Setting the 'User Must Change Password at Next Logon' flag does not immediately force the end user t (NETIQKB8049)

  • 7708049
  • 02-Feb-2007
  • 22-May-2013

Environment

Directory and Resource Administrator 8.x

Situation

Setting the 'User Must Change Password at Next Logon' flag does not immediately force the end user to enter a new password.

When resetting a user account's password or modifying the account's properties, it is possible to set the account and force the user to enter a new password the next time that account logs on.  This is done by setting the flag 'User Must Change Password at Next Logon' for the account.  If this flag is set for a given user account and that user tries to log on immediately afterward, the user might not receive the message that his password must be changed.  After waiting for a period of time and then logging on again, the user receives the message and is able to successfully change the password.

Resolution

DRA Assistant Admins can select the domain controller to commit changes to when resetting a password, unlocking an account or enabling/disabling a user account. In addition, there are several examples on the knowledge depot of script solutions that will send password changes and UserAccountControl information to either all domain controllers or to a specific domain controller. 

On the knowledge depot is a modified version of the 'Push password changes to all DC's' script called PushUpdatesToDCsPostRNC.vbs. This post-task trigger pushes not only the new password but also the UserAccountControl information to all of the domain controllers.

Another example on the knowledge depot is PushUpdatesToLastLogonDC.vbs. This post-task trigger reads the $McsLastLogonDomainController property of the target user and sends the password to that domain controller. The $McsLastLogonDomainController property is the internal DRA property that holds the domain controller that last authenticated the user. In order to use this script, last logon statistics gathering must be enabled in DRA.
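The following PowerShell function is an added illustration of what the trigger scripts above do, written against the ActiveDirectory module rather than as a DRA VBScript trigger; it is not NetIQ's code and it does not read the DRA-internal $McsLastLogonDomainController property. It resets the password (optionally) and sets the 'User Must Change Password at Next Logon' flag directly on every writable domain controller, or only on the domain controller(s) named in -DomainController, so the user does not have to wait for replication. Each domain controller is handled in its own try/catch, so an unreachable one is reported and skipped rather than aborting the run. The function name, parameter names and the sample account name jdoe are assumptions made for this example.

```powershell
# Added example, not part of the original article or of DRA. Requires the
# ActiveDirectory module (RSAT) and rights to reset passwords on the target account.
function Push-MustChangePasswordToDCs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [securestring]                        $NewPassword,       # optional: also reset the password
        [string[]]                            $DomainController   # optional: specific DC(s); default is every writable DC
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    if (-not $DomainController) {
        # Only writable DCs can accept the change; read-only DCs would just refer the write elsewhere.
        $DomainController = Get-ADDomainController -Filter * |
            Where-Object { -not $_.IsReadOnly } |
            Select-Object -ExpandProperty HostName
    }

    foreach ($dc in $DomainController) {
        $result = [ordered]@{ DomainController = $dc; Success = $false; Error = $null }
        try {
            if ($NewPassword) {
                Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword `
                    -Server $dc -ErrorAction Stop
            }
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Server $dc -ErrorAction Stop

            # Verify on the same DC that the flag took: Active Directory records
            # 'must change password at next logon' by setting pwdLastSet to 0.
            $pwdLastSet = (Get-ADUser -Identity $SamAccountName -Properties pwdLastSet -Server $dc).pwdLastSet
            $result.Success = ($pwdLastSet -eq 0)
            if (-not $result.Success) { $result.Error = "pwdLastSet is $pwdLastSet on $dc, expected 0" }
        }
        catch {
            # A DC that is down or unreachable must not stop the remaining DCs from being updated.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage (sample account name is constructed for this example):
# Push-MustChangePasswordToDCs -SamAccountName jdoe -NewPassword (Read-Host -AsSecureString 'New password') |
#     Format-Table -AutoSize
```

The per-DC result objects make it easy to see which domain controllers did not accept the change; the same values are written everywhere, so replication later converges on the same state regardless of which DC the user authenticates against.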

Cause

This situation occurs because of the time it takes for Active Directory to replicate changed user account information from one domain controller to another. The 'User Must Change Password at Next Logon' flag is an Active Directory property called 'UserAccountControl'. In this situation, the domain controller that Directory and Resource Administrator (DRA) is connected to is generally the closest one in the network environment. If the end user's account was authenticated by a domain controller other than the one that DRA writes changes to, the user must allow enough time for Active Directory to replicate the changed account information to the domain controller nearest the user. The minimum interval for intra-site Active Directory replication determines how long the end user must wait before logging on again.

Additional Information

Using the above trigger scripts can cause long response-time delays when domain controllers are not available or when a large number of domain controllers need to be updated.

 
Formerly known as NETIQKB8049