Hi,
I uploaded some users with pre-set passwords I made up (and those pre-set passwords aren't "changeme") -- I would think that Moodle would default to not forcing a password change but for whatever reason users are being asked to change their password upon their first login.
Could someone let me know where the button is I need to click to disable the force password change?
I can see how to turn it off for an individual user [ users > browse list of users > then pick out an individual, edit their profile, and unclick the "force password change" button] but I can't figure out how to do it in bulk.
Thanks so very much for any help!
-Heather
PS: The issue is for some of these users I originally put them in the system with a "changeme" password. Then, I decided I wanted to just set their password and not have them worry about changing it so I uploaded users again, overriding info that's already in the system about users I'm reuploading, and put in a new non-changeme password.
I just tried deleting a user entirely and then uploading them again with a non-changeme password and they aren't forced to change their password.
So... the real question is -- when they've been uploaded in the past with "changeme" and later on you go back and try and override that password with a non changeme one, how can I also override the forced change password feature that popped up wtih the original "changeme" password.
I hope that's not too confusing!
Hello Heather,
To disable the "force password" in bulk for your users, you will need to do it system wide. To do that you would:
1. Click on the Users tab (under the site admin panel)
2. Under the permissions folder, select the Define roles option
3. Select a role to edit (type of user such as student, guest, teacher, etc)
4. Select the edit button
5. Under the System heading, scroll down to "change own password"
6. Select the Prevent circle
This prevents users in the entire system from being able to change their password. If you want certain users to change their password then you would go into their individual profiles and allow that setting. If you don't do it system wide using the above directions then you will continue to have to manually change the settings for each user.
Hope this helps,
Nicole
I don't think that removing the users' ability to change their own passwords just to solve this problem is a good idea.
The way Moodle remembers that a user should be forced to change their password is with a row in the user_preferences table in the DB. So, to clear this flag for everyone on your site, execute
DELETE FROM mdl_user_preferences WHERE name = 'auth_forcepasswordchange'
(You can execute that SQL with a tool like PHPMyAdmin, or you could more selectively delete rows from that table.)
Always backup everything before editing data directly in the DB.
The way Moodle remembers that a user should be forced to change their password is with a row in the user_preferences table in the DB. So, to clear this flag for everyone on your site, execute
DELETE FROM mdl_user_preferences WHERE name = 'auth_forcepasswordchange'
(You can execute that SQL with a tool like PHPMyAdmin, or you could more selectively delete rows from that table.)
Always backup everything before editing data directly in the DB.
Don't delete, do this:
SELECT * FROM mdl_user_preferences WHERE name='auth_forcepasswordchange' and value='1'
SELECT * FROM mdl_user_preferences WHERE name='auth_forcepasswordchange' and value='1'
The steps were helpful. Thanks for this. There is no save changes button to save the current changes made. Help me out on this.
I followed the below steps,
1. Click on the Users tab (under the site admin panel)
2. Under the permissions folder, select the Define roles option
3. Select a role to edit (type of user such as student, guest, teacher, etc)
4. Select the edit button
5. Under the System heading, scroll down to "change own password"
6. Select the Prevent circle
Couldn't find save button to save the changes. The settings are not saved. Can anybody suggest on this.
No difference for this problem. Don't do this, do this:
In PhpMyAdmin: SQL
SELECT * FROM mdl_user_preferences WHERE name='auth_forcepasswordchange' and value='1'
In PhpMyAdmin: SQL
SELECT * FROM mdl_user_preferences WHERE name='auth_forcepasswordchange' and value='1'
Hi nicole hackett,
Using Moodle version 1.9.7
The posted steps above still not working. Please help me out on this.
Thanks in advance.
Skanda
Using Moodle version 1.9.7
The posted steps above still not working. Please help me out on this.
Thanks in advance.
Skanda
William's advice is correct though the instructions are somewhat terse. here's the full deal I've just worked out:
This does work -- I've just tested it. Now to test out the patch ..........
- Backup the database just in case
$ mysqldump -u moodlebackup -p -C -Q -e moodledatabase >db-preauthfix.sql - Open MySQL as the Moodle user
$ mysql -u moodle_user -p (remember that you can get the password from the config.php) - Now do the database commands:
So basically, you "USE [database]" then the SELECT shows the records to be changed, the UPDATE changes them and if you rerun the SELECT you'll see that there are now no records. If you do screw up you've dumped the database and it's straightforward to reload.mysql> SHOW DATABASES; mysql> USE moodledatabase; mysql> SHOW TABLES; mysql> SELECT * FROM mdl_user_preferences WHERE name='auth_forcepasswordchange' and value='1'; | 468 | 188 | auth_forcepasswordchange | 1 | | 469 | 189 | auth_forcepasswordchange | 1 | +-----+--------+--------------------------+-------+ 79 rows in set (0.00 sec) mysql> UPDATE mdl_user_preferences SET VALUE='0' WHERE NAME='auth_forcepasswordchange' AND VALUE='1'; Query OK, 79 rows affected (0.01 sec) Rows matched: 79 Changed: 79 Warnings: 0
This does work -- I've just tested it. Now to test out the patch ..........
Updating the user_preferences table is OK.
BUT YOU HAVE TO REPEAT it after every new user-upload!
