How to force all users to change password with ADConnect?

Djavan ROA
Contributor

Hi,

I have a quick question regarding resetting the password for all users in the company.

I understood that password policy is synced to AAD from the onprem AD.

1) If the password policy is changed (onprem), no expiration date applied, will users be invited to renew the pw on domain-joined devices?

2) I assume the policy change will be replicated to AAD; will users that have "AAD join" devices get invited to renew the pw?

Or else what is generally the proper way to achieve this for all users in the company?

1 Reply
Solution

Hi,

If you're using Hybrid Identity (e.g. with Azure AD Connect), the passwords are mainly stored in the on-prem AD. If you're using PHS, the hashes are synced; if you're using PTA/ADFS, they are not synced, but the main password is stored on the user object in AD.

If you set the flag "user must change password at next logon" on the user object in AD, the user has to change his password.

AFAIK this works on domain-joined clients, the ADFS pages, and on AAD and AAD-joined devices (when PW-Writeback is enabled).

To answer your question: Set the flag for your user and test in your environment. After testing, set the flag for more users (maybe via PowerShell) or configure a password policy via GPO in your AD which forces users to change their passwords periodically.
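
A staged version of the approach in the reply above, as an added example that is not part of the original post: it flags one pilot account, confirms the flag landed, and widens to an OU only when told to. The account name, the OU path and the `Set-MustChangePassword` helper are hypothetical; the script defaults to a dry run.

```powershell
# Added example: staged rollout of "User must change password at next logon".
# $PilotUser and $SearchBase are hypothetical placeholders; replace with your own.
Import-Module ActiveDirectory

$PilotUser    = 'pilot.user'
$SearchBase   = 'OU=Staff,DC=corp,DC=example,DC=com'
$Commit       = $false   # $false = dry run via -WhatIf; $true writes changes
$RolloutToAll = $false   # set $true only after the pilot sign-in tests pass
$Props        = 'PasswordNeverExpires', 'CannotChangePassword', 'pwdLastSet'

function Set-MustChangePassword {
    param([Parameter(Mandatory, ValueFromPipeline)] $User, [bool] $Commit)
    process {
        # Set-ADUser refuses -ChangePasswordAtLogon $true on accounts with
        # PasswordNeverExpires, and an account that cannot change its own
        # password could not complete the forced change, so report both
        # (typically service accounts) instead of touching them.
        if ($User.PasswordNeverExpires -or $User.CannotChangePassword) {
            Write-Warning "Skipped $($User.SamAccountName): review account flags"
            return
        }
        Set-ADUser -Identity $User -ChangePasswordAtLogon $true -WhatIf:(-not $Commit)
    }
}

# Step 1: flag only the pilot account, then test sign-in on each client type
# (domain-joined, ADFS page, AAD-joined).
Get-ADUser -Identity $PilotUser -Properties $Props |
    Set-MustChangePassword -Commit $Commit

# Step 2: confirm the flag landed; pwdLastSet is 0 while a change is pending.
$pilot = Get-ADUser -Identity $PilotUser -Properties $Props
'{0}: change pending = {1}' -f $pilot.SamAccountName, ($pilot.pwdLastSet -eq 0)

# Step 3: widen to every enabled user under the OU.
if ($RolloutToAll) {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $Props |
        Set-MustChangePassword -Commit $Commit
}
```

With password hash sync, Azure AD honors the on-prem flag only when the feature is enabled on the Azure AD Connect server with `Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true`.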
