This will force local users (non-AD) to change their password the next time they log in.
Note that this script will apply this setting to all local users on the Windows machine. It assumes they have the permissions to change their own passwords, but it does make sure that the passwords aren’t set to never expire. If the password is set to never expire then the command to force a password change won’t succeed.
The evaluation code just returns an exit code of 1 to make the remediation code run. The assumption is that you’ll use the worklet scheduler to run this code whenever you want to force a local password change.
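# Enumerate local (non-AD) accounts only
$usrs = Get-WMIObject win32_useraccount -Filter "LocalAccount=True"
Foreach ($user in $usrs) {
    # Clear "password never expires"; otherwise the forced change below won't succeed
    Set-LocalUser -Name $user.name -PasswordNeverExpires:$false
    # Require a password change at next logon
    net user $user.name /LogonPasswordChg:yes
}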
The remediation code loops through all the local users and makes sure that the password isn’t set to never expire. Then it sets LogonPasswordChg to yes, which forces the local user to change their password at next login. You can run lusrmgr.msc on the local machine to check the settings after running the worklet.
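A scripted alternative to the lusrmgr.msc check, as an added example that is not part of the original worklet: it reads each local account's settings and lists the enabled accounts where the worklet's assumptions do not hold. The property names in the report (`MustChangeAtLogon` and so on) are chosen for this example; reading `PasswordExpired` through the WinNT ADSI provider is this example's way of detecting the "must change at next logon" state.

```powershell
# Added example: read-only audit of local accounts after the remediation code has run.
# Nothing here changes any account; it only reports.
$report = foreach ($acct in Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True") {
    # On the WinNT user object, PasswordExpired = 1 means
    # "user must change password at next logon".
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"
    $mustChange = ($adsi.PasswordExpired.Value -eq 1)

    [pscustomobject]@{
        Name               = $acct.Name
        Disabled           = $acct.Disabled
        PasswordExpires    = $acct.PasswordExpires      # $false: "never expires" is still set
        PasswordChangeable = $acct.PasswordChangeable   # $false: user cannot change own password
        MustChangeAtLogon  = $mustChange
    }
}

# Full picture, including built-in and disabled accounts the loop also touched
$report | Sort-Object Name | Format-Table -AutoSize

# Enabled accounts that need attention:
#  - PasswordExpires   = $false -> the forced change could not be applied
#  - PasswordChangeable = $false -> the user is required to change a password they are not allowed to change
#  - MustChangeAtLogon = $false -> the flag is not set
$problems = $report | Where-Object {
    -not $_.Disabled -and
    (-not $_.PasswordExpires -or -not $_.PasswordChangeable -or -not $_.MustChangeAtLogon)
}

if ($problems) {
    Write-Warning "Local accounts that do not match the expected state:"
    $problems | Format-Table -AutoSize
} else {
    Write-Output "All enabled local accounts must change their password at next logon."
}
```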