administrator account regardless of naming / region to force password change:
Get-LocalUser | Where-Object {$_.SID -like "S-1-5-21-*-500"} | Set-LocalUser -PasswordExpired $true
You can use something like this if you want the user running the script to be the target:
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Get-LocalUser | Where-Object {$_.SID -eq $currentUser.User} | Set-LocalUser -PasswordExpired $true
theslats@reddit (OP)
PasswordExpired is not a parameter that can be used by Set-LocalUser, at least on PS 5.1.
Totallynotaswede@reddit
Oh! Then you can use net user $var /logonpasswordchg:yes
It might be that it's set to password never expires to true and you have to change to false for it to trigger.
theslats@reddit (OP)
Yeah, that is what I figured out today. I removed the never-expire flag and my scripts returned to work.
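The resolution reached in the thread (clear "Password never expires" first, then expire the password), written out as an added example that is not code from any of the posters. The function name Set-ForcePasswordChange is hypothetical; it assumes an elevated Windows PowerShell session and uses the same WinNT ADSI provider as the original post.

```powershell
# Added example, not from the thread. Run from an elevated session.
# Set-ForcePasswordChange is a hypothetical helper name.
function Set-ForcePasswordChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name
    )

    # "Password never expires" bit in the account's UserFlags
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    try   { $user.psbase.RefreshCache() }   # binds to the account; throws if it does not exist
    catch { throw "Local account '$Name' not found: $($_.Exception.Message)" }

    $flags        = [int]$user.UserFlags.Value
    $neverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)

    # Step 1: remove the never-expire flag, otherwise the forced change does not take effect
    if ($neverExpires -and $PSCmdlet.ShouldProcess($Name, 'Clear "Password never expires"')) {
        $user.UserFlags = $flags -band (-bnot $ADS_UF_DONT_EXPIRE_PASSWD)
        $user.SetInfo()
    }

    # Step 2: mark the password expired so the next logon prompts for a change
    if ($PSCmdlet.ShouldProcess($Name, 'Require password change at next logon')) {
        $user.PasswordExpired = 1
        $user.SetInfo()
    }

    # Read the state back instead of trusting that the writes succeeded
    $user.psbase.RefreshCache()
    [pscustomobject]@{
        Name            = $Name
        HadNeverExpires = $neverExpires
        NeverExpiresNow = [bool]([int]$user.UserFlags.Value -band $ADS_UF_DONT_EXPIRE_PASSWD)
        PasswordExpired = ([int]$user.PasswordExpired.Value -eq 1)
    }
}

# Preview the changes without applying them:
# Set-ForcePasswordChange -Name 'LocalUserName' -WhatIf
```

If a policy or provisioning script re-applies "Password never expires" to the account, the flag has to be removed there too.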