【Question title】:Can ADSI be used to set password for windows account requiring change at first logon
【Posted】:2023-04-12 07:08:01
【Question description】:

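I have a modified version of this PowerShell script: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/355d9293-e324-4f60-8eed-18bcc6d67fc0/adsiwinntcomputeradministratoruser-with-alternate-credentials?forum=ITCG

It fails when trying to change the password of an account that has the change-at-first-logon requirement (I can change the password manually using the ctrl+alt+del prompt, but this will be run frequently for VM testing on images). The important part is: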

Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorVariable e -ArgumentList $ComputerName,$NewPassword,$User -ScriptBlock {
    Param($ComputerName,$NewPassword,$User)
    $Account = [ADSI]"WinNT://$ComputerName/$User,user"
    $Account.PwdLastSet = 0
    $Account.SetInfo()
    $Account.SetPassword($NewPassword)
    $Account.SetInfo()
    $e
}

When I run this for an account that does not require a change at first logon, it completes successfully:

> Change-LocalPassword -User 'TestAccount' -Credential $wincred -OldPassword $OP -NewPassword $NP -ComputerName $computerName
Info::Change-LocalPassword::Changing password from <old> to <new>
Info::Change-LocalPassword::Service WinRM is already running on Localhost
Info::Change-LocalPassword::Trusted Hosts Value is: <computer>
Info::Change-LocalPassword Invoking Command: [adsi]WinNT://<computer>/TestAccount,user
True

When run for an account that requires the change at first logon:

Change-LocalPassword -User $Config.win_user -Credential $wincred -OldPassword $Config.winog_passwd -NewPassword $Config.win_passwd -ComputerName $computerName
Info::Change-LocalPassword::Changing password from <old> to <new>
Info::Change-LocalPassword::Service WinRM is already running on Localhost
Info::Change-LocalPassword::Trusted Hosts Value is: <computer>
Info::Change-LocalPassword Invoking Command: [adsi]WinNT://<computer>/<user>,user
[computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see
the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (<computer>:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
-Message Error::Change-LocalPassword::Could not set password for <user> on <computer> [computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
False

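The local administrator account is the only account on the computer, and it is not joined to a domain. Has anyone else run into this and identified a solution?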

【Discussion】:

    Tags: windows powershell change-password adsi


    【Solution 1】:

    Add the user flag for "password never expires":

    $Account = [ADSI]"WinNT://$ComputerName/$User,user"
    # 65536 (0x10000) = ADS_UF_DONT_EXPIRE_PASSWD
    $Account.UserFlags = 65536
    $Account.PwdLastSet = 0
    $Account.SetInfo()
    $Account.SetPassword($NewPassword)
    $Account.SetInfo()
    

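    If you also want to add "User cannot change password", replace the line above with this one:

    # 64 (0x40) = ADS_UF_PASSWD_CANT_CHANGE
    $Account.UserFlags = 64 + 65536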
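
    A variant of the answer's flag assignment that ORs the bits into the account's existing UserFlags instead of overwriting them, as an added example that is not part of the original answer. It assumes an elevated session running locally on the target machine; the function names Add-UserFlag and Set-LocalAccountPassword are hypothetical.

```powershell
# Added example. ADS_USER_FLAG_ENUM bits read and written through the
# WinNT provider's UserFlags property.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # 64
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # 65536

function Add-UserFlag {
    # Pure helper: OR the requested bits into the current value so that
    # unrelated bits (for example ADS_UF_ACCOUNTDISABLE, 0x2) are kept.
    # A plain assignment such as "UserFlags = 65536" would clear them.
    param([int]$Current, [int[]]$Flags)
    foreach ($f in $Flags) { $Current = $Current -bor $f }
    return $Current
}

function Set-LocalAccountPassword {
    # Hypothetical wrapper: sets the flags, then the password, and returns
    # the before/after flag values so the change can be logged or reviewed.
    param(
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][securestring]$NewPassword,
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$CannotChangePassword
    )

    $Account = [ADSI]"WinNT://$ComputerName/$User,user"

    $wanted = @($ADS_UF_DONT_EXPIRE_PASSWD)
    if ($CannotChangePassword) { $wanted += $ADS_UF_PASSWD_CANT_CHANGE }

    $before = [int]$Account.UserFlags.Value
    $after  = Add-UserFlag -Current $before -Flags $wanted
    $Account.UserFlags = $after
    $Account.SetInfo()

    # SetPassword needs a plain string; unwrap the SecureString only here.
    $plain = (New-Object System.Net.NetworkCredential('', $NewPassword)).Password
    $Account.SetPassword($plain)
    $Account.SetInfo()

    [pscustomobject]@{
        User        = $User
        FlagsBefore = '0x{0:X}' -f $before
        FlagsAfter  = '0x{0:X}' -f $after
    }
}

# Usage (prompts for the password instead of taking it on the command line):
# Set-LocalAccountPassword -User 'TestAccount' -NewPassword (Read-Host -AsSecureString 'New password')
```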
    

    【Comments】:

    • It looks like I have a bit of a circular dependency. The only account on the machine is the one whose password I am trying to change. Running a simple Invoke-Command fails with access denied using the credentials (presumably because the password has to be changed first):
    • PS D:\projects\windows-cloudify> Invoke-Command -ComputerName $computerName -Credential $wincred -ScriptBlock { ls c:\TEMP } [computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (computer:String) [], PSRemotingTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken