Turn off “user must change password at next logon” checkbox by default when creating new user

active-directorywindows-server-2008-r2

On Windows Server 2008, when you add a new user (manually, i.e. using Server Manager > Roles > Active Directory Domain Services > Active Directory Users and Computers > [site name] > right-click on Users and choose "New" > "User"), the password window has the "User must change password at next logon" checkbox marked by default. I want it to be off by default. Is there any way to achieve this?

Note that I do NOT want a script or what-have-you that will batch update existing users. I want to change the default for adding new users. I am also totally uninterested in any lectures about password security: that setting simply must be turned off for these users, and that's that.

Best Answer

No, there's no way to do that. All you can do is try to "copy" an existing user, maybe it will inherit the setting.

Related Solutions

How is the “change password at next logon” requirement supposed to work with RDP using Network Level Authentication

I'm going to posit that you can't do this. With NLA (network-level authentication) enforced, a user cannot log in remotely and change his or her password.

You can use tsconfig.msc on the Remote Desktop server, right-click the RDP-Tcp connection and choose Properties, and change the security layer drop-down menu to 'RDP Security Layer,' but then you lose NLA. Unfortunately the two settings are mutually exclusive.

If you must have NLA, then you need to establish an alternate method for users to change expired passwords, such as through Outlook Anywhere, or RDWeb Access, or a physical console of a domain-joined workstation, etc.

This is sort of a catch-22 situation, because by design, NLA will not even allocate the system resources necessary to create a Remote Desktop session for you until after your credentials have been verified to be valid. But you would have to connect to a full session, have a desktop created, LogonUI.exe spawned for you, etc., in order to change your password. But you can't have a session because your password is expired. Allowing this would, I believe, open a hole in NLA where a user could bypass NLA and get a session anyway, even though they don't have a good (i.e. not expired) password.

http://support.microsoft.com/kb/2648402 says:

In the protocol specification for CredSSP, there is no reference to the ability to change the user's password while NLA is running. Therefore, the observed behavior can be considered "by design."

CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not enabled in MSTSC. Other RD clients that support NLA should be unable to change the user’s password.

Powershell – Must create PowerShell script to change Password Expiry and Date to change next password

AD will not let you change the date a password was last reset, except to 0 (which will force a password change at next login). To do that, you can't set the PwdLastSet manually, you have to use something like the following snippet:

Set-ADUser -Identity JoeBlow -ChangePasswordAtNextLogon $true

Best Answer

Related Solutions

How is the “change password at next logon” requirement supposed to work with RDP using Network Level Authentication

Powershell – Must create PowerShell script to change Password Expiry and Date to change next password

Related Topic