Verify that users are required to change their password on their first login

Tags: active-directory, password

Active Directory has a setting that forces a user to change his password upon his next login–visible in the AD Users and Computers applet, when right-clicking a user, selecting Properties, then Account…the very first checkbox in the "Account options" list is labeled "User must change password at next login".

This is not quite what I'm after. I've been tasked to find a way to make sure new AD users are forced to change their password during their first login (as in, the very first time they log in, ever). Is there such a policy? Ideally, I need something that works with Server 2003 domains and above.

Actually, that's not the full story…assuming such a policy exists, what I need to do is write a script that verifies that this is how the policy has been configured (that is, confirm that all new users will have to go through the process of getting their passwords changed).

Best Answer

What is being asked here is for a technical security control where currently only an administrative security control exists - a technical enforcement of the existing policy in place that tells admins the change password at next logon box must be checked when creating new users.

The way to do this is with a custom password filter DLL for AD. A password filter is notified when there has been a change to a user password and can take any action required from there. Usually this is used for password sync applications (e.g. syncing AD passwords to Google Apps).

In this case the action would be something like: detect the age of the user account; if it is less than X minutes, check the change-password flag on the user account; if the flag is not set, set it on the account, thereby removing the admins' ability to not set this flag, intentionally or otherwise.

Custom password filters are described on MSDN, and there is an existing DLL called Password Hook that already does the hard part of what you need - detect a password change and start a program / script specified in a registry key.
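A verification script of the kind the question asks for, added here as an example that is not part of the original question or answer. It assumes the ActiveDirectory PowerShell module (RSAT) and a reachable domain controller, relies on the fact that "User must change password at next logon" is stored as pwdLastSet = 0, and uses parameter names of my own; it reports accounts created in the last N days whose first-logon password change is not enforced.

```powershell
# Added audit script, not from the original post. Assumes the ActiveDirectory
# PowerShell module (RSAT) and a reachable domain controller; $NewerThanDays
# and $SearchBase are illustrative parameters.
# "User must change password at next logon" is stored as pwdLastSet = 0.
param(
    [int]$NewerThanDays = 30,
    [string]$SearchBase          # e.g. 'OU=Staff,DC=example,DC=com'; empty = whole domain
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$NewerThanDays)
$query = @{
    Filter     = { whenCreated -ge $cutoff }
    Properties = 'pwdLastSet', 'whenCreated', 'LastLogonDate',
                 'PasswordNeverExpires', 'CannotChangePassword'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$report = foreach ($u in Get-ADUser @query) {
    $mustChange = ($u.pwdLastSet -eq 0)
    # Either option silently defeats the flag; the GUI refuses the combination
    # but scripts and raw LDAP edits do not.
    $blocked = $u.PasswordNeverExpires -or $u.CannotChangePassword
    if ($mustChange -and -not $blocked) {
        $state = 'OK: change enforced at next logon'
    } elseif ($blocked) {
        $state = 'FAIL: PasswordNeverExpires/CannotChangePassword set'
    } elseif ($null -eq $u.LastLogonDate) {
        $state = 'FAIL: never logged on and flag not set'
    } elseif ([DateTime]::FromFileTime($u.pwdLastSet) -gt $u.whenCreated.AddMinutes(5)) {
        # Password was set again after creation: the user (or an admin) changed it.
        $state = 'OK: password changed after creation'
    } else {
        $state = 'FAIL: logged on with the password set at creation'
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Created        = $u.whenCreated
        LastLogon      = $u.LastLogonDate   # replicated lazily (lastLogonTimestamp), may lag
        State          = $state
    }
}

$report | Sort-Object Created | Format-Table -AutoSize
$failed = @($report | Where-Object { $_.State -like 'FAIL*' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $(@($report).Count) accounts created since $cutoff are not compliant."
    exit 1
}
```

The non-zero exit code lets the script run as a scheduled task or monitoring check; note that LastLogonDate comes from lastLogonTimestamp, which replicates with a delay, so a user who logged on very recently can still show as never logged on.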