KBA-01599: Password Changes for All Users

Question:

Can I force everyone to change passwords?
Can I invalidate passwords for all users?

Answer:

There are several options.  Which is best for you depends on your exact situation.  Contact implementation to discuss your scenario and get help building a script for your exact use case.

Change Password After Next Login

You can make it so that everyone must change their password after their next successful login:

update uc set uc.PWMustChange = 1 from dbo.xsfUser uc where sfUser = 1

Self Service Password Recovery

If you have good email addresses with your contact data, you can make it so that no one knows their password anymore and therefore must use the “Self Service Password Recovery” wizard:

update uc set uc.Password = cast(newid() as varchar(44)) from dbo.xsfUser uc where sfUser = 1

The password recovery wizard validates the user, sends a token to their email address and then allows the user to establish a new password.

Combinations

You can combine some things. For example, if you want to set everyone to the same exact password and require a password change:

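-- Shared temporary password; every user must replace it at next login.
DECLARE @PW VARCHAR(99) = 'WelcomeBack1';
-- "(ask support)" is left as written: support supplies the argument for f_MD5Native.
update uc set uc.password = dbo.f_MD5Native( (ask support),0)
, uc.PWMustChange = 1
from dbo.xsfUser uc
where sfUser = 1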

Additional Comments:

You might also consider password expiration and forced password changes. See KBA-01582.

If you have some users you want immune, there are various ways to cover that too:
• Add and UserLogin not in ('immunelogin1', 'immunelogin2') to the where clause
• Add a check for membership in a certain role….
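
The flag update from "Change Password After Next Login" combined with the immune-login exclusion, written as a dry run that can be reviewed before it is committed. This is an added example, not the vendor's script: the table and column names are those used in the statements above, while the immune logins, the VARCHAR(99) login width, @DryRun, @Immune and @Flagged are assumptions.

```sql
-- Added example. dbo.xsfUser, sfUser, PWMustChange and UserLogin come from the
-- statements in this article; everything else here is an assumption.
SET NOCOUNT ON;
SET XACT_ABORT ON;

DECLARE @DryRun BIT = 1;  -- 1 = report what would change, then roll back

-- Placeholder logins that must not be forced to change their password.
DECLARE @Immune TABLE (UserLogin VARCHAR(99) PRIMARY KEY);
INSERT INTO @Immune (UserLogin) VALUES ('immunelogin1'), ('immunelogin2');

-- Receives one row per account the UPDATE touches. Table variables keep
-- their rows after a rollback, so the dry run can still report them.
DECLARE @Flagged TABLE (UserLogin VARCHAR(99), OldPWMustChange INT);

BEGIN TRY
    BEGIN TRANSACTION;

    UPDATE uc
    SET uc.PWMustChange = 1
    OUTPUT inserted.UserLogin, deleted.PWMustChange
        INTO @Flagged (UserLogin, OldPWMustChange)
    FROM dbo.xsfUser uc
    WHERE uc.sfUser = 1
      AND ISNULL(uc.PWMustChange, 0) <> 1   -- skip accounts already flagged
      AND NOT EXISTS (SELECT 1 FROM @Immune i
                      WHERE i.UserLogin = uc.UserLogin);

    IF @DryRun = 1
        ROLLBACK TRANSACTION;   -- nothing is changed in dbo.xsfUser
    ELSE
        COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
    THROW;                      -- surface the original error to the caller
END CATCH;

-- Review the affected accounts and the flag value each had before the update.
SELECT UserLogin, OldPWMustChange
FROM @Flagged
ORDER BY UserLogin;
```

Run it once with @DryRun = 1, check the returned list against the accounts you expect, then set @DryRun = 0 to apply the change.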


KBA-01599; Last updated: September 19, 2017 at 8:09 am  