How to Force a Password Change at Next Logon in Batch Script
When you create a new user account or reset a password for a colleague who forgot theirs, it is a security best practice to ensure that you (the administrator) are not the only one who knows the credentials. By flagging the account to "Require a password change at next logon," you force the user to choose their own private password the moment they sign in. While typically managed via the "Active Directory" or "Computer Management" GUI, this can be automated using a simple Batch script. This guide explains how to use the net user command to enforce this security requirement.
Why Force a Password Change?
- Privacy and Non-Repudiation: Ensuring that the user is the only person who knows their password, which prevents them from later claiming an action was performed by someone else.
- Onboarding Security: Setting a simple "generic" password (like Welcome2026!) for a new hire and ensuring they immediately replace it with a strong, custom one.
- Help Desk Standards: Following the standard protocol of "Reset and Force Change" whenever a user reports a lost password.
The net user command targets the local computer by default. For a domain account, add the /domain switch so the change is applied on the domain controller rather than to a local account of the same name.
Method 1: Using Net User (The Fast Method)
The /logonpasswordchg flag is the specific switch used to toggle the "Must change" requirement.
@echo off
setlocal
:: Check for admin rights (net session fails without elevation)
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
set "USN="
set /p "USN=Username to flag: "
if not defined USN (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)
:: Strip any quote characters the user typed
set "USN=%USN:"=%"
:: Verify user exists (net user returns non-zero for an unknown account)
net user "%USN%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] User "%USN%" not found on this computer.
    pause
    exit /b 1
)
echo [PROCESS] Configuring security flags for "%USN%"...
:: 'yes' enables the requirement
net user "%USN%" /logonpasswordchg:yes >nul 2>&1
if %errorlevel% equ 0 (
    echo [SUCCESS] User "%USN%" must change their password at next logon.
) else (
    echo [ERROR] Failed to update. Code: %errorlevel%
)
pause
endlocal
Method 2: Disabling the Requirement
If you are setting up a specialized account (like for a kiosk or a service) and want to remove the "Must change" flag, you set it to no.
@echo off
setlocal
:: Check for admin rights (net session fails without elevation)
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
set "USN="
set /p "USN=Username to clear flag for: "
if not defined USN (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)
:: Strip any quote characters the user typed
set "USN=%USN:"=%"
:: Verify user exists (net user returns non-zero for an unknown account)
net user "%USN%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] User "%USN%" not found on this computer.
    pause
    exit /b 1
)
echo [PROCESS] Removing password change requirement for "%USN%"...
:: 'no' removes the requirement
net user "%USN%" /logonpasswordchg:no >nul 2>&1
if %errorlevel% equ 0 (
    echo [SUCCESS] Password change requirement removed.
    echo [NOTE] The current password will remain valid.
) else (
    echo [ERROR] Failed to update. Code: %errorlevel%
)
pause
endlocal
Creating a Professional "Reset and Force" Tool
This script is aimed at help desk technicians. It prompts for the username and a temporary password, resets the password, and flags the account so the user must change it at their next sign-in.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Identity Security Refresh Tool
echo ============================================================
:: 1. Verify admin rights (net session fails without elevation)
net session >nul 2>&1
if !errorlevel! neq 0 (
    echo [CRITICAL] Administrator privileges are required.
    pause
    exit /b 1
)
:: 2. Get username
set "USN="
set /p "USN=Username to Reset: "
if not defined USN (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)
:: Strip any quote characters the user typed
set "USN=!USN:"=!"
:: Verify user exists locally
net user "!USN!" >nul 2>&1
if !errorlevel! neq 0 (
    echo [ERROR] User "!USN!" not found on this computer.
    pause
    exit /b 1
)
:: 3. Get temporary password (note: set /p echoes the input on screen)
echo Enter temporary password:
set "TMP_PWD="
set /p "TMP_PWD="
if not defined TMP_PWD (
    echo [ERROR] No password entered.
    pause
    exit /b 1
)
:: Strip any quote characters the user typed
set "TMP_PWD=!TMP_PWD:"=!"
:: 4. Reset and flag in one command
echo.
echo [PROCESS] Updating credentials and security flags...
net user "!USN!" "!TMP_PWD!" /logonpasswordchg:yes >nul 2>&1
if !errorlevel! equ 0 (
    echo [SUCCESS] Password has been reset.
    echo [INFO] The user MUST change it upon their next sign-in.
    echo.
    echo [IMPORTANT] Communicate the temporary password to the user
    echo via a secure channel (in person, encrypted message^).
) else (
    echo [FAIL] Error updating account. Code: !errorlevel!
    echo [HELP] The temporary password may not meet complexity
    echo requirements. Try a stronger password.
)
:: Clear sensitive variables
set "TMP_PWD="
set "USN="
echo ============================================================
pause
endlocal
Common Pitfalls and How to Avoid Them
Administrative Rights
Modifying user security flags is a privileged operation. You must run your Batch script (and CMD) as an Administrator. Failure to do so will result in an "Access Denied" error.
Account Lockouts
If a user tries to log in and ignores the prompt to change their password (or if their system doesn't support the prompt, like some legacy VPN clients), they might find themselves trapped in a loop where they cannot log in.
Advise your users that if the system says "The user must change their password before logging on for the first time," it is a direct result of this Batch command. If the user is on a "Remote Desktop" connection, they may need to use Ctrl+Alt+End to access the change screen.
Best Practices for Credential Security
- Use Strong Temp Passwords: Even if the user will change it in 5 seconds, never use common words like Password123 as your temporary reset.
- Combine with Complexity: The "Force Change" only works if your system also enforces password complexity. Ensure your complexity policies are active so the user can't just change Temp123 to Temp124.
- Monitor via Event Log: A successful "Must Change" event is logged in the Security log. Audit these to ensure your technicians are following the reset protocols.
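One way to do that audit, added here as PowerShell rather than the article's Batch (this is not part of the original page): it reads the Security log for password-reset (Event ID 4724) and account-changed (Event ID 4738) events, shows which technician touched which account, and flags resets with no follow-up account change. The 4724/4738 IDs are standard Windows account-management events; the "reset should be followed by a change within a few minutes" pairing is an assumed heuristic, not something the article states.

```powershell
# Added example (PowerShell, not the article's Batch code): pull password-reset
# (4724) and account-changed (4738) events from the Security log so you can see
# who reset which account, and spot resets with no follow-up account change.
# Requires an elevated session and "Audit User Account Management" enabled.
param([int]$Hours = 24)

function Get-ResetAuditTrail {
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4724, 4738; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named fields from the event XML rather than positional Properties.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            Target     = $field['TargetUserName']
            Technician = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
        }
    }
}

$trail = @(Get-ResetAuditTrail -Hours $Hours)
if ($trail.Count -eq 0) {
    Write-Host "No account-management events in the last $Hours hour(s); check the audit policy."
    exit 0
}
$trail | Sort-Object Time | Format-Table -AutoSize

# Heuristic (assumption, not from the article): a reset done with
# /logonpasswordchg:yes is followed by a 4738 for the same account within a
# few minutes. A 4724 with no such 4738 is worth a second look.
$changes = $trail | Where-Object EventId -eq 4738
foreach ($r in ($trail | Where-Object EventId -eq 4724)) {
    $followed = $changes | Where-Object {
        $_.Target -eq $r.Target -and $_.Time -ge $r.Time -and $_.Time -le $r.Time.AddMinutes(5)
    }
    if (-not $followed) {
        Write-Warning "Reset of '$($r.Target)' by $($r.Technician) at $($r.Time): no matching 4738 event."
    }
}
```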
Never force a password change on a Service Account or a Scheduled Task account. Since these accounts log in automatically without a human present to see the prompt, the "Force Change" flag will break your application's background processing.
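A pre-flight check for this pitfall, added here as PowerShell rather than the article's Batch (not part of the original page): it refuses to flag an account that any Windows service or scheduled task logs on with, and only then applies the same net user switch the article uses. The $User parameter and the "svc-backup" sample name are assumptions for illustration.

```powershell
# Added example (PowerShell, not the article's Batch code): refuse to flag an
# account that a Windows service or scheduled task logs on with, since those
# never see the change prompt. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][string]$User   # constructed sample value: "svc-backup"
)

function Get-AccountUsage {
    param([string]$Name)
    # Match "DOMAIN\name", ".\name", "name" and "name@domain" forms.
    $pattern = '(^|\\|/)' + [regex]::Escape($Name) + '(@|$)'

    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -match $pattern } |
        Select-Object @{n='Type';e={'Service'}}, Name, @{n='RunsAs';e={$_.StartName}}

    $tasks = Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and $_.Principal.UserId -match $pattern } |
        Select-Object @{n='Type';e={'ScheduledTask'}}, @{n='Name';e={$_.TaskName}},
                      @{n='RunsAs';e={$_.Principal.UserId}}

    @($services) + @($tasks)
}

$usage = @(Get-AccountUsage -Name $User)
if ($usage.Count -gt 0) {
    Write-Warning "'$User' runs $($usage.Count) service(s)/task(s); forcing a change would break them:"
    $usage | Format-Table -AutoSize
    exit 2
}

# No background dependencies found: apply the same net user switch the article uses.
net user $User /logonpasswordchg:yes | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "net user failed with exit code $LASTEXITCODE"
    exit 1
}
Write-Host "[SUCCESS] '$User' must change their password at next logon."
```

Add /domain to the net user call (and query the domain controller's services) when the target is a domain account rather than a local one.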
Conclusion
Requiring a user to change their password at next logon via Batch script is a fundamental prerequisite for maintaining a professional and secure Windows infrastructure. By leveraging the net user utility to automate this security standard during every reset and onboarding, you can ensure the privacy of your users and the integrity of your organization's identities. This professional approach to system management reduces the risk of credential misuse, simplifies help desk workflows, and provides a clear, automated mechanism for enforcing your organization's highest security standards across the entire Windows network.