Joe Brown is on the phone. He is locked out of Windows because he has forgotten his password. We could reset his password via Active Directory Users and Computers, but ADUC is very annoyingly clicky.
Of course, it's also possible to unlock Joe Brown's account and reset his password to "33Foo$bars" via NET USER:
net user jbrown 33Foo$bars /domain /active:yes
Unfortunately, the flag requiring him to choose a new password is not set by this command. We, being enlightened administrators, do not want to know any user's permanent password at any time.
Does anyone have an efficient command-line method to unlock/reset and require a password change, using native Windows tools (including PowerShell or VBScript if necessary) but no 3rd-party binaries?
Context: Windows Server 2008 domain.
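One way to do all three steps with native tools, as an added example that is not part of the original post: PowerShell driving ADSI through .NET's System.DirectoryServices, with no extra modules. The function names `New-TempPassword` and `Reset-DomainUserPassword` are hypothetical, and the sketch assumes it runs on a domain-joined machine under an account with rights to reset the user's password.

```powershell
# Added example; both function names are hypothetical, not built-in cmdlets.
function New-TempPassword {
    param([int]$Length = 16)
    # Four character classes so the result passes default AD complexity rules.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%+=?@'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # First four characters: one per class. Remainder: drawn from all classes.
        $set = if ($i -lt $sets.Count) { $sets[$i] } else { -join $sets }
        # Modulo adds a slight bias, acceptable for a one-time password.
        $set[$bytes[$i] % $set.Length]
    }
    -join $chars
}

function Reset-DomainUserPassword {
    param([string]$SamAccountName)
    # Escape LDAP filter metacharacters so the name cannot alter the query.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                            -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No user with sAMAccountName '$SamAccountName'" }

    $user = $hit.GetDirectoryEntry()
    $temp = New-TempPassword
    $user.psbase.Invoke('SetPassword', $temp)            # reset to a random one-time value
    $user.psbase.Properties['lockoutTime'].Value = 0     # clear the lockout
    $user.psbase.Properties['pwdLastSet'].Value = 0      # must change password at next logon
    $user.psbase.CommitChanges()
    $temp   # returned so it can be read to the caller once; it is not stored anywhere
}

# Usage (constructed account name from the question):
#   Reset-DomainUserPassword jbrown
```

Because `pwdLastSet` is set to 0, the temporary value only works for the next logon, so the administrator never learns the user's permanent password.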