none
Cannot change password when expired or User account is set User must change password at next logon

    Question

  • Hi.

    All the suddenly about several month ago, some users are saying that they can't change the password when the it is expired.  This is not for all users on the domain only some, and newly created accounts. We have Windows 2003 Server as Domain Controllers. Users are using Windows 7 Pro.

    After entering the password, it asks to enter old and new password twice as normal.  But, when the users enter new password, it comes back to the same screen saying the password is expired, and need to change.  I'm 100% made sure there is no mistake on typing password, and password quality is satisfying the requirement. (length, mixing of characters, not used previously.)

    When a new account is created, and put the option for "User must change password on next logon", the same thing.  When you enter the password, you get "The user's password must be changed before logging on the first time" and ask for new password as normal. But I entered completely different and complicated new passwords, but it would come back to the screen saying "The user's password must be changed before logging on the first time".  I gave full access for all account security permission of the user account object at Active Directly, but no luck. Every 90 days, those users password are expired, I have to enter new password from Active Directory Users and Computers for them now.

    Any idea on what to do to solve this?


    • Edited by tsadmko Thursday, February 9, 2017 11:59 PM
    Thursday, February 9, 2017 11:51 PM

All replies

  • As a test, I tried to logon to the Domain Controller with the user account, and it did change the password.  But I got a message saying "The local policy of this system does not permit you to logon interactively." 

    If I try on Windows 10 PC, it won't let me change...

    Thursday, February 9, 2017 11:56 PM
  • Hi tsadmko,

    This error message has nothing to do with it, its just saying that the user used to login is not part of the Local Remote Desktop Users Group. But regarding the first post, can any of the working users change their password on that same box ? if they cant than there is something wrong with the computer your using.

    thanks, 

    Friday, February 10, 2017 3:35 AM
  • Any particular error message you see on user machine.

    If you are able to change password from DC that means user is unable to contact PDC or GC.

    Check local logon server for affected user.

    Friday, February 10, 2017 5:10 AM
  • Thanks you for the response.

    I tried with other Windows 2003 server, and it worked fine.  So far the problem is happening on Windows 7 and Windows 10 which all our users are.

    Where should I check for "local logon server"?  I tried with other Windows 7 or Windows 10 PCs, but the problem persist.  I'm afraid that GPO is pushing out something, but not sure which one is affecting...  Probably on default GPO since it happens to newly setup (joined domain) and/or newly created user ID..

    I'd appreciate your assistance on this.

    Wednesday, February 15, 2017 9:36 PM
  • I did some more test.

    When I logon to Windows 2008 server it was fine.

    When I create a local account on the PC (not domain account), and force it to change password on next logon, it worked fine too.

    So problem seems to persist only for Domain user account which is forced to change, and it's affecting on Windows 7 or 10 PCs.

    I'm not sure on where to check for the log or error since the PC won't let you logon without changing the password... (Well, Maybe I can remove the force to change, and log on, then logon, and check the event logs..)

    I have a big suspect on GPO we currently have, but we have so many production GPO Objects, and can't tell which one might be causing.

    Thanks,

    Thursday, February 16, 2017 2:13 AM
  • Hi,

    Please run RSOP/gpresult and paste the result directly in our forum so that we can make further analysis.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 20, 2017 2:28 AM
    Moderator