You want to require a user to change her password the next time she logs on to the domain.
Using a graphical user interface
Using a command-line interface
> dsmod user "<UserDN>" -mustchpwd yes
Using VBScript
' This code sets the flag that requires a user to change their password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
set objUser = GetObject("LDAP://" & strUserDN)
objUser.Put "pwdLastSet", 0
objUser.SetInfo
WScript.Echo "User must change password at next logon: " & strUserDN
When a user changes her password, a timestamp is written to the pwdLastSet attribute of the user object. When the user logs on to the domain, this timestamp is compared to the maximum password age defined by the Domain Security Policy to determine whether the password has expired. To force a user to change her password at next logon, set the pwdLastSet attribute of the target user to 0 and verify that the user's account doesn't have the "password never expires" option enabled.
To disable this option so that a user does not have to change her password, set pwdLastSet to -1. These two values (0 and -1) are the only ones that can be set on the pwdLastSet attribute.
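The check described above can be reproduced offline when reviewing exported account attributes. The following is an added example, not code from the original recipe: the function names, the state labels, the sample accounts and the 42-day maximum password age are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_state(pwd_last_set, uac, max_age, now):
    """Classify one account from its raw pwdLastSet and userAccountControl."""
    never_expires = bool(uac & DONT_EXPIRE_PASSWD)
    if pwd_last_set == 0:
        # 0 requests a change at next logon, but the never-expires option
        # cancels it, which is why the recipe says to verify that option.
        return "change-blocked" if never_expires else "must-change"
    if never_expires or max_age is None:  # None: policy sets no maximum age
        return "never-expires"
    age = now - filetime_to_datetime(pwd_last_set)
    return "expired" if age > max_age else "valid"

def audit(accounts, max_age, now):
    """Map each account name to its password state."""
    return {name: password_state(pls, uac, max_age, now)
            for name, pls, uac in accounts}

# Constructed sample data: (name, pwdLastSet, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("alice", 133485408000000000, 0x200),    # set 2024-01-01, normal account
    ("bob",   133528608000000000, 0x200),    # set 2024-02-20, normal account
    ("carol", 0,                  0x200),    # flagged to change at next logon
    ("dave",  0,                  0x10200),  # flagged, but never-expires is set
    ("svc",   133485408000000000, 0x10200),  # old password, never-expires set
]
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_MAX_AGE = timedelta(days=42)  # assumed policy value

if __name__ == "__main__":
    for name, state in audit(SAMPLE_ACCOUNTS, SAMPLE_MAX_AGE, SAMPLE_NOW).items():
        print(f"{name:6} {state}")
```

Accounts reported as change-blocked are the ones to fix first: the change was requested, but it will not take effect until the never-expires option is cleared.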