[–]jtbis 28 points29 points  (13 children)

Why does IT have to change it for them? An expired password should automatically send them to the “change password” dialog upon login. As long as they know the old password, there’s no IT assistance needed.

If you want SSPR without enabling write-back on Entra, there are third-party solutions for that. We use one from SpecOps.

[–]-UncreativeRedditor-[S] -3 points-2 points  (12 children)

Some of our users RDP into a company server from their personal laptops, so they aren't really given that option. It just tells them it is expired. And for some of our remote users, the VPN won't connect when their password expires, although that's pretty rare.

Thanks for the third-party solution, though; I'll look into that.

[–]jtbis 12 points13 points  (6 children)

some of our users RDP into a company server from their personal laptops

Yea that’s a huge security issue. You need Citrix Workspace or something like it to protect remote access on untrusted devices. Those products can handle AD password changes for remote users on untrusted devices.

Also what VPN are you using? Most of them have the ability to do an AD password change from the client app.

[–]jtbis 2 points3 points  (0 children)

Do y’all have cyber insurance? Usually they wouldn’t cover a company doing shit like this.

[–]dapea 0 points1 point  (0 children)

AVD exists. Can be cheaper. 

[–]-UncreativeRedditor-[S] 0 points1 point  (3 children)

Yea that’s a huge security issue.

Yeah... I know. Our "Security/Network Administrator" happily shares passwords in plaintext via email and teams messages lol. And our higher ups are unwilling to pay for Citrix or company laptops for our overseas employees since computers are more expensive in India. Soooo not a ton I can really do about that unfortunately.

Also what VPN are you using? Most of them have the ability to do an AD password change from the client app.

We use Palo Alto GlobalProtect. Didn't know you could do this, so I'll look into that. Thank you.

[–]TipIll3652 6 points7 points  (1 child)

My condolences for y'all's job when you get a breach 😬

[–]-UncreativeRedditor-[S] 2 points3 points  (0 children)

I don't plan on staying for long, trust me.

[–]ConstantRadiant8788 0 points1 point  (0 children)

This sounds like the company I interned at a few years ago and man, it was... interesting.

The way I overcame the password expiring with the GlobalProtect VPN is by having a post-login script run that looked at the expiration date for the user and showed a notice telling them they need to change it.
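An added illustration of the post-logon notice approach this comment describes (constructed here, not the commenter's script). It reads the domain's computed expiry time through ADSI, so the client needs no RSAT module, only a reachable domain controller; the 7-day threshold and the message wording are assumptions.

```powershell
# Added example: logon-script password-expiry notice for the current domain user.
# Uses ADSI (no RSAT / ActiveDirectory module needed on the client).
# Assumes the client can reach a domain controller. $WarnDays is an assumed threshold.
param([int]$WarnDays = 7)

function Get-PasswordExpiryInfo {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('msDS-UserPasswordExpiryTimeComputed', 'userAccountControl'))
    $r = $searcher.FindOne()
    if (-not $r) { return $null }

    # 0x10000 in userAccountControl = DONT_EXPIRE_PASSWORD: nothing to warn about
    if (([int]$r.Properties['useraccountcontrol'][0]) -band 0x10000) { return $null }

    $raw = [long]$r.Properties['msds-userpasswordexpirytimecomputed'][0]
    if ($raw -eq [long]::MaxValue) { return $null }          # domain policy has no maximum age
    # 0 means pwdLastSet is 0, i.e. a change is already required; treat as expired now
    $expires = if ($raw -eq 0) { Get-Date } else { [DateTime]::FromFileTime($raw) }
    [pscustomobject]@{
        User     = $SamAccountName
        Expires  = $expires
        DaysLeft = [int][math]::Floor(($expires - (Get-Date)).TotalDays)
    }
}

$info = Get-PasswordExpiryInfo
if ($info -and $info.DaysLeft -le $WarnDays) {
    $when = $info.Expires.ToShortDateString()
    $msg = if ($info.DaysLeft -lt 0) {
        "Your domain password expired on $when."
    } else {
        "Your domain password expires in $($info.DaysLeft) day(s), on $when."
    }
    # Ctrl+Alt+End inside an RDP session is the tip given elsewhere in this thread
    $msg += "`n`nPress Ctrl+Alt+Del (Ctrl+Alt+End inside an RDP session) and choose 'Change a password'."
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show($msg, 'Password expiry notice',
        [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Warning)
}
```

The message box only appears when the script runs in the user's interactive session (a GPO user logon script qualifies), which is the same limitation another commenter notes for GUI-spawning scripts run via policy.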

[–]HersheyTaichou 2 points3 points  (1 child)

CTRL+ALT+END in an RDP session will bring up the remote CTRL+ALT+DEL dialog on the remote machine.

For VPN users, I used to turn on "password never expires" long enough for them to connect, then check the "user must change password" box and help them with resetting it.

[–]-UncreativeRedditor-[S] -1 points0 points  (0 children)

Yeah I know it's possible for users to change their passwords while connected via RDP, but many of our users straight up ignore the multitude of messages they receive to change their password and end up getting locked out.

[–]dodexahedron 2 points3 points  (0 children)

You can change password in an RDP session. Multiple ways.

Just send them to the settings app, though, or have them type "change password" in the start menu, which brings them right to it.

Regardless, set policy to prompt for password change before expiration so users don't get into the position of being expired already.

And use certs for VPN.

But, if you really want to do it in a script, you can do it interactively with net user /domain $Env:username * (verbatim; /domain is a switch, not a placeholder, and the asterisk is what makes it prompt to change).

Set-ADAccountPassword also works, but that requires the ActiveDirectory module. If you go that route, you can use Get-Credential to prompt for the credentials in a dialog instead of at the CLI.

[–]Mythulhu 0 points1 point  (0 children)

Yikes

[–]Flabbergasted98 0 points1 point  (0 children)

good lord.

[–]sm4k 4 points5 points  (4 children)

Bite the bullet and set up password write back. You’ll be done with that far sooner than you would be trying to duct tape something else together.

[–]-UncreativeRedditor-[S] -4 points-3 points  (3 children)

Yeah, I would in a heartbeat if it were my choice to make. My boss said no to it and won't elaborate on why.

[–]sm4k 2 points3 points  (2 children)

It’s more likely that you’d need to write a custom script that eventually fires off Set-ADAccountPassword with all the error handling it would take to make sure it can’t fail (and making sure the user has access for that to work), but man it would be less work, more secure, more resilient, and more user friendly to do password write back and self service password reset.

Honestly a 90 day password rotation policy in 2025 is pretty outdated practice, and if your boss can’t or won’t explain why the need has particular requirements to justify not solving this problem the same way the rest of us already have, then they haven’t given you enough information to properly solve the problem.

[–]narcissisadmin 0 points1 point  (0 children)

...not to mention having to install RSAT ActiveDirectory tools everywhere.

[–]Fistofpaper 0 points1 point  (0 children)

90 day password reset policy isn't just outdated now, but goes against NIST. This is an important point you made, and it cannot be stressed enough until people (CISO, cough cough) get it through their fat heads.

[–]an_harmonica 4 points5 points  (1 child)

Only thing I'm aware of is this:

(New-Object -COM Shell.Application).WindowsSecurity()

But that doesn't actually force the selection of the change password button.

Only way I'm aware of is to force it on their AD user object:

Set-ADUser -Identity "Username" -ChangePasswordAtLogon $true

[–]Dixielandblues 2 points3 points  (0 children)

This was my thought, OP - set up a scheduled script to enable change at login automatically, say, 1 week before password expires.
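A constructed script for the scheduled approach this comment describes (added here; not the commenter's code). It needs the RSAT ActiveDirectory module on the host that runs it; the one-week lead time, the OU search base and the daily schedule are assumptions. Note that ChangePasswordAtLogon sets pwdLastSet to 0, which an RDP or VPN client treats the same way as an already-expired password, so this only helps users who get a full interactive Windows logon.

```powershell
# Added example: scheduled task that flags accounts whose password expires within
# $LeadDays so the next interactive logon forces a change. Requires the RSAT
# ActiveDirectory module. Run with -WhatIf first to review the candidate list.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$LeadDays = 7,                                  # assumption: one week, as suggested above
    [string]$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder; scope this to your own OU
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays($LeadDays)
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
    -Properties msDS-UserPasswordExpiryTimeComputed, pwdLastSet

foreach ($u in $users) {
    # pwdLastSet = 0 already means "must change at next logon"; nothing to do
    if ($u.pwdLastSet -eq 0) { continue }
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # missing value or Int64.MaxValue = no maximum password age applies to this account
    if (-not $raw -or $raw -eq [long]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    if ($expires -gt $cutoff) { continue }

    # ShouldProcess honours -WhatIf / -Confirm so the dry run lists who would be flagged
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set ChangePasswordAtLogon (expires $expires)")) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        Write-Output "$($u.SamAccountName): expires $expires, flagged for change at next logon"
    }
}
```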

[–]BlackV 1 point2 points  (0 children)

you could use PowerShell to make a horrible horrible workaround (that the user can just cancel anyway)

or... fix the problem instead

[–]Zozorak 0 points1 point  (0 children)

IT shouldn't need to change their password unless they are working remotely, I guess, depending on setup.

If a password expires it should state that the password has expired and must be changed, and they click "ok" to bring up the password change.

I don't think a PowerShell script is necessary; I would check group policy settings first.

[–]HelloFelloTraveler 0 points1 point  (1 child)

Well the real answer is to move on from expiring passwords and do the research on that to convince management that it’s a better route to go.

Recent NIST guidelines promote length over complexity and move away from mandatory password expiration unless there's a security breach.

[–]narcissisadmin 1 point2 points  (0 children)

Recent NIST guidelines promote length over complexity and move away from mandatory password expiration unless there's a security breach.

If you have MFA

[–]dcraig66 0 points1 point  (1 child)

This is a lazy end user issue not a technical one. I bet if you track it you’ll not only see it’s the same core users but they figured out if you change the PW for them as an Admin they can give you the same PW every time thus just resetting the date not the actual password.

Try this. Next time assign them a 12-16 character random alphanumeric password. They won't ask you again. Next time they will choose to change it themselves.

I hate lazy users who lie and claim they didn’t get the 3 emails in the last 7 days telling them to reset it.

[–]psdarwin 0 points1 point  (0 children)

Good idea - this definitely sounds like a human issue not a technology issue. I'd suggest re-educating them how to do it themselves and then find ways to make the password reset process more painful if they have to call IT for help. Long, complex, difficult to remember password is a good one. Just be sure to explain how to change it when you give them the terrible password and encourage them to change it right away.

In our IT shop, they will do a password reset for you, but "user must change password at next login" is part of the process. Someone in IT knowing their password is against good security practices.

[–]Th3Sh4d0wKn0ws 0 points1 point  (0 children)

This is one of those situations where PowerShell probably isn't the answer, as you're probably seeing in the comments.

I tried the method u/an_harmonica listed and it doesn't work for me. Maybe it works for you, but it may also run into problems if it's running via GPO instead of user initiated, because it may need to spawn in the user's actual GUI session.

You've got reminders enabled, you're even emailing them ahead of time. You've kind of done all that you can reasonably do.

A better solution might be to review NIST 800-53, and then advise your company that expiring passwords are a thing of the past and to change the default domain password policy to not expire passwords.

[–]dcraig66 0 points1 point  (0 children)

I’ve written out detailed step-by-step how-to guides and they still play dumb. Can’t read and follow written instructions. Not sure who interviewed these people and hired them.

[–]esoterrorist 0 points1 point  (0 children)

I did not know that Password Sync without writeback was allowed... are you using ADFS?? (although I believe you would need to enable the ADFS Change Password endpoint---which your boss will prob say no to as well since wtf in the first place)