Worklet: Force password reset Windows

This will force local users (non-AD) to change their password the next time they log in.

Note that this script will apply this setting to all local users on the Windows machine. It assumes they have the permissions to change their own passwords, but it does make sure that the passwords aren’t set to never expire. If the password is set to never expire then the command to force a password change won’t succeed.

Evaluation code:

Exit 1

The evaluation code just returns an exit code of 1 to make the remediation code run. The assumption is that you’ll use the worklet scheduler to run this code whenever you want to force a local password change.

Remediation code:

# Enumerate local (non-domain) accounts only. Without the filter, a domain-joined
# machine also enumerates domain accounts, which is slow and not what this worklet targets.
$usrs = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

foreach ($user in $usrs)
{
    # A password marked "never expires" blocks the forced change, so clear that first
    Set-LocalUser -Name $user.Name -PasswordNeverExpires:$false
    # Flag the account so the user must change the password at next logon
    net user $user.Name /LogonPasswordChg:yes
}

The remediation code loops through all the local users and makes sure that the password isn’t set to never expire. Then it sets the LogonPasswordChg to yes, which forces the local user to change their password at next login. You can run lusrmgr.msc on the local machine to check the settings after running the worklet.

2 Likes
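As an added example, not part of the original worklet, the script below does the same job in one place but makes the worklet idempotent: run with -Mode Evaluate it exits 0 only when every target account already carries the "must change password at next logon" flag (so it can replace the unconditional Exit 1), and with -Mode Remediate it clears the two account flags that make the forced change fail ("Password never expires" and "User cannot change password"), sets the flag, and verifies it by reading it back. It skips disabled accounts and the well-known built-ins (matched by RID, so a renamed Administrator is still skipped) rather than touching every local account. The function names, the exclusion list and the use of the ADSI WinNT provider in place of net user are my choices; it assumes it runs elevated (worklets run as SYSTEM) on Windows 10 / Server 2016 or later, where Get-LocalUser is available.

```powershell
param(
    # 'Evaluate'  = report only: exit 0 if every target already has the flag, else 1.
    # 'Remediate' = clear blocking flags, set the flag, verify: exit 0 on success.
    [ValidateSet('Evaluate', 'Remediate')]
    [string]$Mode = 'Evaluate'
)

# ADS_USER_FLAG_ENUM bits that make a forced change fail or be impossible to satisfy.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# Target accounts: enabled local users that are not well-known built-ins.
# RIDs: 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount.
# (Assumed exclusion list; extend it for service accounts you manage another way.)
function Get-TargetUser {
    Get-LocalUser | Where-Object {
        $_.Enabled -and ($_.SID.Value -notmatch '-(500|501|503|504)$')
    }
}

# The WinNT provider exposes "User must change password at next logon" as
# PasswordExpired = 1, the same flag that net user <name> /LogonPasswordChg:yes sets.
function Test-MustChangeAtNextLogon([string]$Name) {
    $u = [ADSI]"WinNT://./$Name,user"
    return ([int]$u.Get('PasswordExpired') -eq 1)
}

function Set-MustChangeAtNextLogon([string]$Name) {
    $u = [ADSI]"WinNT://./$Name,user"
    $flags = [int]$u.Get('UserFlags')
    # Clear "Password never expires" and "User cannot change password" in one write;
    # either bit left set means the user cannot complete the change at logon.
    $flags = $flags -band (-bnot ($ADS_UF_DONT_EXPIRE_PASSWD -bor $ADS_UF_PASSWD_CANT_CHANGE))
    $u.Put('UserFlags', $flags)
    $u.Put('PasswordExpired', 1)
    $u.SetInfo()
}

$targets = @(Get-TargetUser)
$pending = @($targets | Where-Object { -not (Test-MustChangeAtNextLogon $_.Name) })

if ($Mode -eq 'Evaluate') {
    if ($pending.Count -eq 0) {
        Write-Output 'Compliant: every target user must change password at next logon'
        exit 0
    }
    Write-Output ('Non-compliant: ' + ($pending.Name -join ', '))
    exit 1
}

# Remediate: only touch accounts that still lack the flag, and verify each one.
$failed = @()
foreach ($user in $pending) {
    try {
        Set-MustChangeAtNextLogon $user.Name
        if (-not (Test-MustChangeAtNextLogon $user.Name)) { $failed += $user.Name }
    } catch {
        $failed += $user.Name
        Write-Warning "Could not update $($user.Name): $_"
    }
}

if ($failed.Count -gt 0) {
    Write-Output ('Failed to flag: ' + ($failed -join ', '))
    exit 1
}
Write-Output ('Forced password change at next logon for: ' + ($pending.Name -join ', '))
exit 0
```

Paste it twice into the worklet, once with $Mode defaulting to 'Evaluate' and once with 'Remediate'; the evaluation copy then only triggers remediation on devices where someone still needs the flag, and the remediation copy reports a non-zero exit if any account could not be flagged, which is what you want the console to surface instead of a silent partial run. lusrmgr.msc still shows the result under each user's properties, as the original post describes.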

It worked - thank you!

Glad to hear it!

This is a great Worklet! Simple and effective way to harden your endpoint and mitigate risk. It’s also simple to setup and quickly deploy thanks to a full cloud native solution.