Using cusrmgr, you can set User Must Change Password at Next Logon.

You can use:

tip 3410 » General purpose Domain User Properties reporting script. OR

tip 4646 » How do I run commands on my domain controller for every user? OR

tip 4647 » How do I run commands on my domain controller for every member of a domain group?

to select multiple users in your domain.

I have chosen to use DomGroupMembers from tip 4647 to invoke the UserMustChangePassword.bat script, which you place in a folder in your PATH.

The syntax for using UserMustChangePassword.bat is the general syntax for DomGroupMembers, which is:

DomGroupMembers Group "Command" [ExcludeList]

The specific syntax for this solution is:

DomGroupMembers "DomainGroup" "call UserMustChangePassword.bat %user%" [ExcludeList]

where "DomainGroup" is any domain group, such as "Domain Users" or "Eastern Sales".

NOTE: You must change the PDCName in the UserMustChangePassword.bat script to be your PDC emulator.

You may also remove the @echo User %1 must change password at next logon line, if you don't wish to display the users who have been affected.

UserMustChangePassword.bat contains:

@echo off
setlocal
:: Default value so the comparison below stays valid if net user returns no match.
set when=""
:: Determine if Password Never Expires.
for /f "Skip=11 Tokens=2-3" %%i in ('net user %1 /domain') do if "%%i"=="expires" set when="%%j"
if %when% EQU "Never" goto done
:: Change PDCName to be your PDC Emulator
cusrmgr -u %1 +s MustChangePassword -m \\PDCName >nul 2>&1
:: You may remove the following echo.
@echo User %1 must change password at next logon
:done
endlocal
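
The same operation using the ActiveDirectory PowerShell module instead of cusrmgr and DomGroupMembers, as an added example that is not part of the original tip. It assumes the module (RSAT) is installed and that the code is saved as a .ps1 script; the parameter names, the 'PDCName' default and the exclude list are placeholders chosen for illustration.

```powershell
# Added example, not from the original tip. Requires the ActiveDirectory module.
# -Group, -Server and -Exclude are hypothetical parameter names for this script;
# 'PDCName' is a placeholder for your PDC emulator.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Group,      # e.g. "Eastern Sales"
    [string]   $Server  = 'PDCName',
    [string[]] $Exclude = @()                    # sAMAccountNames to leave untouched
)

Import-Module ActiveDirectory

Get-ADGroupMember -Identity $Group -Server $Server |
    # Groups can contain computers and nested groups; act on user objects only.
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $Exclude } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Server $Server `
                        -Properties PasswordNeverExpires

        # Same rule as the batch script: skip accounts whose password never expires.
        # Reading the attribute avoids depending on the line layout of "net user" output.
        if ($u.PasswordNeverExpires) {
            Write-Verbose "Skipping $($u.SamAccountName): password never expires"
            return   # inside ForEach-Object this moves on to the next member
        }

        # ShouldProcess makes -WhatIf and -Confirm work for a dry run.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set must change password at next logon')) {
            Set-ADUser -Identity $u -Server $Server -ChangePasswordAtLogon $true
            Write-Output "User $($u.SamAccountName) must change password at next logon"
        }
    }
```

Run it with -WhatIf first to list the accounts that would be changed without modifying them.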