Bulk change password at next logon


Because one of our internet-facing services was affected by the famous Heartbleed bug, we had to force a password change at next logon for 1100 users. A pretty easy task (maybe too easy for this blog?), but since it's smoking hot and one of my colleagues (let's call him J.B) asked if I could post the script on the blog, here it is. First I collected all the users in a CSV file, then I imported the CSV file, put the content in a foreach loop and set the ChangePasswordAtLogon attribute to true. I am not sure if picking the cn attribute is correct; Set-ADUser says -Identity should be the "LDAP display name", and 5 seconds of sloppy googling gave me an answer that cn equals LDAP display name, but I got some errors when setting the attribute in the second script, so it might be better to pick the SAM account name.

# Export the group's user members; Get-ADUser returns SamAccountName by default
Get-ADGroupMember "group name" | Where-Object objectClass -eq user | Get-ADUser | Select-Object SamAccountName | Export-Csv C:\temp\users.txt -NoTypeInformation -Encoding Unicode
$Import = Import-Csv C:\temp\users.txt

foreach ($user in $Import) {
    # -Identity accepts a SamAccountName (or DN, SID, GUID), but not the cn; that is what caused the errors
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
    Write-Host $user.SamAccountName
}
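A more defensive version of the same task, added here as an example and not the post's own script. It assumes the ActiveDirectory module is available, and the group name and report path are placeholders; it goes beyond the post by skipping accounts with PasswordNeverExpires (Set-ADUser rejects -ChangePasswordAtLogon $true on those), catching per-account errors instead of aborting the loop, and verifying the result through pwdLastSet.

```powershell
# Added example (not the original post's script): force a password change at
# next logon for every user in an AD group and report the outcome per account.
# "Group Name" and the report path are placeholders; adjust for your domain.
Import-Module ActiveDirectory

$GroupName  = "Group Name"
$ReportPath = "C:\temp\forced-change-report.csv"

# -Recursive also covers users in nested groups; Get-ADGroupMember returns
# users, groups and computers, so keep only user objects.
$Users = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, pwdLastSet

$Report = foreach ($User in $Users) {
    # Set-ADUser refuses -ChangePasswordAtLogon $true on accounts that have
    # PasswordNeverExpires set; record them for manual follow-up instead.
    if ($User.PasswordNeverExpires) {
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Status = 'Skipped: PasswordNeverExpires' }
        continue
    }
    try {
        # -Identity takes a SamAccountName, SID, GUID or DN, not the CN.
        Set-ADUser -Identity $User.SamAccountName -ChangePasswordAtLogon $true -ErrorAction Stop
        # Verify: the "must change password" state is stored as pwdLastSet = 0.
        $After  = Get-ADUser -Identity $User.SamAccountName -Properties pwdLastSet
        $Status = if ($After.pwdLastSet -eq 0) { 'Flag set' } else { 'Set-ADUser succeeded but pwdLastSet is not 0' }
    } catch {
        $Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ SamAccountName = $User.SamAccountName; Status = $Status }
}

# Keep the per-account report and print a summary by status.
$Report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding Unicode
$Report | Group-Object Status | Select-Object Count, Name
```

Running it a second time is harmless: accounts already flagged stay at pwdLastSet 0, and the skipped and failed rows in the report are the ones that still need attention.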