Sometimes you have a list of users whose accounts have been compromised. In a recent incident we received a list of users from Google who were suspected of having followed links to a phishing scam. As a precaution we advised those users to reset their passwords, but, being users, many ignored this. Since our Google accounts are tied to AD it was easy to find out which ones had already reset their passwords, remove them from the report, and then use the remaining list of email addresses to force those accounts to reset their passwords.
The following script accepts a CSV file with a column labeled "email" and loops over its rows. For each email address it finds the AD account with that email address and sets ChangePasswordAtLogon to true, forcing the user to set a new password at their next login. This script will not match aliases, but that would be a relatively easy addition.
param(
    [Parameter(Mandatory=$true)]
    [string]$FileName
)

# The CSV must have a column headed "email"
$addresses = Import-Csv $FileName

ForEach ($address in $addresses) {
    # Couldn't get $address.email to work inside the filter, so copy it to a plain variable first
    $email = $address.email
    $aduser = Get-ADUser -Filter "emailaddress -eq '$email'"

    if (-not $aduser) {
        Write-Host "No AD account found for $email"
        continue
    }

    try {
        # Force a password change at the user's next logon
        Set-ADUser $aduser -ChangePasswordAtLogon $true
    } catch {
        Write-Host "Failed to update $email : $_"
    }
}
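The script below is an added example, not the post's own script. It carries the same workflow a step further in the two directions the text mentions: it skips accounts whose PasswordLastSet is already later than the incident date (the users who followed the advice and reset on their own, so they can be dropped from the report automatically), and it matches secondary SMTP aliases through the proxyAddresses attribute as well as the primary mail attribute. It also supports -WhatIf so the list can be reviewed before any account is touched, and writes a per-address summary for the incident record. The parameter names, the Find-UserByAnyAddress helper and the output file name are this example's own assumptions; it expects the ActiveDirectory module and a CSV with an "email" column.

```powershell
<#
  Added example (not the original post's script). Assumes the ActiveDirectory
  module is available and the CSV has an "email" column. Parameter names, the
  helper function and the report file name are this example's own choices.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string]$FileName,
    # Date the phishing notification went out; resets after this are treated as already done
    [Parameter(Mandatory = $true)] [datetime]$IncidentDate
)

Import-Module ActiveDirectory

function Find-UserByAnyAddress {
    param([string]$Email)
    # Double any single quote so an odd address cannot break the filter expression
    $safe = $Email -replace "'", "''"
    # proxyAddresses entries look like "smtp:alias@example.com"; AD matches them case-insensitively
    Get-ADUser -Filter "mail -eq '$safe' -or proxyAddresses -eq 'smtp:$safe'" `
               -Properties mail, proxyAddresses, PasswordLastSet
}

$results = foreach ($row in Import-Csv $FileName) {
    $email = $row.email.Trim()
    $users = @(Find-UserByAnyAddress -Email $email)

    if ($users.Count -eq 0) {
        [pscustomobject]@{ Email = $email; Account = $null; Action = 'NotFound' }
        continue
    }
    if ($users.Count -gt 1) {
        # More than one account carries the address (e.g. a user plus a shared mailbox): leave for manual review
        [pscustomobject]@{ Email = $email; Account = ($users.SamAccountName -join ','); Action = 'Ambiguous' }
        continue
    }

    $u = $users[0]
    if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $IncidentDate) {
        # The user already reset after the notification; nothing to force
        [pscustomobject]@{ Email = $email; Account = $u.SamAccountName; Action = 'AlreadyReset' }
        continue
    }

    # ShouldProcess honours -WhatIf and -Confirm, so a dry run prints what would change
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Force password change at next logon')) {
        try {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            $action = 'Forced'
        } catch {
            $action = "Failed: $_"
        }
    } else {
        $action = 'Skipped'
    }
    [pscustomobject]@{ Email = $email; Account = $u.SamAccountName; Action = $action }
}

# Summary for the console and a CSV for the incident record
$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path 'reset-report.csv'
```

Run it first as `.\Force-Reset.ps1 -FileName phished.csv -IncidentDate '2024-01-15' -WhatIf` to see which accounts would be forced, which are ambiguous and which have already reset, then without -WhatIf to apply. The Failed rows are worth reading: Set-ADUser refuses to set ChangePasswordAtLogon on an account that also has PasswordNeverExpires set, so service-style accounts that turn up in a phishing list need handling separately.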