Using the Active Directory command-line tools (dsquery and dsget) in a Windows 2000 or Windows Server 2003 domain, I have scripted Mustchpwd.bat to list all users in my domain who must change their password at next logon.

NOTE: The Mustchpwd.bat script does NOT report accounts that are disabled, even if they are flagged to change their password at next logon.

The syntax for using Mustchpwd.bat is:

Mustchpwd

The script takes no parameters. The output, one quoted distinguished name per line, is displayed on the CMD console, but you can redirect it to a file using the following syntax:

Mustchpwd >FileName

where FileName is the full path of the file you want to create or overwrite.

You can use the output in subsequent commands, as in:

for /f "Tokens=*" %%i in ('Mustchpwd') do SomeCommand %%i

NOTE: See How do I reset most users' passwords, and/or force them to change the password at the next logon?

Mustchpwd.bat contains:

@echo off
setlocal
rem Remove leftover work files from a previous run.
if exist "%TEMP%\Mustchpwd.tm1" del /q "%TEMP%\Mustchpwd.tm1"
if exist "%TEMP%\Mustchpwd.tm2" del /q "%TEMP%\Mustchpwd.tm2"
rem Enumerate every user object in the domain (-limit 0 removes the 100-object default cap).
set getit=dsquery user domainroot -name * -limit 0
rem dsquery returns one quoted DN per line; check each one in the :pwd subroutine.
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :pwd
rem No matching users: exit quietly.
if not exist "%TEMP%\Mustchpwd.tm1" endlocal&goto :EOF
rem Sort the collected DNs and display them.
sort "%TEMP%\Mustchpwd.tm1" /O "%TEMP%\Mustchpwd.tm2"
type "%TEMP%\Mustchpwd.tm2"
del /q "%TEMP%\Mustchpwd.tm1"
del /q "%TEMP%\Mustchpwd.tm2"
endlocal
goto :EOF
:pwd
rem dsget prints a header line (skipped), a line with the two yes/no values,
rem and a trailing "dsget succeeded" line, which is ignored by the NEQ test.
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -mustchpwd -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
rem %1 is the mustchpwd value, %2 is the disabled value.
if /i "%1" EQU "no" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\Mustchpwd.tm1"
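Mustchpwd.bat calls dsget once for every user object, so it gets slow in a large domain. The same result can be obtained with a single directory query, because Active Directory stores "User must change password at next logon" as a pwdLastSet attribute of 0 and records a disabled account as bit 0x2 of userAccountControl. The following PowerShell script is an added example and not part of the original tip; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read user objects in the domain. The function name Get-MustChangePasswordUser and the IncludeDisabled switch are my own.

```powershell
# Added example, not the original Mustchpwd.bat. Assumes the ActiveDirectory
# module from RSAT is available on the machine running it.
Import-Module ActiveDirectory

function Get-MustChangePasswordUser {
    [CmdletBinding()]
    param(
        # Hypothetical switch: report disabled accounts too, which
        # Mustchpwd.bat deliberately leaves out.
        [switch]$IncludeDisabled
    )

    # pwdLastSet=0 is how AD represents "must change password at next logon".
    $clauses = @(
        '(objectCategory=person)'
        '(objectClass=user)'
        '(pwdLastSet=0)'
    )

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
    # userAccountControl bit 0x2 (decimal 2) is ACCOUNTDISABLE.
    if (-not $IncludeDisabled) {
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }

    $ldapFilter = '(&' + ($clauses -join '') + ')'

    Get-ADUser -LDAPFilter $ldapFilter -Properties pwdLastSet, userAccountControl |
        Sort-Object DistinguishedName
}

# Same output shape as Mustchpwd.bat: one quoted DN per line, sorted.
Get-MustChangePasswordUser | ForEach-Object { '"{0}"' -f $_.DistinguishedName }

# Spot check one result against the tool the original script relies on.
# Expected on a matching, enabled account: mustchpwd=yes, disabled=no.
$first = Get-MustChangePasswordUser | Select-Object -First 1
if ($first) {
    dsget user ('"{0}"' -f $first.DistinguishedName) -mustchpwd -disabled
}
```

The same LDAP filter works with the DS tools alone when PowerShell is not an option: dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -limit 0 returns the identical list of quoted DNs in one query, and its output can be consumed by the same for /f loop shown above.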