Require all local user accounts to reset passwords at next logon
This Automox Worklet™ identifies all local user accounts on a Windows endpoint and configures them to require a password reset at the next successful logon. The Worklet uses PowerShell and WMI commands to enumerate accounts and set the necessary password expiration flags.
The remediation phase executes two commands for each user: the first sets password expiration via WMIC, and the second uses the Net User command to set the LogonPasswordChg flag to force the password change prompt at logon.
Unlike manual password resets, the Worklet applies changes simultaneously across all local accounts, eliminating the need for individual user modifications.
Stale passwords create security vulnerabilities. When users keep the same password for months or years, that credential may already be compromised in a data breach, shared with a coworker, or written on a sticky note.
Use this Worklet when you detect credential exposure, after an employee leaves your organization with administrative access, or when implementing password rotation policies. Mandatory password resets at logon block unauthorized access before attackers can exploit compromised credentials.
Compliance frameworks including NIST 800-53 (IA-5), CIS Benchmarks, and HIPAA Security Rules require password rotation controls. Automating enforcement at the next logon maintains compliance without manual IT intervention.
The Worklet eliminates help desk overhead from manual password reset coordination. Your IT team deploys the policy once and the system enforces it automatically at each affected user's next login attempt.
Evaluation phase: The Worklet is configured to always trigger remediation, ensuring that password reset requirements are reapplied each time the Worklet runs.
Remediation phase: The Worklet queries all local user accounts using Get-CimInstance, sets password expiration flags via WMIC, and applies the LogonPasswordChg requirement using the Net User command for each account.
Windows 7 or later (Server 2008 R2 and above)
PowerShell 3.0 or higher
Administrative privileges to modify local user account properties
WMIC and Net User utilities available on the endpoint (standard with Windows)
After remediation, each affected user sees a password change prompt at their next logon attempt. Windows displays the "You must change your password before logging on the first time" message and requires the user to enter a new password that meets your complexity requirements.
The logon process blocks until the user provides a valid new password. The system rejects passwords that do not meet configured complexity rules or password history policies. Once changed successfully, the user gains normal desktop access.
Verify enforcement by checking the LogonPasswordChg flag in user account properties or reviewing the Automox Activity Log. Communicate this policy to users before deployment to prevent help desk surges from unexpected password reset prompts.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the forced password reset on logon.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the logic of the evaluation and remediation scripts.
Validate the effects of the remediation script's operations (such as Get-CimInstance, Out-Null, and Write-Output), then rerun the evaluation to confirm compliance.
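
One way to carry out the verification described above, as an added example that is not Automox's Worklet code: a read-only PowerShell audit that lists each local account and whether a password change is pending at next logon. Reading the ADSI WinNT `PasswordExpired` property is this example's assumption about how to check the flag, the function name `Get-LocalPasswordResetState` is hypothetical, and the script does not depend on WMIC, which Microsoft has deprecated.

```powershell
# Added example: read-only audit, makes no changes to any account.
# Requires PowerShell 3.0+ (Get-CimInstance); run from an elevated session.

function Get-LocalPasswordResetState {   # hypothetical helper name
    # Enumerate local accounts with Get-CimInstance, as the remediation phase does.
    $accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"

    foreach ($acct in $accounts) {
        $mustChange = $null
        try {
            # Assumption of this example: the ADSI WinNT provider exposes
            # PasswordExpired, where 1 means "must change password at next logon".
            $user = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"
            $mustChange = ([int]$user.PasswordExpired.Value -eq 1)
        } catch {
            Write-Warning "Could not read $($acct.Name): $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Name              = $acct.Name
            Disabled          = $acct.Disabled
            PasswordExpires   = $acct.PasswordExpires   # False = password never expires
            MustChangeAtLogon = $mustChange             # $null = could not be read
        }
    }
}

$state = @(Get-LocalPasswordResetState)
$state | Format-Table -AutoSize | Out-String | Write-Output

# Enabled accounts where the reset requirement is not (or not verifiably) in effect.
$gaps = @($state | Where-Object { -not $_.Disabled -and $_.MustChangeAtLogon -ne $true })
if ($gaps.Count -gt 0) {
    Write-Output ("Not pending a reset: " + (($gaps | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}
Write-Output "All enabled local accounts must change password at next logon."
exit 0
```

The non-zero exit code on a gap lets the audit be scheduled or wrapped in another job, and disabled accounts are listed but not counted as failures.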


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.