I think the programmers forgot to introduce a new column in the uploaduser.php so that the csv-import could simply use this flag at every one's discretion
username,password,forcePasswordChange
rosario,someSecret,0
Or is there another secret we do not know about? I only remember that this flag was introduced later, and in this case the default setting should be configurable either in the AUTHENTICATION modules or in the security settings of the server, where you can define whether to use a password policy.
Rosario
BUT YOU HAVE TO REPEAT it after every new user-upload!
I think the programmers forgot to introduce a new column in the uploaduser.php so that the csv-import could simply use this flag at every one's discretion
username,password,forcePasswordChange
rosario,someSecret,0
Or is there another secret we do not know about? I only remember that this flag was introduced later, and in this case the default setting should be configurable either in the AUTHENTICATION modules or in the security settings of the server, where you can define whether to use a password policy.
Rosario
I just uploaded another list of users with only these columns:
username,password,firstname,lastname,email,city,country
and I got no auth_forcepasswordchange entries. Maybe there is another behaviour if you use the auth column, like I did before with shibboleth.
And I also uploaded hundreds of students with the auth column I set to shibboleth again as in my first post. And I did not get any auth_forcepasswordchange entries either.
So I'm in doubt whether it is a matter of the password itself: if moodle thinks the password being too weak, it sets the auth_forcepasswordchange flag on its own initiative and if it is something that seems to be strong enough to stay it does not?
The only difference in my uploads was indeed the password. So where is the real logic?
Here is a code snippet from uploaduser.php:
So the forcechangepassword flag is really set depending on the results of the password policy you set as admin in SECURITY->SITE POLICIES. And this explains the strange behaviours we just experienced in different cases.
Rosario
username,password,firstname,lastname,email,city,country
and I got no auth_forcepasswordchange entries. Maybe there is another behaviour if you use the auth column, like I did before with shibboleth.
And I also uploaded hundreds of students with the auth column I set to shibboleth again as in my first post. And I did not get any auth_forcepasswordchange entries either.
So I'm in doubt whether it is a matter of the password itself: if moodle thinks the password being too weak, it sets the auth_forcepasswordchange flag on its own initiative and if it is something that seems to be strong enough to stay it does not?
The only difference in my uploads was indeed the password. So where is the real logic?
Here is a code snippet from uploaduser.php:
if ($value !== '') {
$user->password = hash_internal_user_password($value);
if (!empty($CFG->passwordpolicy) and !check_password_policy($value, $errmsg)) {
$forcechangepassword = true;
$weakpasswords++;
}
}
So the forcechangepassword flag is really set depending on the results of the password policy you set as admin in SECURITY->SITE POLICIES. And this explains the strange behaviours we just experienced in different cases.
Rosario
Hi,
I have a similar problem.
I've uploaded 522 students into our Moodle via CSV in the format:
Username, Password, Firstname, Lastname, Email
However by default the force password option is ticked on user accounts.
Rather than go through each individual account and untick this option I tried option described in the second post:
May I ask, does this work only for new users or for existing users?
Cheers,
I have a similar problem.
I've uploaded 522 students into our Moodle via CSV in the format:
Username, Password, Firstname, Lastname, Email
However by default the force password option is ticked on user accounts.
Rather than go through each individual account and untick this option I tried option described in the second post:
To disable the "force password" in bulk for your users, you will need to do it system wide. To do that you would:
1. Click on the Users tab (under the site admin panel)
2. Under the permissions folder, select the Define roles option
3. Select a role to edit (type of user such as student, guest, teacher, etc)
4. Select the edit button
5. Under the System heading, scroll down to "change own password"
6. Select the Prevent circle
This prevents users in the entire system from being able to change their password. If you want certain users to change their password then you would go into their individual profiles and allow that setting. If you don't do it system wide using the above directions then you will continue to have to manually change the settings for each user.However, the tick is still present in the individual user account? (Even after scrolling down to the bottom of the page and clicking SAVE CHANGES)
May I ask, does this work only for new users or for existing users?
Cheers,
perfect!!!! thank you!
Yes, that worked for me. I just entered the mysql query codes using phpMyAdmin.
Puzzling that with moodle 2.0, even though the "force password change" box is unchecked when uploading users, it somehow got set to '1' in the process....
If you uploaded some users and Force password change is on you can do following:
1. Upload users again using same file (with same user names at least)
2. Select "Update existing users only"
3. In next window: Existing user details -> override with file and defaults
4. Existing user password -> no change
Sometimes the issue has to do with what system requirements you have for password length, type, etc.
I just tried bulk uploading some users and put in a very short password for each of them. When I tried logging-in as a few, they were forced to change their password. I then deleted these accounts manually and tried the bulk upload exactly as before, except that I chose a rather complicated password (involving non alpha-numeric symbols). When I tried logging-in as a few of these users, no password reset was forced.
I haven't checked but I'm pretty sure I set up some stringent password requirements in the past. This may also explain why some uploads result in forced password changes, despite not wanting that. If you go SIte Administration, then click on Security, then Site Policies, you may be able to change the password settings (Password policy, password length) so that you know what kinds of bulk upload passwords will not be forced into being changed.
Thanks, this solution worked for me!