Forcing Users to Reset their Password

Sometimes you have a list of users whose accounts have been compromised. In a recent incident we received a list of users from Google that were suspected of having followed links to a phishing scam. As a precaution we advised the users to reset their passwords, but, being users, many ignored this. Since our Google accounts are tied to AD it was easy to find out which ones had reset their passwords, remove them from the report, and then use the remaining list of email addresses to force those accounts to reset their passwords.

The following script accepts a CSV file with a column labeled "email" and loops over it. For each email address it finds the AD account with that email address and sets ChangePasswordAtLogon to true, forcing the user to set a new password at their next login. This script will not match aliases, but that would be a relatively easy addition.

param(
    [Parameter(Mandatory=$true)]
    [string]$FileName
)

Import-Module ActiveDirectory

$addresses = Import-Csv $FileName

ForEach ($address in $addresses) {
  #couldn't get address.email to work in the filter, so had to work around it
  $email = $address.email
  # -Filter returns nothing when no account matches and an array when more than one does,
  # so wrap the result in @() and only act on an unambiguous single match
  $aduser = @(Get-ADUser -Filter "emailaddress -eq '$email'")
  if ($aduser.Count -ne 1) {
    Write-Warning "Skipping $email : found $($aduser.Count) matching accounts"
    continue
  }
  try {
    Set-ADUser $aduser[0] -ChangePasswordAtLogon $true
  } catch {
    Write-Host "Failed to update $email : $_"
  }
}
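As an added example (not the author's script), the version below folds in the two refinements the post mentions: it skips accounts that already changed their password after the incident, and it also matches aliases stored in proxyAddresses. It assumes the same "email" CSV column, that aliases are kept as "smtp:" entries in proxyAddresses, and a hypothetical -IncidentDate parameter; -WhatIf previews the changes without making them.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory=$true)]
    [string]$FileName,

    # Hypothetical parameter: accounts whose password changed after this point are left alone
    [Parameter(Mandatory=$true)]
    [datetime]$IncidentDate
)

Import-Module ActiveDirectory

foreach ($row in Import-Csv $FileName) {
    $email = "$($row.email)".Trim()
    if (-not $email) { continue }

    # Match the primary address or any alias; proxyAddresses holds entries such as
    # "smtp:alias@example.com" and AD string comparison is case-insensitive
    $found = @(Get-ADUser -Filter "EmailAddress -eq '$email' -or proxyAddresses -eq 'smtp:$email'" `
                          -Properties EmailAddress, PasswordLastSet, PasswordNeverExpires)

    if ($found.Count -ne 1) {
        Write-Warning "$email : $($found.Count) matching accounts, skipping"
        continue
    }
    $user = $found[0]

    # Already reset since the incident: nothing to do
    if ($user.PasswordLastSet -and $user.PasswordLastSet -gt $IncidentDate) {
        Write-Verbose "$email already reset on $($user.PasswordLastSet), skipping"
        continue
    }

    # Set-ADUser will not set ChangePasswordAtLogon on an account with PasswordNeverExpires,
    # so report these for manual handling instead of failing inside the loop
    if ($user.PasswordNeverExpires) {
        Write-Warning "$email has PasswordNeverExpires set; handle this account separately"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Force password change at next logon")) {
        try {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
            Write-Output "$email ($($user.SamAccountName)): password change required at next logon"
        } catch {
            Write-Warning "Failed to update $email : $_"
        }
    }
}
```

Run it first with -WhatIf -Verbose to see which accounts would be changed and which are skipped as already reset.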
