Re: get-aduser | set-aduser
"The passwords had to all be reset again to something unique to the user (DoB and NI number I recall) so that it could be communicated widely. There was then the 2 day password retention rule that prevented anyone changing their password for a couple of days afterwards."
Errr. The passwords were set to something that was, at least in theory, knowable by others and then prevented a change by the user? Surely the requirement should have been to enforce a change on next login.