Active Directory Password Policy: Changing the [Must Change] Attribute

49885604 190 Reputation points
2024-11-08T11:10:53.86+00:00

Hello everyone,

Is there an article that specifies how to change the [Must Change] attribute in Active Directory? I need to modify this parameter for some users to enforce a password change (bypassing the Default Policy - GPO).

Are there any certified articles or scripts available to change this parameter?

Following this article is not enough for me: https://zcusa.951200.xyz/en-us/windows/win32/adsi/user-must-change-password-at-next-logon

Thanks in advance,

Alessio.


2 answers

  1. Domagoj Novak 586 Reputation points
    2025-01-03T15:09:02.49+00:00

    Hello,

    I'm not 100% sure if I understood you correctly, but for changing the parameter "User must change password at next logon", you can use PowerShell or edit it manually in the Account tab of the user in the ADUC console.

    For PowerShell, you can use the Set-ADAccount command with the parameter -ChangePasswordAtLogon.

    More info about the syntax on:

    https://zcusa.951200.xyz/en-us/powershell/module/activedirectory/set-aduser?view=windowsserver2025-ps

    Kind regards,

    Domagoj


  2. Nick Eckermann 591 Reputation points
    2025-01-03T16:41:35.92+00:00

    Not sure exactly what you are trying to do..

    If you want different password policies for users, you can use something like fine grained password policies to manage them across your org.

    https://zcusa.951200.xyz/en-us/windows-server/identity/ad-ds/get-started/adac/fine-grained-password-policies?tabs=adac

    If you just want to set must change at next logon for a list of users, you can use a script to modify the accounts you need to.

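An added example, not part of either answer: one way to script "must change at next logon" for a list of accounts, using `Set-ADUser -ChangePasswordAtLogon` from the cmdlet page linked in the first answer. The function name `Set-MustChangePassword` and the input file `users.txt` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Set-MustChangePassword {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$SamAccountName
    )

    foreach ($name in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $name `
                -Properties PasswordNeverExpires, pwdLastSet -ErrorAction Stop

            # Set-ADUser cannot set -ChangePasswordAtLogon $true on an account
            # that has PasswordNeverExpires set, so report it and move on.
            if ($user.PasswordNeverExpires) {
                Write-Warning "${name}: PasswordNeverExpires is set; skipped."
                continue
            }

            $action = 'Require password change at next logon'
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop

                # The flag is stored as pwdLastSet = 0; read it back to confirm.
                $after = Get-ADUser -Identity $user -Properties pwdLastSet
                [pscustomobject]@{
                    SamAccountName = $after.SamAccountName
                    MustChange     = ($after.pwdLastSet -eq 0)
                }
            }
        }
        catch {
            # Unknown account, missing rights, or unreachable domain controller.
            Write-Warning "${name}: $($_.Exception.Message)"
        }
    }
}

# users.txt is a constructed input file: one sAMAccountName per line.
# -WhatIf previews the changes; remove it to apply them.
Set-MustChangePassword -SamAccountName (Get-Content .\users.txt) -WhatIf
```

The flag applies per account regardless of which password policy governs the user; it forces a change at the next logon but does not alter the policy's age or complexity settings.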
