Force Password Reset on Logon

Require all local user accounts to reset passwords at next logon

Worklet Details

What the password reset enforcement Worklet does

This Automox Worklet™ identifies all local user accounts on a Windows endpoint and configures them to require a password reset at the next successful logon. The Worklet uses PowerShell and WMI commands to enumerate accounts and set the necessary password expiration flags.

The remediation phase executes two commands for each user: the first sets password expiration via WMIC, and the second uses the Net User command to set the LogonPasswordChg flag to force the password change prompt at logon.

Unlike manual password resets, the Worklet applies changes simultaneously across all local accounts, eliminating the need for individual user modifications.

Why force password changes at logon

Stale passwords create security vulnerabilities. When users keep the same password for months or years, that credential may already be compromised in a data breach, shared with a coworker, or written on a sticky note.

Use this Worklet when you detect credential exposure, after an employee leaves your organization with administrative access, or when implementing password rotation policies. Mandatory password resets at logon block unauthorized access before attackers can exploit compromised credentials.

Compliance frameworks including NIST 800-53 (IA-5), CIS Benchmarks, and HIPAA Security Rules require password rotation controls. Automating enforcement at the next logon maintains compliance without manual IT intervention.

The Worklet eliminates help desk overhead from manual password reset coordination. Your IT team deploys the policy once and the system enforces it automatically at each affected user's next login attempt.

How password reset enforcement works

  1. Evaluation phase: The Worklet is configured to always trigger remediation, so the password reset requirement is reapplied to every local account each time the Worklet runs.

  2. Remediation phase: The Worklet queries all local user accounts using Get-CimInstance, sets password expiration flags via WMIC, and applies the LogonPasswordChg requirement using the Net User command for each account.

Password reset enforcement requirements

  • Windows 7 or later (Server 2008 R2 and above)

  • PowerShell 3.0 or higher

  • Administrative privileges to modify local user account properties

  • WMIC and Net User utilities available on the endpoint (standard with Windows)

Expected logon behavior after password reset enforcement

After remediation, each affected user sees a password change prompt at their next logon attempt. Windows displays the "You must change your password before logging on the first time" message and requires the user to enter a new password that meets your complexity requirements.

The logon process blocks until the user provides a valid new password. The system rejects passwords that do not meet configured complexity rules or password history policies. Once changed successfully, the user gains normal desktop access.

Verify enforcement by checking the LogonPasswordChg flag in user account properties or reviewing the Automox Activity Log. Communicate this policy to users before deployment to prevent help desk surges from unexpected password reset prompts.

How to validate force password reset on logon changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for the force password reset on logon policy.

  2. Confirm that the Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned with the logic of the evaluation and remediation scripts.

  4. Validate remediation effects from script operations such as Get-CimInstance, Out-Null, and Write-Output, then rerun the evaluation to confirm compliance.
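
One way to run the endpoint-state check described above, as an added example that is not the Worklet's own evaluation or remediation script: a read-only PowerShell audit of every local account. It assumes the change-at-next-logon flag is read through the WinNT ADSI provider's PasswordExpired property; the function name Get-LocalPasswordResetState is hypothetical.

```powershell
# Added example (not Automox code): read-only audit of the state the
# remediation is described as setting. Save as a .ps1 file and run it from
# an elevated PowerShell 3.0+ session on the endpoint. It changes nothing.

function Get-LocalPasswordResetState {
    # Enumerate local accounts the way the page describes (Get-CimInstance).
    $accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"

    foreach ($account in $accounts) {
        # Assumption: read the flag through the WinNT ADSI provider.
        # PasswordExpired = 1 means "must change password at next logon".
        $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($account.Name),user"
        $mustChange = ([int]$adsi.PasswordExpired.Value -eq 1)

        [PSCustomObject]@{
            Name              = $account.Name
            Disabled          = $account.Disabled
            # False here means the account is set to "password never expires".
            PasswordExpires   = $account.PasswordExpires
            MustChangeAtLogon = $mustChange
        }
    }
}

$state = @(Get-LocalPasswordResetState)
$state | Format-Table -AutoSize

# The remediation sets both the expiration flag and the logon change flag,
# so an enabled account counts as enforced only when both are present.
$pending = @($state | Where-Object {
    -not $_.Disabled -and -not ($_.PasswordExpires -and $_.MustChangeAtLogon)
})

if ($pending.Count -gt 0) {
    Write-Output ("Reset not enforced on: " + ($pending.Name -join ', '))
    exit 1
}

Write-Output "All enabled local accounts must change their password at next logon."
exit 0
```

Run it after remediation and before users sign in: once a user completes the password change, Windows clears the flag and the account is reported as not enforced again.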


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.