What I am attempting to accomplish is a simple script that I can deploy via Citrix for users to reset their password. I have gotten so far but now need some help.
To avoid sending passwords, my script just asks the user if they'd like to reset their password. If they choose YES then it sets the AD attribute "user must change password at next logon" to true. The script then directs them to close their Citrix session and log on again, which will then prompt them to change their password.
My issue is that when testing this with a regular user account, they do not have access to Active Directory to edit their user's attributes.
Script is as follows:
###################################
Import-Module ActiveDirectory
$user = Read-Host -Prompt 'Please enter your username'
# Number of days a password is valid under the default domain policy
$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
# Expiry = date the password was last set + max age (query only the property needed)
$passwordLastSet = (Get-ADUser -Identity $user -Properties PasswordLastSet).PasswordLastSet
$passwordExpires = $passwordLastSet.AddDays($maxPasswordAge)
Write-Host "Your password expires on the following date: $passwordExpires"
$answer = Read-Host 'Would you like to change your password now? Please type Y or N'
If ($answer -eq 'Y') {
    # Sets pwdLastSet = 0 ("user must change password at next logon"). This needs
    # write access to that attribute, which a standard user does not have on their own object.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    Write-Host "Please close your Citrix browser session and log back on. You will be prompted to change your password."
}
Else {
    Write-Host 'You will not be prompted to change your password.'
}
Start-Sleep -Seconds 15
######################################
Yes, I know there are easier ways of changing passwords. We need this because we were recently acquired. All of our users' computers have been changed over to the new company's, on their domain, on their network. There are legacy things still on our old domain that the users will need their old creds for, and mgmt wants a way for them to be proactive in changing their password.
I am thinking I'll need to create a service account in AD that has rights to change the "user must change password at next logon" attribute. How can I incorporate that into my script above so that when the user launches this via Citrix it runs under the alternative credentials of the service account, so when they select YES it can change that attribute to TRUE?
Thanks in advance.
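The following is an added example, not the original poster's script, showing how the alternate-credential approach can be done with a minimal blast radius. It assumes placeholder names (domain `CORP` / `corp.example`, an OU `OU=Users,DC=corp,DC=example`, a service account `CORP\svc-pwdflag`) and that the RSAT ActiveDirectory module is available in the Citrix session. Two things it changes relative to the original design: the service account is delegated only the right to write `pwdLastSet` (which is all `-ChangePasswordAtLogon $true` does), and the target account is taken from the logged-on identity rather than from a prompt, because once the script carries credentials that can flag any user, a free-text username would let any user force-expire anyone else's password. It also reads the expiry date from `msDS-UserPasswordExpiryTimeComputed`, which honours fine-grained password policies, and verifies the write rather than trusting the call.

```powershell
# Added example (assumptions: CORP / corp.example / OU=Users / svc-pwdflag are placeholders).
# One-time delegation, run by a domain admin, granting ONLY write on pwdLastSet
# for user objects under the OU (Set-ADUser -ChangePasswordAtLogon writes pwdLastSet = 0):
#   dsacls "OU=Users,DC=corp,DC=example" /I:S /G "CORP\svc-pwdflag:WP;pwdLastSet;user"
Import-Module ActiveDirectory

function Get-PasswordExpiryDate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server
    )
    # The computed attribute already accounts for fine-grained policies and
    # "password never expires"; it is a FILETIME (Int64).
    $u = Get-ADUser -Identity $SamAccountName -Server $Server `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires
    $t = [Int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 means "must change at next logon"; Int64.MaxValue means "never expires"
    if ($u.PasswordNeverExpires -or $t -le 0 -or $t -ge [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTime($t)
}

function Request-PasswordChangeAtNextLogon {
    param(
        # Credential of the delegated service account. Anything readable by a script
        # running in the user's session is readable by the user, so the account must
        # hold no rights beyond the pwdLastSet delegation above.
        [Parameter(Mandatory)][pscredential]$ServiceCredential,
        [string]$Server = 'corp.example'   # the legacy domain (placeholder)
    )
    # Bind the action to the logged-on identity; never accept the target from input.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]

    $expiry = Get-PasswordExpiryDate -SamAccountName $me -Server $Server
    if ($null -eq $expiry) {
        Write-Host "Your password is already set to change at next logon, or never expires."
    } else {
        Write-Host "Your password expires on: $expiry"
    }

    $answer = Read-Host 'Would you like to change your password at your next logon? (Y/N)'
    if ($answer -notmatch '^[Yy]$') {
        Write-Host 'You will not be prompted to change your password.'
        return $false
    }

    # The only privileged call: performed as the service account, scoped to the caller's own object.
    Set-ADUser -Identity $me -Server $Server -Credential $ServiceCredential -ChangePasswordAtLogon $true

    # Verify the attribute actually changed instead of assuming the call succeeded.
    $check = Get-ADUser -Identity $me -Server $Server -Properties pwdLastSet
    $flagged = ($check.pwdLastSet -eq 0)
    if ($flagged) {
        Write-Host 'Please close your Citrix session and log back on. You will be prompted to change your password.'
    } else {
        Write-Warning "The change-at-next-logon flag was not set for $me. Check the delegation on $Server."
    }
    return $flagged
}

# Usage (the credential source is the deployment's choice; see the note below):
# $svc = Get-Credential -UserName 'CORP\svc-pwdflag' -Message 'Service account'
# Request-PasswordChangeAtNextLogon -ServiceCredential $svc
```

Two caveats on this design. First, a secret delivered into the user's Citrix session can be recovered by that user, so the delegation must be the only thing the service account can do; a stronger arrangement is to expose `Request-PasswordChangeAtNextLogon` through a JEA endpoint that runs as the service account, so the credential never lives in the user's session at all. Second, because the Citrix session already runs as the old-domain user, a user can change their own password in-session with `Set-ADAccountPassword -Identity $me -OldPassword ... -NewPassword ...` using their own rights, which needs no delegated account; whether that fits depends on why the original approach avoids handling passwords.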