This tutorial demonstrates how to force a local user account password change in Windows 10 and Windows 11. It includes instructions on how to force password changes using the Command Prompt or PowerShell and using the Local Users and Groups snap-in.
Forcing a user to change their password after next login is often necessary to secure accounts where the password has been compromised or disclosed.
Step-by-step guide to forcing password change at next login
There are several methods you can use to force a user to change their password the next time they sign in to Windows 10 or Windows 11. Note that methods using the Local Users and Groups snap-in are only available in Pro and Enterprise versions of Windows 10 and Windows 11.
Forcing password change at next sign-in using Local Users and Groups
Follow these steps to force a user account to change their password the next time they log in:
- Right-click on the Start button and select Run
- Enter lusrmgr.msc in the Run dialog and press OK to open Local Users and Groups
- In the navigation tree in the left panel of Local Users and Groups, click Users
- In the list of users in the right panel, right-click on the user you want to force to change their password when they next sign in
- Click Properties
- In the user properties dialog, check User must change password at next logon
- Press OK to confirm the change
Note: the Password never expires option cannot be enabled if you wish to force a password reset.
Force local user password change in Windows 10 using the Command Prompt/PowerShell
To force a user to change their password on next logon from the Command Prompt or PowerShell, enter the following command: net user USERNAME /logonpasswordchg:yes
Replace USERNAME with the username of the user you want to force to change their password. You can confirm that this command was successful by running: net user USERNAME
Note: you will need to be running an elevated Command Prompt or PowerShell as an administrator to perform these actions.
Understanding password management in Windows 10 and Windows 11
User accounts in Windows can be local accounts (where all user accounts stored on the PC you are using, common in home and small businesses), or user accounts stored on a Windows Domain (where user data and credentials are centrally stored on servers in an enterprise environment). This tutorial only covers forcing local user accounts to change their password on the next login.
If you are part of a Windows Domain and cannot change your password, you will need to contact your network administrator or IT support to assist you.
Why enforcing password changes is important
There are several common scenarios where enforcing a user password change is important:
- If you are concerned that a user has given their password to others (or written it down where it can be seen), or it has appeared in a password breach
- It is required for compliance reasons
- There has been a personnel change, and you want to prevent a previous employee from using their old credentials
Troubleshooting common issues when managing Windows 10/11 account security
There are a few common issues that can prevent you from forcing a local account password change and managing other Windows 10 and Windows 11 account security settings:
- You must be logged in as an administrator on the local machine to manage account security settings in Windows 10 and Windows 11
- You will also need to be running a Pro or Enterprise version of Windows to access the Local Users and Groups snap-in
- If using the Command-Line or PowerShell, you must be using an elevated prompt (i.e., right-clicking on the shortcut and selecting Run as Administrator)
- If the user’s password is set to never expire, you cannot force a change
Frequently Asked Questions (FAQs)
1. Can you force password change on Windows Domain user accounts?
Yes, you can enforce a password change at next sign-in using Group Policy in Windows Domain environments.
2. How often should users change their passwords?
Security standards such as Payment Card Industry Data Security Standard (PCI DSS) stipulate that passwords must be changed every 90 days. However, passwords should not be changed too frequently: strong passwords should be used, and should only be changed when necessary (for example after a known breach or successful phishing attack). Forcing users to change their passwords too frequently can frustrate them and lead to them using weak or predictable passwords, or writing them down to help remember them.
3. What happens if a local user doesn’t change their password after being prompted in Windows?
If a local user account doesn’t change its password when forced to at the next login, they will not be able to complete the login process and access their desktop until the password is updated.
Enforcing good password security for multiple users in business and education
If you manage more than a few Windows 10 or Windows 11 devices, you may want to manage user passwords, including forcing password change, for multiple users or groups. Centralizing your IT operations by unifying the management of your on-premises (including Windows Domains) and remote machines (including employees’ BYOD Windows devices) gives you full oversight over your IT deployments, and helps you keep users and vital data secure.
Endpoint management by NinjaOne integrates with Windows Domains and Active Directory, allowing you to centrally manage all of your endpoints, and configure user password policies at scale. With secure remote access and automation, you can ensure every Windows 10 and Windows 11 device under your remit is secure.
