Access Denied: Forcing All Users to Change Their Password at Next Logon
The MMC Active Directory Users and Computers snap-in doesn't provide a multiple select option, but you can use an alternative approach to make all users change their password at the next logon.
September 14, 2003
We recently enabled a maximum password age and want to put it into effect for all our users. The Microsoft Management Console (MMC) Active Directory Users and Computers snap-in doesn't seem to have a multiple select option for changing user accounts. What's the easiest way to select the User must change password at next logon check box for many users at once in Active Directory (AD)?
The easiest way to do this task is to use the Addusers utility to produce a text file of usernames, then use the For command to execute a Cusrmgr command for each user and select the User must change password at next logon check box. First, run the command
addusers /d users.txt
which produces a users.txt file that contains a list of all users, global groups, and local groups in AD. Open users.txt, locate the [Global] line, and delete that line and everything after it to get rid of all the groups listed in the file. Save and close users.txt.
Next, run
for /f "skip=1 tokens=1 delims==, " %i in (users.txt) do cusrmgr -u %i +s MustChangePassword
The For command skips the first line of the file (i.e., [User]), then inserts the username (i.e., the first string from each line in the file) in place of %i in the Cusrmgr command. The Cusrmgr portion of the code then equates to
cusrmgr -u username +s MustChangePassword
This Cusrmgr command selects the User must change password at next logon check box for the username that appears in the username variable.
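A present-day equivalent of the procedure above, as an added example that is not part of the original article: it uses the ActiveDirectory PowerShell module instead of Addusers and Cusrmgr, and reports rather than changes accounts on which the flag cannot be set. The search base is a placeholder and the report file name is an assumption.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT) and rights to modify user objects.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: set to your own OU or domain
$reportPath = '.\must-change-report.csv'     # assumed output file name

# Enabled accounts only, with the properties that decide whether the flag can be set.
$query = @{
    SearchBase = $searchBase
    Filter     = 'Enabled -eq $true'
    Properties = 'PasswordNeverExpires', 'CannotChangePassword', 'pwdLastSet'
}
$users = Get-ADUser @query

$report = foreach ($u in $users) {
    $skip = $null
    # Set-ADUser rejects -ChangePasswordAtLogon $true when PasswordNeverExpires is set
    # (common on service accounts), so report those accounts instead of failing on them.
    if     ($u.PasswordNeverExpires) { $skip = 'PasswordNeverExpires' }
    elseif ($u.CannotChangePassword) { $skip = 'CannotChangePassword' }
    elseif ($u.pwdLastSet -eq 0)     { $skip = 'AlreadyFlagged' }   # 0 = must change at next logon

    if (-not $skip) {
        # -WhatIf makes this a dry run; remove it to apply the change.
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Action         = if ($skip) { "Skipped: $skip" } else { 'Flag' }
    }
}

# Keep a record of which accounts were selected and which were skipped, and why.
$report | Export-Csv -Path $reportPath -NoTypeInformation
```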