Using the Active Directory command-line tools, in a Windows 2000 domain, or Windows Server 2003 domain, I have scripted Mustchpwd.bat to list all users in my domain who must change their password at next logon.

NOTE: The Mustchpwd.bat script does NOT report accounts that are disabled.

The syntax for using Mustchpwd.bat is:

Mustchpwd

The output is displayed on the CMD console, but you can pipe it to a file using the following syntax:

Mustchpwd>FileName

You can use the output in subsequent commands, as in:

for /f "Tokens=*" %%i in ('Mustchpwd') do SomeCommand %%i

NOTE: See How do I reset most user's passwords, and/or force them to change the password at the next logon?

Mustchpwd.bat contains:

@echo off
setlocal
if exist "%TEMP%\Mustchpwd.tm1" del /q "%TEMP%\Mustchpwd.tm1"
if exist "%TEMP%\Mustchpwd.tm2" del /q "%TEMP%\Mustchpwd.tm2"
set getit=dsquery user domainroot -name * -limit 0
for /f "Tokens=*" %%u in ('%getit%') do set UDN=%%u&call :pwd
if not exist "%TEMP%\Mustchpwd.tm1" endlocal&goto :EOF
sort "%TEMP%\Mustchpwd.tm1" /O "%TEMP%\Mustchpwd.tm2"
type "%TEMP%\Mustchpwd.tm2"
del /q "%TEMP%\Mustchpwd.tm1"
del /q "%TEMP%\Mustchpwd.tm2"
endlocal
goto :EOF
:pwd
for /f "Skip=1 Tokens=1-2" %%i in ('dsget user %UDN% -mustchpwd -disabled') do (
 if /i "%%i" NEQ "dsget" call :report %%i %%j
)
goto :EOF
:report
if /i "%1" EQU "no" goto :EOF
if /i "%2" EQU "yes" goto :EOF
@echo %UDN%>>"%TEMP%\Mustchpwd.tm1"